Let me just say that I had one main goal in mind with this suggestion. That was to catalog our existing decoders and rules, noting their rule IDs, and then creating a simple repo where people could get additional rules or contribute rules that they think someone else might find useful. By "rules" I mean "decoders, rules and the stanzas that have to be added to ossec.conf to activate them and point to the log files in question." This was motivated by my desire to contribute some rules for analyzing Hadoop/HBase logs.

I see that the discussion has expanded to that *plus* how to install new rules and remove others in a more scripted fashion. So @ddp I see where I threw a monkey wrench into your thinking about when we do this. I agree post-2.8 is better. Maybe I should call the repo ossec-rules-share to make the purpose more clear?

On Fri, Mar 21, 2014 at 12:51 PM, Jeremy Rossi <[email protected]> wrote:

> One thing that needs to be tested and taken into account is the upgrade
> process used. Currently using ./install.sh will ask to update rules.
> What do we want to do about this? This would also need the most testing
> in my mind.
>
> On Fri, Mar 21, 2014 at 2:52 PM, Vic Hargrave <[email protected]> wrote:
>
>>> I would agree with this list of rules except I might add the
>>> apache_rules.
>>> I say let's leave the manner we add decoders and rules the same for now.
>>> Keep it simple and incremental. If we do too much too fast we could
>>> break installations out there.
>>
>> That's one of the reasons I thought we were going to mess with it
>> after 2.8. Make your big changes right after a release, you're allowed
>> to make mistakes then. :)
>>
>>> On Fri, Mar 21, 2014 at 10:27 AM, Jason Frisvold <[email protected]> wrote:
>>>
>>>> dan (ddp) wrote:
>>>> > Which rules do you propose exactly?
>>>>
>>>> Oh, sure.. put me on the spot.
>>>>
>>>> Let's see.. digging through what ships currently, these look about
>>>> right:
>>>>
>>>> attack_rules
>>>> firewall_rules
>>>> msauth_rules
>>>> openbsd_rules
>>>> ossec_rules
>>>> pam_rules
>>>> policy_rules
>>>> postfix_rules (I'm somewhat torn on this one..)
>>>> rules_config
>>>> sendmail_rules (Again, torn)
>>>> solaris_bsm_rules
>>>> sshd_rules
>>>> syslog_rules
>>>> telnetd_rules (It saddens me that this is even necessary)
>>>> vmware_rules
>>>>
>>>> The basic idea being that these are rules that are likely to match in
>>>> the majority of networks. There are some rules in there that I would
>>>> disable in my network, but it's minimalistic enough that I don't think
>>>> having them enabled would be a major problem anyway.
>>>>
>>>> Decoders, in their current form, are a bit more of a problem. As far as
>>>> I'm aware, the only two decoder files that the system will use are the
>>>> default decoder.xml file and the local_decoder.xml file you can use to
>>>> add additional decoders.
>>>>
>>>> Since rulesets are somewhat useless without the decoders that go along
>>>> with them, the only way I see to add additional rulesets is to manually
>>>> add the decoders to the local_decoder.xml file for each ruleset you
>>>> need. I wonder if there's a way to combine the rulesets and decoders,
>>>> or have a way to specify additional decoder files. That might make
>>>> things a bit easier.
>>>>
>>>> --
>>>> ---------------------------
>>>> Jason 'XenoPhage' Frisvold
>>>> [email protected]
>>>> ---------------------------
>>>>
>>>> "Any sufficiently advanced magic is indistinguishable from technology."
>>>> - Niven's Inverse of Clarke's Third Law

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
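As an added example that is not part of the original thread and not OSSEC's own tooling: a small Python pre-flight check for the "catalog rule IDs and share rulesets" idea discussed above. Before a contributed ruleset is dropped into local_rules.xml / local_decoder.xml, it parses the OSSEC-style rules and decoder fragments and flags rule IDs that collide with the shipped rules, IDs outside the 100000-119999 range OSSEC reserves for local rules, `<decoded_as>` names with no decoder, and `<if_sid>` parents that exist nowhere. All XML in the block is constructed for the example; the `hbase-region` decoder and its regex are hypothetical, not a real HBase decoder, and the "shipped" sshd rules are an abridged stand-in, not the real sshd_rules.xml.

```python
"""Pre-flight check for a contributed OSSEC ruleset (example code, not OSSEC's).

OSSEC rules and decoder files are XML fragments: several top-level <group> or
<decoder> elements with no enclosing root, so they are wrapped before parsing.
All XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Range OSSEC reserves for local (user-added) rule ids.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed, abridged stand-in for a shipped rules file (sshd_rules.xml style).
SHIPPED_RULES = """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
  </rule>
</group>
"""

# Constructed stand-in for the shipped decoder.xml.
SHIPPED_DECODERS = """
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>
"""

# Hypothetical contributed decoder (not a real HBase decoder), as it would go in local_decoder.xml.
NEW_DECODERS = r"""
<decoder name="hbase-region">
  <prematch>HRegionServer</prematch>
  <regex>^(\d+-\d+-\d+ \d+:\d+:\d+),\d+ (\w+) </regex>
  <order>extra_data, status</order>
</decoder>
"""

# Hypothetical contributed rules, with one deliberate problem of each kind.
NEW_RULES = """
<group name="hbase,">
  <rule id="100100" level="0">
    <decoded_as>hbase-region</decoded_as>
    <description>HBase RegionServer messages grouped.</description>
  </rule>
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>ERROR</match>
    <description>HBase RegionServer logged an ERROR.</description>
  </rule>
  <rule id="5716" level="10">
    <if_sid>5700</if_sid>
    <description>Reuses a shipped sshd rule id.</description>
  </rule>
  <rule id="100102" level="3">
    <decoded_as>hbase-master</decoded_as>
    <if_sid>100150</if_sid>
    <description>Points at a decoder and a parent rule that do not exist.</description>
  </rule>
</group>
"""


def _fragment(text):
    """Parse a root-less OSSEC XML fragment by wrapping it in a synthetic root."""
    return ET.fromstring("<ossec_fragment>" + text + "</ossec_fragment>")


def rule_index(rules_xml):
    """Map rule id -> {decoded_as, if_sid} for every <rule> in the fragment."""
    index = {}
    for rule in _fragment(rules_xml).iter("rule"):
        if_sid = (rule.findtext("if_sid") or "").replace(" ", "")
        index[int(rule.get("id"))] = {
            "decoded_as": (rule.findtext("decoded_as") or "").strip() or None,
            "if_sid": [int(s) for s in if_sid.split(",") if s],
        }
    return index


def decoder_names(decoders_xml):
    """Names declared by <decoder> elements in a decoder.xml / local_decoder.xml fragment."""
    return {d.get("name") for d in _fragment(decoders_xml).iter("decoder")}


def check_ruleset(shipped_rules_xml, shipped_decoders_xml, new_rules_xml, new_decoders_xml):
    """Return human-readable problems; an empty list means the ruleset is safe to drop in."""
    shipped = rule_index(shipped_rules_xml)
    new = rule_index(new_rules_xml)
    known_decoders = decoder_names(shipped_decoders_xml) | decoder_names(new_decoders_xml)
    all_rule_ids = set(shipped) | set(new)
    issues = []
    for rid, meta in sorted(new.items()):
        if rid in shipped:
            issues.append(f"rule {rid}: collides with a shipped rule")
        if not LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            issues.append(f"rule {rid}: outside the local rule id range {LOCAL_ID_MIN}-{LOCAL_ID_MAX}")
        if meta["decoded_as"] and meta["decoded_as"] not in known_decoders:
            issues.append(f"rule {rid}: decoded_as '{meta['decoded_as']}' has no decoder")
        for parent in meta["if_sid"]:
            if parent not in all_rule_ids:
                issues.append(f"rule {rid}: if_sid {parent} does not exist")
    return issues


if __name__ == "__main__":
    for problem in check_ruleset(SHIPPED_RULES, SHIPPED_DECODERS, NEW_RULES, NEW_DECODERS):
        print(problem)
```

Run against a real install by reading the shipped rules/*.xml files and decoder.xml in place of the constructed strings; anything the checker reports is exactly what a shared-ruleset repo would need a contributor to fix before the ruleset can be activated by adding its `<include>` and `<localfile>` stanzas to ossec.conf.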
