dan (ddp) wrote:
> Which rules do you propose exactly?

Oh, sure.. put me on the spot.
Let's see.. digging through what ships currently, these look about right:

attack_rules
firewall_rules
msauth_rules
openbsd_rules
ossec_rules
pam_rules
policy_rules
postfix_rules (I'm somewhat torn on this one..)
rules_config
sendmail_rules (Again, torn)
solaris_bsm_rules
sshd_rules
syslog_rules
telnetd_rules (It saddens me that this is even necessary)
vmware_rules

The basic idea being that these are rules that are likely to match in the majority of networks. There are some rules in there that I would disable in my network, but it's minimalistic enough that I don't think having them enabled would be a major problem anyway.

Decoders, in their current form, are a bit more of a problem. As far as I'm aware, the only two decoder files that the system will use are the default decoder.xml file and the local_decoder.xml file you can use to add additional decoders. Since rulesets are somewhat useless without the decoders that go along with them, the only way I see to add additional rulesets is to manually add the decoders to the local_decoder.xml file for each ruleset you need. I wonder if there's a way to combine the rulesets and decoders, or have a way to specify additional decoder files. That might make things a bit easier.

-- 
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
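As an added illustration of the decoder/ruleset coupling described in the message above (not configuration from the post or from the OSSEC project): a decoder for a made-up application added to local_decoder.xml, the local rule that only fires once that decoder exists, and an ossec.conf rules section carrying the proposed minimal include list. The application name myapp, its log format, the sample log line and the rule ids 100100/100101 are assumptions.

```xml
<!-- local_decoder.xml: decoder for a constructed sample line such as
     "myapp: login user=alice src=192.0.2.10 result=failed" -->
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch offset="after_parent">^login </prematch>
  <regex offset="after_prematch">^user=(\S+) src=(\S+) result=(\w+)$</regex>
  <order>user, srcip, status</order>
</decoder>

<!-- local_rules.xml: the ruleset that depends on the decoder above -->
<group name="local,myapp,">
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>failed</status>
    <description>myapp login failure.</description>
  </rule>
</group>

<!-- ossec.conf rules section: the minimal set proposed in the post -->
<rules>
  <include>rules_config.xml</include>
  <include>syslog_rules.xml</include>
  <include>attack_rules.xml</include>
  <include>firewall_rules.xml</include>
  <include>msauth_rules.xml</include>
  <include>openbsd_rules.xml</include>
  <include>ossec_rules.xml</include>
  <include>pam_rules.xml</include>
  <include>policy_rules.xml</include>
  <include>postfix_rules.xml</include>
  <include>sendmail_rules.xml</include>
  <include>solaris_bsm_rules.xml</include>
  <include>sshd_rules.xml</include>
  <include>telnetd_rules.xml</include>
  <include>vmware_rules.xml</include>
  <include>local_rules.xml</include>
</rules>
```

Without the local_decoder.xml entry, the sample line is never decoded as myapp, so rule 100100 never matches and the level 5 alert is never generated, which is the dependency the message points out.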
