I woke up this morning with a notification on my phone that this following
rule fired again:
<rule id="31166" level="15">
<if_sid>31108</if_sid>
<regex>"\(\)\s*{\s*:;\s*}\s*;</regex>
<description>Shellshock attack detected</description>
<group>attack,pci_dss_11.4,</group>
</rule>
Just as I thought that the Shellshock hype was over......someone from China
tried to penetrate my server again...
harmless since I patch my server frequently, but still interesting to see
what's going on....
Good to see that OSSEC is capable of detecting recent/modern threats :)
Am Dienstag, 26. April 2016 13:44:42 UTC+2 schrieb Jesus Linares:
>
> Interesting thread.
>
> lately I'm using Amazon EC2 Rules
> <https://github.com/wazuh/ossec-rules/tree/master/rules-decoders/amazon-ec2>,
> I feel them really useful and you can find more rules for Amazon in the
> linked repository. Also, you can find interesting this script
> <http://blog.wazuh.com/keep-your-ruleset-updated-automatically/>to update
> your rules automatically.
>
> I would like to know what rules are you missing in OSSEC.
>
>
> Regards.
> Jesus Linares.
>
> On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote:
>>
>> 1002 ;))))))
>>
>> Am Freitag, 22. April 2016 19:07:32 UTC+2 schrieb namobud...@gmail.com:
>>>
>>> These worked great, just wondering if you have any updates.
>>>
>>> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>>>
>>>> Good thread idea. I’ve copied a few Windows-centric rules below. Some
>>>> of the rules that lean heavily on <match> could no doubt be improved, but
>>>> they don’t bother me with false positives or performance issues in my
>>>> small
>>>> environment, so I don’t worry about it. YMMV. I also have some decoders
>>>> and
>>>> rules for Cowrie honeypots, but intend to polish those up and submit a
>>>> pull
>>>> request for those one of these days. If anyone is interested in testing
>>>> them though, I could send those off list.
>>>>
>>>>
>>>>
>>>> <rule id="100006" level="8">
>>>>
>>>> <if_sid>594</if_sid>
>>>>
>>>> <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
>>>>
>>>> <description>A change has been made to the software that
>>>> automatically runs at startup.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100010" level="7">
>>>>
>>>> <if_sid>18103</if_sid>
>>>>
>>>> <match>Length specified in network packet</match>
>>>>
>>>> <description>Somebody is sending malformed data to your SQL
>>>> Server. You should probably investigate.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100011" level="10">
>>>>
>>>> <if_sid>18101</if_sid>
>>>>
>>>> <match>PSEXESVC|PsExec</match>
>>>>
>>>> <description>Remote access via PSEXEC. If this wasn't initiated
>>>> by you, then you've got a problem.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100013" level="8">
>>>>
>>>> <if_sid>18102</if_sid>
>>>>
>>>> <id>^2004$</id>
>>>>
>>>> <match>diagnosed</match>
>>>>
>>>> <description>There's a problem with abnormal memory usage on
>>>> this system! Please investigate the indicated processes.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100014" level="7">
>>>>
>>>> <if_sid>18104</if_sid>
>>>>
>>>> <id>4698</id>
>>>>
>>>> <description>A scheduled task has been created on this machine.
>>>> Please review.</description>
>>>>
>>>> <info>Requires group policy modification to the Advanced
>>>> Security Audit policy/Audit Other Object Access Events. See:
>>>> https://technet.microsoft.com/en-us/library/dn319119.aspx</info>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100016" level="1">
>>>>
>>>> <if_sid>18103</if_sid>
>>>>
>>>> <id>36874|36888</id>
>>>>
>>>> <group>recon_ssl,</group>
>>>>
>>>> <description>Add Schannel errors to the custom recon_ssl
>>>> group</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100017" level="7" frequency="38" timeframe="120"
>>>> ignore="1800">
>>>>
>>>> <if_matched_group>recon_ssl</if_matched_group>
>>>>
>>>> <description>There have been over 40 SSL cipher suite probes in
>>>> the last two minutes. Someone may be performing reconnaissance on your
>>>> servers, assessing whether one of your SSL-enabled services is vulnerable
>>>> to exploits.</description>
>>>>
>>>> <info>Unfortunately, Schannel errors are of limited usefulness.
>>>> They occur without any indication of which IP address caused them, so
>>>> consulting contextual log info or firewall logs is the only way to track
>>>> down who is responsible.</info>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100022" level="7">
>>>>
>>>> <if_sid>18103</if_sid>
>>>>
>>>> <id>^1000$|^1002$|^7023$|^7034$</id>
>>>>
>>>> <!--<match>Fault|terminate</match>-->
>>>>
>>>> <description>A program or service has crashed. Investigate as
>>>> appropriate.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> <rule id="100026" level="7">
>>>>
>>>> <if_sid>18101</if_sid>
>>>>
>>>> <id>^7045$</id>
>>>>
>>>> <description>A new service has been installed on this
>>>> computer.</description>
>>>>
>>>> </rule>
>>>>
>>>>
>>>>
>>>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On
>>>> Behalf Of *namobud...@gmail.com
>>>> *Sent:* Thursday, March 3, 2016 6:35 AM
>>>> *To:* ossec-list <ossec...@googlegroups.com>
>>>> *Subject:* [ossec-list] What's your favorite rules?
>>>>
>>>>
>>>>
>>>> I'm wondering what everyone's favorite rules are.
>>>>
>>>>
>>>>
>>>> I'm trying to come up with some new rules to tighten security, so I
>>>> would like to hear (and see code snippets) or folks favorites, and what
>>>> they are designed to detect. I.E. detect commands run, look for certain
>>>> IOC's and so on. I'm impressed with how much OSSEC does out of box too!
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
