On Fri, Mar 21, 2014 at 2:52 PM, Vic Hargrave <[email protected]> wrote:
> I would agree with this list of rules except I might add the apache_rules.
> I say let's leave the manner we add decoders and rules the same for now.
> Keep it simple and incremental. If we do too much too fast we could break
> installations out there.
>

That's one of the reasons I thought we were going to mess with it after 2.8.
Make your big changes right after a release, you're allowed to make mistakes then. :)

>
> On Fri, Mar 21, 2014 at 10:27 AM, Jason Frisvold <[email protected]>
> wrote:
>>
>> dan (ddp) wrote:
>> > Which rules do you propose exactly?
>>
>> Oh, sure.. put me on the spot.
>>
>> Let's see.. digging through what ships currently, these look about right:
>>
>> attack_rules
>> firewall_rules
>> msauth_rules
>> openbsd_rules
>> ossec_rules
>> pam_rules
>> policy_rules
>> postfix_rules (I'm somewhat torn on this one..)
>> rules_config
>> sendmail_rules (Again, torn)
>> solaris_bsm_rules
>> sshd_rules
>> syslog_rules
>> telnetd_rules (It saddens me that this is even necessary)
>> vmware_rules
>>
>> The basic idea being that these are rules that are likely to match in
>> the majority of networks. There are some rules in there that I would
>> disable in my network, but it's minimalistic enough that I don't think
>> having them enabled would be a major problem anyway.
>>
>> Decoders, in their current form, are a bit more of a problem. As far as
>> I'm aware, the only two decoder files that the system will use are the
>> default decoder.xml file and the local_decoder.xml file you can use to
>> add additional decoders.
>>
>> Since rulesets are somewhat useless without the decoders that go along
>> with them, the only way I see to add additional rulesets is to manually
>> add the decoders to the local_decoder.xml file for each ruleset you
>> need. I wonder if there's a way to combine the rulesets and decoders,
>> or have a way to specify additional decoder files. That might make
>> things a bit easier.
>>
>>
>> --
>> ---------------------------
>> Jason 'XenoPhage' Frisvold
>> [email protected]
>> ---------------------------
>>
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - Niven's Inverse of Clarke's Third Law
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
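One check that follows from Jason's point above that a ruleset is useless without the decoders it is anchored on, added here as an example and not code from the thread or from OSSEC itself: it parses a constructed, trimmed stand-in for local_decoder.xml and a constructed local rule file and reports every <decoded_as> name that no loaded decoder defines. The file contents are embedded inline so it runs offline; in practice they would be read from the decoder.xml, local_decoder.xml and rule files on the server.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for local_decoder.xml (trimmed; OSSEC also loads decoder.xml).
LOCAL_DECODERS = r"""
<decoder name="example-app">
  <program_name>^example-app</program_name>
</decoder>
<decoder name="example-app-login">
  <parent>example-app</parent>
  <regex>^login failed for user (\S+) from (\S+)</regex>
  <order>user, srcip</order>
</decoder>
"""

# Constructed sample rule file: rule 100100 is anchored on a decoder that exists,
# rule 100101 on one that was never added to local_decoder.xml.
LOCAL_RULES = """
<group name="example-app,">
  <rule id="100100" level="5">
    <decoded_as>example-app</decoded_as>
    <match>login failed</match>
    <description>example-app: failed login</description>
  </rule>
  <rule id="100101" level="3">
    <decoded_as>other-app</decoded_as>
    <description>other-app: generic event</description>
  </rule>
</group>
"""


def parse_fragment(text):
    """OSSEC rule and decoder files have several top-level elements, so wrap them in one root."""
    return ET.fromstring("<root>" + text + "</root>")


def decoder_names(*decoder_texts):
    """Collect the decoder names defined across the given decoder files."""
    return {d.get("name") for text in decoder_texts for d in parse_fragment(text).iter("decoder")}


def missing_decoders(rule_text, known_decoders):
    """Map each <decoded_as> name that no decoder defines to the rule ids depending on it."""
    missing = {}
    for rule in parse_fragment(rule_text).iter("rule"):
        for tag in rule.iter("decoded_as"):
            name = (tag.text or "").strip()
            if name not in known_decoders:
                missing.setdefault(name, []).append(rule.get("id"))
    return missing
```

Running missing_decoders(LOCAL_RULES, decoder_names(LOCAL_DECODERS)) on the samples flags only rule 100101, since "other-app" is referenced but never decoded.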
