Ryan and Dan, Thanks for the info on using lists in OSSEC. Looks like a much more efficient way for OSSEC to evaluate a larger set of numbers.
You would think a SANS institute InfoSec Practical OSSEC paper would offer advanced examples that actually worked :<) Looks like I would need to run ossec-makelists to rebuild the lists, does that require a manual restart of ossec-analysisd? Thanks, James Whittington -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Tuesday, February 19, 2013 9:55 AM To: [email protected] Subject: Re: [ossec-list] Large ruleset causing ossec startup issues? On Tue, Feb 19, 2013 at 12:38 AM, Ryan Schulze <[email protected]> wrote: > Hi James, > > that sounds like quite a few new rules in that list. I've never had > that many, so can't say what side affects it may have. But after > looking at the SANS document I would suggest shortening it down to one > rule that uses CDB lists and looks like this (based off the rule template from the document): > > <group name="web"> > <rule id="100499" level="14"> > <if_sid>3100</if_sid> > <list field="srcip" lookup="address_match_key">lists/ip_shunlist</list> > <description>Shun!</description> > </rule> > </group> > > Then you just have to populate the ip_shunlist file and add the > following to the ossec.conf in the <rules> section: > <list>lists/ip_shunlist</list> > > IMHO easier to maintain (just update the list of IPs), and the list > can be used for multiple rules. > Have a look at the OSSEC documentation for how the IP List should be > formatted: > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html > > If the author tried to do a "watch list" without using cdb lists, he's providing bad advice. It's definitely the way to go (I've had 100,000+ items in lists without issues). > > > On 2/18/2013 4:46 PM, James Whittington wrote: > > I read a whitepaper by the SANS institute where they gave an example > of taking an emerging threats blacklist and creating a custom ruleset > from it's IPs. > > (http://www.sans.org/reading_room/whitepapers/detection/practical-osse > c_33699) > > > > I was pretty sure I had all the pieces working and in fact could do a > logtest successfully using the newly created ruleset. > > This is OSSEC HIDS v2.7-beta2 by the way. > > On an OSSEC restart however analysis had a couple of errors and none > of my remote logs seems to be flowing through anymore? > > > > 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/bin'. > > 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. > > 2013/02/18 16:58:29 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' > not accessible: 'Connection refused'. > > 2013/02/18 16:58:29 ossec-analysisd(1301): ERROR: Unable to connect to > active response queue. > > 2013/02/18 16:58:29 ossec-analysisd: INFO: Connected to > '/queue/alerts/execq' (exec queue) > > > > After commenting out the ruleset in the ossec.conf file fixed things > so it seems tied to this new ruleset. > > The new rules are a bit larger at 1.7 MB so maybe something is timing out? > > > > Any ideas out there on this? > > I like the idea of incorporating a well known blacklist into ossec. > > > > Thanks, > > > > James Whittington > > > > -- > > --- > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- > > --- > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
