On Tue, Feb 19, 2013 at 10:10 AM, James Whittington <[email protected]> wrote:
> Ryan and Dan,
> Thanks for the info on using lists in OSSEC.
> Looks like a much more efficient way for OSSEC to evaluate a larger set of numbers.
>
> You would think a SANS institute InfoSec Practical OSSEC paper would offer advanced examples that actually worked :<)
>
> Looks like I would need to run ossec-makelists to rebuild the lists; does that require a manual restart of ossec-analysisd?
>
> Thanks,
>
> James Whittington
>
It does require a restart the first time the lists are added. Updating the lists should not require a restart.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Tuesday, February 19, 2013 9:55 AM
> To: [email protected]
> Subject: Re: [ossec-list] Large ruleset causing ossec startup issues?
>
> On Tue, Feb 19, 2013 at 12:38 AM, Ryan Schulze <[email protected]> wrote:
>> Hi James,
>>
>> that sounds like quite a few new rules in that list. I've never had that many, so can't say what side effects it may have. But after looking at the SANS document I would suggest shortening it down to one rule that uses CDB lists and looks like this (based off the rule template from the document):
>>
>> <group name="web">
>>   <rule id="100499" level="14">
>>     <if_sid>3100</if_sid>
>>     <list field="srcip" lookup="address_match_key">lists/ip_shunlist</list>
>>     <description>Shun!</description>
>>   </rule>
>> </group>
>>
>> Then you just have to populate the ip_shunlist file and add the following to the ossec.conf in the <rules> section:
>> <list>lists/ip_shunlist</list>
>>
>> IMHO easier to maintain (just update the list of IPs), and the list can be used for multiple rules.
>> Have a look at the OSSEC documentation for how the IP List should be formatted:
>> http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
>>
>
> If the author tried to do a "watch list" without using cdb lists, he's providing bad advice. It's definitely the way to go (I've had 100,000+ items in lists without issues).
>
>> On 2/18/2013 4:46 PM, James Whittington wrote:
>>
>> I read a whitepaper by the SANS institute where they gave an example of taking an emerging threats blacklist and creating a custom ruleset from its IPs.
>> (http://www.sans.org/reading_room/whitepapers/detection/practical-ossec_33699)
>>
>> I was pretty sure I had all the pieces working and in fact could do a logtest successfully using the newly created ruleset.
>>
>> This is OSSEC HIDS v2.7-beta2 by the way.
>>
>> On an OSSEC restart however analysis had a couple of errors and none of my remote logs seem to be flowing through anymore?
>>
>> 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> 2013/02/18 16:58:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> 2013/02/18 16:58:29 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2013/02/18 16:58:29 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2013/02/18 16:58:29 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>>
>> Commenting out the ruleset in the ossec.conf file fixed things, so it seems tied to this new ruleset.
>> The new rules are a bit larger at 1.7 MB so maybe something is timing out?
>>
>> Any ideas out there on this?
>> I like the idea of incorporating a well known blacklist into ossec.
>>
>> Thanks,
>>
>> James Whittington
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
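As an added worked example (not part of the thread above and not OSSEC's own code), the script below turns a blocklist feed into the list source file that Ryan's rule expects at lists/ip_shunlist. The key format follows the rule-lists documentation linked in the thread: one "key:value" line per entry, where an address_match_key lookup takes either a full IPv4 address ("198.51.100.7:") or a dotted network prefix ("203.0.113.:"). The feed is a constructed sample, not a real Emerging Threats download, and address_match() is my approximation of how the prefix lookup behaves, included so the generated keys can be sanity-checked offline; it is an assumption, not the project's lookup code.

```python
"""Build an OSSEC CDB list source file from an IP blocklist feed.

Added example for the ossec-list thread; not from the OSSEC project.
Key format (per the rule-lists documentation linked in the thread):
a full IPv4 address "198.51.100.7:" or a dotted network prefix "203.0.113.:".
"""
import ipaddress
import sys

# Constructed sample feed: one IP or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """\
# blocklist (constructed sample, not a real download)
198.51.100.7
203.0.113.0/24
192.0.2.17/24      # host bits set; normalised to the /24
10.0.0.0/8
172.16.0.0/12      # not octet-aligned: split into sixteen /16 prefixes
198.51.100.7       # duplicate, collapsed
"""


def dotted_prefix(addr, octets):
    """'203.0.113.0', 3 -> '203.0.113.' (the network-key form)."""
    return ".".join(str(addr).split(".")[:octets]) + "."


def feed_to_keys(feed_text):
    """Return the sorted, de-duplicated CDB keys for every IPv4 entry in the feed.

    A dotted prefix can only express /8, /16 and /24 networks, so any other
    prefix length is split into the next octet-aligned size (a /12 becomes
    sixteen /16 keys); /25 to /31 are listed address by address.
    """
    keys = set()
    for raw in feed_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue  # the rule in the thread matches IPv4 srcip only
        if net.prefixlen == 32:
            keys.add(str(net.network_address))
        elif net.prefixlen > 24:
            keys.update(str(a) for a in net)
        else:
            aligned = next(p for p in (8, 16, 24) if p >= net.prefixlen)
            for sub in net.subnets(new_prefix=aligned):
                keys.add(dotted_prefix(sub.network_address, aligned // 8))
    return sorted(keys)


def render_list(keys):
    """Serialise keys as the 'key:' lines that ossec-makelists compiles to a .cdb."""
    return "".join(f"{k}:\n" for k in keys)


def address_match(ip, keys):
    """Approximation of an address_match_key lookup (an assumption, not OSSEC's
    code): try the full address, then each shorter dotted prefix."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)]
    lookup = set(keys)
    return any(c in lookup for c in candidates)


if __name__ == "__main__":
    # Usage: python build_shunlist.py feed.txt > /var/ossec/lists/ip_shunlist
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    sys.stdout.write(render_list(feed_to_keys(text)))
```

Write the output to the path named in the rule (lists/ip_shunlist under the OSSEC install), keep the `<list>lists/ip_shunlist</list>` entry in the `<rules>` section of ossec.conf, run ossec-makelists to compile the .cdb, and, as dan notes above, restart OSSEC the first time the list is added; later refreshes only need the list rebuilt. ossec-logtest with a sample line from a listed source address confirms rule 100499 fires before the list goes live.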
