Hi Alexis,

Dan's method is the faster way to do it and it should work properly.

That said, Wazuh makes a great effort to centralize decoders, rules,
rootchecks and OpenSCAP content in the wazuh-ruleset
<https://github.com/wazuh/wazuh-ruleset> repository. Also, a script
<https://documentation.wazuh.com/current/user-manual/ruleset/update.html> to
update the ruleset is provided. Unfortunately, the ruleset (and the script)
only work with Wazuh manager 2.0 due to compatibility issues (we included
dynamic fields
<https://documentation.wazuh.com/current/user-manual/ruleset/dynamic-fields.html>),
but OSSEC agents are fully compatible with Wazuh manager.

I hope it helps.
Regards.

On Thursday, June 8, 2017 at 3:48:05 AM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Jun 7, 2017 at 4:24 PM, Alexis Lessard <alexisl...@gmail.com> wrote:
> > Hi!
> >
> > What is the cleanest and easiest way to update rules and signatures of
> > attacks and threats in ossec? I'm looking maybe for a command I could use to
> > automate it. When I execute bin/manage_agents -V (to obtain version), I get
> > this:
> > OSSEC HIDS v2.8.3 - Trend Micro Inc.
> >
> > According to the documentation for 2.8.1 right here, in order to update
> > those rules, we have to download the installation package and reinstall it.
> > The installation script should ask us to update. That seems pretty
> > complicated and unorthodox. Is there a simpler way?
> > 
>
> Clone the github repo, copy the decoder.xml and rules files to the 
> proper directory, restart ossec. 
>
> > Also, I think I should ask that question: Does anyone know how often does
> > ossec update their signatures and rules, or if they update them at all?
> > 
>
> When we do. A lot of it depends on how often people submit new rules, 
> decoders or even log samples. 
>
> > Thanks! 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
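
Added example (not part of the thread, and not OSSEC or Wazuh project code): a shell function for the copy step dan describes above, which backs up the current decoder and rules first and leaves an existing local_rules.xml untouched. The checkout layout (etc/decoder.xml, etc/rules/*.xml), the /var/ossec prefix and the function name are assumptions.

```shell
#!/bin/sh
# Assumptions (not from the thread): the cloned repository keeps its ruleset in
# etc/decoder.xml and etc/rules/*.xml, and OSSEC is installed under /var/ossec
# with etc/decoder.xml and rules/ below it.

# update_ruleset CHECKOUT_DIR OSSEC_DIR
# Copies decoder.xml and the rules files into the install, after backing up
# the files being replaced. Prints the backup directory on success and
# returns non-zero, without touching the install, if the inputs look wrong.
update_ruleset() {
    src=$1
    dest=$2
    [ -f "$src/etc/decoder.xml" ] && [ -d "$src/etc/rules" ] || {
        echo "no etc/decoder.xml or etc/rules/ in $src" >&2; return 1; }
    [ -d "$dest/etc" ] && [ -d "$dest/rules" ] || {
        echo "$dest does not look like an OSSEC install" >&2; return 1; }

    # Timestamped copy of the current decoder and rules, for rollback.
    backup="$dest/ruleset-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    cp -p "$dest/etc/decoder.xml" "$backup/" 2>/dev/null || true
    cp -Rp "$dest/rules" "$backup/rules" || return 1

    cp "$src/etc/decoder.xml" "$dest/etc/decoder.xml" || return 1
    for f in "$src"/etc/rules/*.xml; do
        [ -f "$f" ] || continue
        # local_rules.xml holds site-specific rules: keep the installed copy.
        [ "$(basename "$f")" = "local_rules.xml" ] &&
            [ -f "$dest/rules/local_rules.xml" ] && continue
        cp "$f" "$dest/rules/" || return 1
    done
    echo "$backup"
}

# Typical use, as root, from a cron job or by hand (paths are assumptions):
#   update_ruleset /opt/src/ossec-checkout /var/ossec &&
#       /var/ossec/bin/ossec-control restart
```

To roll back, copy decoder.xml and rules/ from the printed backup directory into place and restart again.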
