the updater-rules script is super cool, takes the weight off my shoulders of having to update them manually. (caution: only works for rules in the master branch!!) love it :)
On Tuesday, January 5, 2016 at 20:16:46 UTC+1, Santiago Bassett wrote:

> Forgot to mention all rules and decoders are fully compatible with any OSSEC version higher or equal to 2.8, so you can use those whether or not you decide to use the other modules (for integration with ELK or the RESTful API). There is actually a script/tool that can be used to keep the rules updated.
>
> Best
>
> On Tue, Jan 5, 2016 at 11:14 AM, Santiago Bassett <santiago...@gmail.com> wrote:
>
>> Hi,
>>
>> the dashboards we have created can be found here:
>>
>> https://github.com/wazuh/ossec-wazuh/tree/master/extensions/kibana
>>
>> Regarding the rules, here is the repo:
>>
>> https://github.com/wazuh/ossec-rules
>>
>> When the rule is related to a PCI control, that information is included in the groups section, for example:
>>
>> <rule id="18106" level="5">
>>   <if_sid>18105</if_sid>
>>   <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>   <description>Windows Logon Failure.</description>
>>   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>> </rule>
>>
>> This, combined with the modified json output, allows us to create the dashboards for PCI in Kibana.
>>
>> On the other hand we are about to publish rules/decoders for Amazon AWS (in case you happen to use it), you can already see the work we are doing in the development branch.
>>
>> Best
>>
>> On Tue, Jan 5, 2016 at 7:13 AM, <namobud...@gmail.com> wrote:
>>
>>> I took a look and it looks great, but I was wondering if you had any customized dashboards or favorite OSSEC rules to share?
>>>
>>> Thanks for all the great work.
>>>
>>> On Tuesday, December 22, 2015 at 10:44:07 PM UTC-5, Santiago Bassett wrote:
>>>
>>>> Hi,
>>>>
>>>> in case you are interested, we have done some work integrating OSSEC with ELK (especially for those using them to be compliant with PCI DSS, not sure if this is the case), including the creation of Kibana dashboards.
>>>>
>>>> We have also created a RESTful API for OSSEC that we plan to use with new Kibana plugins functionality (added in version 4.2), to be able to monitor/control your OSSEC deployments from Kibana (e.g. agent status, syscheck or rootcheck settings, agent keys, loaded rules...)
>>>>
>>>> See more info in our website at:
>>>> http://documentation.wazuh.com/en/latest/ossec_elk.html
>>>>
>>>> Best regards,
>>>>
>>>> Santiago.
>>>>
>>>> On Thu, Dec 17, 2015 at 8:24 AM, <namobud...@gmail.com> wrote:
>>>>
>>>>> I've been tasked with tuning OSSEC.
>>>>>
>>>>> I've been wondering if there is a general guideline or process. We have OSSEC feeding into ELK stack. What are folks' thoughts on tuning vs. coming up with better Kibana hunting searches?
>>>>>
>>>>> Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
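The thread above explains that a rule's PCI DSS mapping lives in its `<group>` tag as `pci_dss_<control>` entries, and that the JSON output carrying those tags is what the Kibana PCI dashboards are built on. The script below is an added example, written for this page and not code from the wazuh/ossec-rules repository or the updater script mentioned in the thread. It parses an OSSEC rules file, splits each rule's comma-separated groups, pulls the PCI control numbers out of them, and attaches them to an alert record. The sample rules XML is constructed (the 18106 rule is the one quoted above; rule 100001 is invented so the filter has a non-PCI rule to leave out), and the alert shape used by `tag_alert()` is an assumption for the example, not the project's JSON format. It also handles the fact that real OSSEC rule files may contain several top-level `<group>` elements by wrapping the text in a synthetic root before parsing.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules file. Rule 18106 is the one quoted in the thread;
# rule 100001 (local rules id range) is an invented sibling with no PCI tag.
SAMPLE_RULES_XML = """
<group name="windows,">
  <rule id="18106" level="5">
    <if_sid>18105</if_sid>
    <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
    <description>Windows Logon Failure.</description>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="100001" level="3">
    <if_sid>18105</if_sid>
    <description>Constructed example rule without a PCI mapping.</description>
    <group>local,windows,</group>
  </rule>
</group>
"""

PCI_PREFIX = "pci_dss_"


def parse_rules(xml_text):
    """Return one dict per <rule>: id, level, description, the group tags as a
    list, and the PCI DSS control numbers extracted from those tags."""
    # OSSEC rule files may have more than one top-level <group>, which is not
    # well-formed XML on its own, so wrap everything in a synthetic root.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        # Groups are written as a comma-separated string with a trailing comma.
        raw = rule.findtext("group") or ""
        groups = [g.strip() for g in raw.split(",") if g.strip()]
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            "description": (rule.findtext("description") or "").strip(),
            "groups": groups,
            "pci_dss": [g[len(PCI_PREFIX):] for g in groups if g.startswith(PCI_PREFIX)],
        })
    return rules


def rules_for_control(rules, control):
    """Sorted rule ids mapped to a PCI DSS control such as "10.2.4"."""
    return sorted(r["id"] for r in rules if control in r["pci_dss"])


def tag_alert(alert, rules):
    """Copy an alert dict and add the matched rule's groups and PCI controls.

    The alert shape ({"rule_id": ..., ...}) is an assumption for this example.
    Unknown rule ids get empty lists rather than raising, so a dashboard
    pipeline keeps running when a custom rule is not in the parsed set."""
    by_id = {r["id"]: r for r in rules}
    rule = by_id.get(alert["rule_id"])
    if rule is None:
        return dict(alert, groups=[], pci_dss=[])
    return dict(alert, groups=rule["groups"], pci_dss=rule["pci_dss"])


if __name__ == "__main__":
    import json
    parsed = parse_rules(SAMPLE_RULES_XML)
    print("rules for 10.2.4:", rules_for_control(parsed, "10.2.4"))
    print(json.dumps(tag_alert({"rule_id": 18106, "agent": "dc01"}, parsed), indent=2))
```

Run it against a real rules file by replacing `SAMPLE_RULES_XML` with the file's contents; the `pci_dss` list on each tagged alert is the field a dashboard can facet on, and `rules_for_control()` is a quick way to audit which rules back a given control before trusting a PCI visualization.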