excellent explanation, Dan! as always, thanks a lot :)

On Tuesday, 22 March 2016 12:47:23 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Mar 18, 2016 at 3:42 PM, theresa mic-snare
> <rockpr...@gmail.com> wrote:
> > ehlo *,
> >
> > I have an important question about CDB lists, as I'm just researching for my
> > thesis on OSSEC.
> > yes, i've read the documentation on readthedocs, maybe i'm too daft to
> > understand it.
> >
> > what I have done so far:
> >
> > I've created a file called "baddomains" in /var/ossec/lists/
> > content is from zeustracker
> > (https://zeustracker.abuse.ch/blocklist.php?download=baddomains)
> >
> > I've added the list in the <rules></rules> section
> > <list>lists/baddomains</list>
> >
> > i've run
> > # bin/ossec-makelists
> >
> > i'm not quite sure what the purpose of the CDB lists is.... should a rule
> > fire as soon as one of those domains (content of baddomains) is attacking
> > me?!
> > I don't think i've yet understood the positive/negative key match of it
> >
> > can someone please explain it to me with a real-life example?
> >
>
> I have a list with bad domains:
> <list>rules/lists/ossec.block</list>
>
> I get them from the same place you do, and more. The format is:
> DOMAIN:bad domain
>
> I have rules that watch my dns server logs for queries, and compare
> the domains with the cdb list:
> <rule id="500701" level="15">
>   <if_sid>500101</if_sid> <!-- DNS A request -->
>   <list field="url" lookup="match_key">lists/ossec.block</list>
>   <description>Bad domain.</description>
> </rule>
>
> It should compare the value of the url field to the cdb and alert on
> any DOMAIN found. I stuck undeadly.org in my block list for testing.
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 22 07:21:25 ix unbound: [5756:0] info: 127.0.0.1 undeadly.org. A IN'
>        hostname: 'ix'
>        program_name: 'unbound'
>        log: '[5756:0] info: 127.0.0.1 undeadly.org. A IN'
>
> **Phase 2: Completed decoding.
>        decoder: 'unbound'
>        srcip: '127.0.0.1'
>        url: 'undeadly.org'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '500101'
>        Level: '0'
>        Description: 'DNS A request.'
>
> Oops. So obviously I'm doing something wrong, but I haven't tried to
> track it down yet. That's how it's supposed to work though.
>
> > also what does CDB stand for? I haven't found that in the OSSEC Docs
> > either....
> > common database? central database?!
> >
> > thanks,
> > theresa
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
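The key-match lookup Dan describes, as an added example that is neither OSSEC's own code nor anything posted in the thread: a small Python emulation that parses a `key:value` source list in the `DOMAIN:bad domain` layout, decodes unbound query lines the way the ossec-testrule output above shows (`srcip` and `url` fields), and applies `match_key` the way rule 500701 is meant to, so a listed domain raises the level-15 "Bad domain." alert while everything else stays at the level-0 base rule. The list entries and log lines are constructed for the example; the `not_match_key` and `match_key_value` branches, and the trailing-dot/case normalization of the queried name, are this example's own assumptions about the semantics and not a description of how ossec-analysisd implements them.

```python
import re
from typing import Dict, Optional

# Constructed sample of a CDB source list in the "key:value" format from the
# thread. ossec-makelists would compile a file like this into a .cdb; here the
# dict plays the role of the compiled database.
BLOCKLIST_TEXT = """\
undeadly.org:bad domain
example-malware.test:bad domain
# blank lines and '#' comments are skipped by this emulation (an assumption)

"""

# Constructed unbound query log lines in the layout quoted in the thread.
SAMPLE_LOGS = [
    "Mar 22 07:21:25 ix unbound: [5756:0] info: 127.0.0.1 undeadly.org. A IN",
    "Mar 22 07:21:26 ix unbound: [5756:0] info: 127.0.0.1 www.openbsd.org. A IN",
    "Mar 22 07:21:27 ix unbound: [5756:0] info: 10.0.0.5 Example-Malware.test. A IN",
]


def normalize_domain(name: str) -> str:
    """Assumption of this example: compare names case-insensitively and
    without the trailing root dot that unbound prints after the query name."""
    return name.strip().rstrip(".").lower()


def load_cdb_list(text: str) -> Dict[str, str]:
    """Parse key:value lines into a dict keyed the way the CDB list is keyed.
    The key is everything before the first colon; the rest is the value."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[normalize_domain(key)] = value.strip()
    return entries


# Mirrors the fields the 'unbound' decoder produced in the testrule output.
UNBOUND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) unbound: "
    r"\[\d+:\d+\] info: (?P<srcip>\S+) (?P<url>\S+) (?P<qtype>\S+) IN$"
)


def decode_unbound(line: str) -> Optional[dict]:
    """Emulate the unbound decoder: return srcip/url fields or None if no match."""
    m = UNBOUND_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["url"] = normalize_domain(fields["url"])
    return fields


def lookup(entries: Dict[str, str], field_value: str,
           mode: str = "match_key", check_value: Optional[str] = None) -> bool:
    """Emulate the <list lookup="..."> modes on one decoded field value.

    match_key        -> true when the field value is a key in the list
    not_match_key    -> true when it is NOT a key in the list
    match_key_value  -> key present and its value matches the check_value regex
    (the last two are this example's reading of the semantics, an assumption)
    """
    key = normalize_domain(field_value)
    present = key in entries
    if mode == "match_key":
        return present
    if mode == "not_match_key":
        return not present
    if mode == "match_key_value":
        return present and check_value is not None \
            and re.search(check_value, entries[key]) is not None
    raise ValueError(f"unknown lookup mode: {mode}")


def evaluate(line: str, entries: Dict[str, str]) -> Optional[dict]:
    """Emulate rules 500101 (base DNS A request, level 0) and 500701
    (child rule: url field is a key in the block list, level 15)."""
    fields = decode_unbound(line)
    if fields is None:
        return None  # decoder did not match: no rule is evaluated
    alert = {"rule_id": "500101", "level": 0, "description": "DNS A request.",
             "srcip": fields["srcip"], "url": fields["url"]}
    if lookup(entries, fields["url"], "match_key"):
        alert.update(rule_id="500701", level=15, description="Bad domain.")
    return alert


if __name__ == "__main__":
    block = load_cdb_list(BLOCKLIST_TEXT)
    for log in SAMPLE_LOGS:
        print(evaluate(log, block))
```

Running the block prints one decoded result per sample line; the `undeadly.org` and `Example-Malware.test` queries come out as rule 500701 at level 15, the `www.openbsd.org` query stays at rule 500101 level 0. Keeping normalization in one function matters because a CDB lookup is an exact key comparison: if the decoder leaves a trailing dot or mixed case on the `url` field, a key that looks identical in the list file will simply not be found.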