One thing that needs to be tested and taken into account in the upgrade
process used. Currently using ./install.sh will ask to update rules.
What do we want to do about this? This would also need the most testing
in my mind.
On Fri, Mar 21, 2014 at 2:52 PM, Vic Hargrave <[email protected]> wrote:
I would agree with this list of rules except I might add the apache_rules.
I say let's leave the manner we add decoders and rules the same for now.
Keep it simple and incremental. If we do too much too fast we could break
installations out there.
That's one of the reasons I thought we were going to mess with it
after 2.8. Make your big changes right after a release, you're allowed
to make mistakes then. :)
On Fri, Mar 21, 2014 at 10:27 AM, Jason Frisvold <[email protected]> wrote:
dan (ddp) wrote:
> Which rules do you propose exactly?
Oh, sure.. put me on the spot.
Let's see.. digging through what ships currently, these look about right:
attack_rules
firewall_rules
msauth_rules
openbsd_rules
ossec_rules
pam_rules
policy_rules
postfix_rules (I'm somewhat torn on this one..)
rules_config
sendmail_rules (Again, torn)
solaris_bsm_rules
sshd_rules
syslog_rules
telnetd_rules (It saddens me that this is even necessary)
vmware_rules
The basic idea being that these are rules that are likely to match in
the majority of networks. There are some rules in there that I would
disable in my network, but it's minimalistic enough that I don't think
having them enabled would be a major problem anyway.
Decoders, in their current form, are a bit more of a problem. As far as
I'm aware, the only two decoder files that the system will use are the
default decoder.xml file and the local_decoder.xml file you can use to
add additional decoders.
Since rulesets are somewhat useless without the decoders that go along
with them, the only way I see to add additional rulesets is to manually
add the decoders to the local_decoder.xml file for each ruleset you
need. I wonder if there's a way to combine the rulesets and decoders,
or have a way to specify additional decoder files. That might make
things a bit easier.
--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
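The gap Jason describes, that a rule referencing a decoder absent from decoder.xml and local_decoder.xml can never fire, can be checked mechanically. This is an added example, not code from the thread or from OSSEC itself; the decoder and rule snippets are constructed, shaped like the files OSSEC ships, and the rule ids are placeholders.

```python
# Added example (not OSSEC's own code): cross-check a ruleset against the
# decoders OSSEC actually loads (decoder.xml plus local_decoder.xml). A rule
# whose <decoded_as> names an unloaded decoder can never fire.
import xml.etree.ElementTree as ET

def _parse_fragments(text: str) -> ET.Element:
    # OSSEC decoder/rule files are bare sequences of top-level elements with
    # no single root, so wrap them before handing them to a strict XML parser.
    return ET.fromstring("<ossec_root>" + text + "</ossec_root>")

def decoder_names(*decoder_files: str) -> set:
    """Names of every <decoder> defined across the given file contents."""
    names = set()
    for text in decoder_files:
        names.update(d.get("name") for d in _parse_fragments(text).iter("decoder"))
    return names

def missing_decoders(rules_text: str, known: set) -> dict:
    """Map rule id -> the <decoded_as> name it needs that is not loaded."""
    missing = {}
    for rule in _parse_fragments(rules_text).iter("rule"):
        for ref in rule.findall("decoded_as"):
            name = (ref.text or "").strip()
            if name and name not in known:
                missing[rule.get("id")] = name
    return missing

# Constructed sample files, shaped like the ones OSSEC ships.
DECODER_XML = """
<decoder name="sshd"><program_name>^sshd</program_name></decoder>
"""
LOCAL_DECODER_XML = """
<decoder name="my-app"><program_name>^my-app</program_name></decoder>
"""
RULES_XML = """
<group name="local,">
  <rule id="100001" level="3">
    <decoded_as>my-app</decoded_as>
    <description>Custom app event; its decoder is in local_decoder.xml.</description>
  </rule>
  <rule id="100002" level="5">
    <decoded_as>my-other-app</decoded_as>
    <description>Rule added without its decoder; will never match.</description>
  </rule>
</group>
"""

def check_sample() -> dict:
    """Run the cross-check on the constructed sample; returns the dead rules."""
    return missing_decoders(RULES_XML, decoder_names(DECODER_XML, LOCAL_DECODER_XML))
```

Point the two functions at the real decoder.xml, local_decoder.xml and rules files before an upgrade to see which rules would be silently inert.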