On Tue, Feb 19, 2013 at 12:38 AM, Ryan Schulze <[email protected]> wrote: > Hi James, > > that sounds like quite a few new rules in that list. I've never had that > many, so can't say what side affects it may have. But after looking at the > SANS document I would suggest shortening it down to one rule that uses CDB > lists and looks like this (based off the rule template from the document): > > <group name="web"> > <rule id="100499" level="14"> > <if_sid>3100</if_sid> > <list field="srcip" lookup="address_match_key">lists/ip_shunlist</list> > <description>Shun!</description> > </rule> > </group> > > Then you just have to populate the ip_shunlist file and add the following to > the ossec.conf in the <rules> section: > <list>lists/ip_shunlist</list> > > IMHO easier to maintain (just update the list of IPs), and the list can be > used for multiple rules. > Have a look at the OSSEC documentation for how the IP List should be > formatted: > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html > >
If the author tried to do a "watch list" without using cdb lists, he's providing bad advice. It's definitely the way to go (I've had 100,000+ items in lists without issues). > > > On 2/18/2013 4:46 PM, James Whittington wrote: > > I read a whitepaper by the SANS institute where they gave an example of > taking an emerging threats blacklist and creating a custom ruleset from it’s > IPs. > > (http://www.sans.org/reading_room/whitepapers/detection/practical-ossec_33699) > > > > I was pretty sure I had all the pieces working and in fact could do a > logtest successfully using the newly created ruleset. > > This is OSSEC HIDS v2.7-beta2 by the way. > > On an OSSEC restart however analysis had a couple of errors and none of my > remote logs seems to be flowing through anymore? > > > > 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/bin'. > > 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. > > 2013/02/18 16:58:29 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' > not accessible: 'Connection refused'. > > 2013/02/18 16:58:29 ossec-analysisd(1301): ERROR: Unable to connect to > active response queue. > > 2013/02/18 16:58:29 ossec-analysisd: INFO: Connected to > '/queue/alerts/execq' (exec queue) > > > > After commenting out the ruleset in the ossec.conf file fixed things so it > seems tied to this new ruleset. > > The new rules are a bit larger at 1.7 MB so maybe something is timing out? > > > > Any ideas out there on this? > > I like the idea of incorporating a well known blacklist into ossec. > > > > Thanks, > > > > James Whittington > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
