Also, I should explain why I first wrote 1002....
I often check for this rule (2 - Unknown problem somewhere in the system.)
just to see if there are any false-positives that haven't been covered by
an existing rule yet.
Then I would see which log event needs a new rule or decoder, so that it
would be covered the next time it occurs.... :)
Am Dienstag, 26. April 2016 14:08:29 UTC+2 schrieb theresa mic-snare:
>
> I woke up this morning with a notification on my phone that this following
> rule fired again:
>
> <rule id="31166" level="15">
> <if_sid>31108</if_sid>
> <regex>"\(\)\s*{\s*:;\s*}\s*;</regex>
> <description>Shellshock attack detected</description>
> <group>attack,pci_dss_11.4,</group>
> </rule>
>
> Just as I thought that the Shellshock hype was over......someone from
> China tried to penetrate my server again...
> harmless since I patch my server frequently, but still interesting to see
> what's going on....
>
> Good to see that OSSEC is capable of detecting recent/modern threats :)
>
> Am Dienstag, 26. April 2016 13:44:42 UTC+2 schrieb Jesus Linares:
>>
>> Interesting thread.
>>
>> lately I'm using Amazon EC2 Rules
>> <https://github.com/wazuh/ossec-rules/tree/master/rules-decoders/amazon-ec2>,
>>
>> I feel them really useful and you can find more rules for Amazon in the
>> linked repository. Also, you can find interesting this script
>> <http://blog.wazuh.com/keep-your-ruleset-updated-automatically/>to
>> update your rules automatically.
>>
>> I would like to know what rules are you missing in OSSEC.
>>
>>
>> Regards.
>> Jesus Linares.
>>
>> On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote:
>>>
>>> 1002 ;))))))
>>>
>>> Am Freitag, 22. April 2016 19:07:32 UTC+2 schrieb namobud...@gmail.com:
>>>>
>>>> These worked great, just wondering if you have any updates.
>>>>
>>>> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>>>>
>>>>> Good thread idea. I’ve copied a few Windows-centric rules below. Some
>>>>> of the rules that lean heavily on <match> could no doubt be improved, but
>>>>> they don’t bother me with false positives or performance issues in my
>>>>> small
>>>>> environment, so I don’t worry about it. YMMV. I also have some decoders
>>>>> and
>>>>> rules for Cowrie honeypots, but intend to polish those up and submit a
>>>>> pull
>>>>> request for those one of these days. If anyone is interested in testing
>>>>> them though, I could send those off list.
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100006" level="8">
>>>>>
>>>>> <if_sid>594</if_sid>
>>>>>
>>>>> <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
>>>>>
>>>>> <description>A change has been made to the software that
>>>>> automatically runs at startup.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100010" level="7">
>>>>>
>>>>> <if_sid>18103</if_sid>
>>>>>
>>>>> <match>Length specified in network packet</match>
>>>>>
>>>>> <description>Somebody is sending malformed data to your SQL
>>>>> Server. You should probably investigate.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100011" level="10">
>>>>>
>>>>> <if_sid>18101</if_sid>
>>>>>
>>>>> <match>PSEXESVC|PsExec</match>
>>>>>
>>>>> <description>Remote access via PSEXEC. If this wasn't
>>>>> initiated by you, then you've got a problem.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100013" level="8">
>>>>>
>>>>> <if_sid>18102</if_sid>
>>>>>
>>>>> <id>^2004$</id>
>>>>>
>>>>> <match>diagnosed</match>
>>>>>
>>>>> <description>There's a problem with abnormal memory usage on
>>>>> this system! Please investigate the indicated processes.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100014" level="7">
>>>>>
>>>>> <if_sid>18104</if_sid>
>>>>>
>>>>> <id>4698</id>
>>>>>
>>>>> <description>A scheduled task has been created on this
>>>>> machine. Please review.</description>
>>>>>
>>>>> <info>Requires group policy modification to the Advanced
>>>>> Security Audit policy/Audit Other Object Access Events. See:
>>>>> https://technet.microsoft.com/en-us/library/dn319119.aspx</info>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100016" level="1">
>>>>>
>>>>> <if_sid>18103</if_sid>
>>>>>
>>>>> <id>36874|36888</id>
>>>>>
>>>>> <group>recon_ssl,</group>
>>>>>
>>>>> <description>Add Schannel errors to the custom recon_ssl
>>>>> group</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100017" level="7" frequency="38" timeframe="120"
>>>>> ignore="1800">
>>>>>
>>>>> <if_matched_group>recon_ssl</if_matched_group>
>>>>>
>>>>> <description>There have been over 40 SSL cipher suite probes
>>>>> in the last two minutes. Someone may be performing reconnaissance on your
>>>>> servers, assessing whether one of your SSL-enabled services is vulnerable
>>>>> to exploits.</description>
>>>>>
>>>>> <info>Unfortunately, Schannel errors are of limited
>>>>> usefulness. They occur without any indication of which IP address caused
>>>>> them, so consulting contextual log info or firewall logs is the only way
>>>>> to
>>>>> track down who is responsible.</info>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100022" level="7">
>>>>>
>>>>> <if_sid>18103</if_sid>
>>>>>
>>>>> <id>^1000$|^1002$|^7023$|^7034$</id>
>>>>>
>>>>> <!--<match>Fault|terminate</match>-->
>>>>>
>>>>> <description>A program or service has crashed. Investigate as
>>>>> appropriate.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> <rule id="100026" level="7">
>>>>>
>>>>> <if_sid>18101</if_sid>
>>>>>
>>>>> <id>^7045$</id>
>>>>>
>>>>> <description>A new service has been installed on this
>>>>> computer.</description>
>>>>>
>>>>> </rule>
>>>>>
>>>>>
>>>>>
>>>>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On
>>>>> Behalf Of *namobud...@gmail.com
>>>>> *Sent:* Thursday, March 3, 2016 6:35 AM
>>>>> *To:* ossec-list <ossec...@googlegroups.com>
>>>>> *Subject:* [ossec-list] What's your favorite rules?
>>>>>
>>>>>
>>>>>
>>>>> I'm wondering what everyone's favorite rules are.
>>>>>
>>>>>
>>>>>
>>>>> I'm trying to come up with some new rules to tighten security, so I
>>>>> would like to hear (and see code snippets) or folks favorites, and what
>>>>> they are designed to detect. I.E. detect commands run, look for certain
>>>>> IOC's and so on. I'm impressed with how much OSSEC does out of box too!
>>>>>
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to ossec-list+...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
