I would agree with this list of rules, except I might add the apache_rules. I say let's leave the manner we add decoders and rules the same for now. Keep it simple and incremental. If we do too much too fast, we could break installations out there.
On Fri, Mar 21, 2014 at 10:27 AM, Jason Frisvold <[email protected]> wrote:
> dan (ddp) wrote:
> > Which rules do you propose exactly?
>
> Oh, sure.. put me on the spot.
>
> Let's see.. digging through what ships currently, these look about right:
>
> attack_rules
> firewall_rules
> msauth_rules
> openbsd_rules
> ossec_rules
> pam_rules
> policy_rules
> postfix_rules (I'm somewhat torn on this one..)
> rules_config
> sendmail_rules (Again, torn)
> solaris_bsm_rules
> sshd_rules
> syslog_rules
> telnetd_rules (It saddens me that this is even necessary)
> vmware_rules
>
> The basic idea being that these are rules that are likely to match in
> the majority of networks. There are some rules in there that I would
> disable in my network, but it's minimalistic enough that I don't think
> having them enabled would be a major problem anyway.
>
> Decoders, in their current form, are a bit more of a problem. As far as
> I'm aware, the only two decoder files that the system will use are the
> default decoder.xml file and the local_decoder.xml file you can use to
> add additional decoders.
>
> Since rulesets are somewhat useless without the decoders that go along
> with them, the only way I see to add additional rulesets is to manually
> add the decoders to the local_decoder.xml file for each ruleset you
> need. I wonder if there's a way to combine the rulesets and decoders,
> or have a way to specify additional decoder files. That might make
> things a bit easier.
>
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
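As an added illustration of the manual route Jason describes (a ruleset is only useful once its decoder is in local_decoder.xml), here is a matching decoder/rule pair. This is example configuration written for this page, not code from the thread or from the OSSEC project; the "demoapp" program name, the log line format, the decoder names and the rule ids 100100/100101 are all hypothetical.

```xml
<!-- etc/local_decoder.xml
     Hypothetical decoder for a constructed syslog line such as:
     Mar 21 10:27:00 host demoapp[1234]: login failed for user alice from 192.0.2.10
     The syslog pre-decoder already strips the timestamp, hostname and
     "demoapp[1234]:", so the parent decoder only has to match the program name. -->
<decoder name="demoapp">
  <program_name>^demoapp</program_name>
</decoder>

<!-- Child decoder: runs only after the parent matched and pulls out
     the fields that the rules (and active response) can key on. -->
<decoder name="demoapp-login-failed">
  <parent>demoapp</parent>
  <prematch>^login failed for user </prematch>
  <regex offset="after_prematch">^(\S+) from (\S+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- etc/rules/local_rules.xml
     local_rules.xml is already listed in the stock ossec.conf <rules> block,
     so nothing else has to be included for these to load. -->
<group name="local,demoapp,">
  <!-- Single failed login: low level, fires on every decoded event. -->
  <rule id="100100" level="5">
    <decoded_as>demoapp</decoded_as>
    <match>login failed for user</match>
    <description>demoapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Six failures from one source IP inside two minutes: brute-force signal.
     The srcip field exists only because the decoder above sets it. -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>demoapp: multiple failed logins from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

To check that the decoder and both rules behave as intended before restarting the server, paste the sample line into /var/ossec/bin/ossec-logtest, which prints the decoder that matched, the extracted fields and the rule id and level that fired. The point of the thread still stands: the rules file can be toggled per installation with an <include> in ossec.conf, but the decoder it depends on has to live in the single local_decoder.xml, so shipping a ruleset without its decoder leaves the rules silently unmatched.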
