I did see that script. Seemed really interesting. Due to a lack of a test 
environment, I didn't try it, but reading it, I was under the impression 
that it only worked with a Wazuh installation and not with vanilla OSSEC. 
Would it actually work without installing Wazuh?

On Thursday, June 8, 2017 at 5:14:07 AM UTC-4, Jesus Linares wrote:
>
> Hi Alexis,
>
> Dan's method is the faster way to do it and it should work properly.
>
> Saying that, Wazuh makes a great effort to centralize decoders, rules, 
> rootchecks and OpenSCAP content in the wazuh-ruleset 
> <https://github.com/wazuh/wazuh-ruleset> repository. Also, a script 
> <https://documentation.wazuh.com/current/user-manual/ruleset/update.html> to 
> update the ruleset is provided. Unfortunately, the ruleset (and the script) 
> only work with Wazuh manager 2.0 due to compatibility issues (we included 
> dynamic fields 
> <https://documentation.wazuh.com/current/user-manual/ruleset/dynamic-fields.html>), 
> but OSSEC agents are fully compatible with Wazuh manager.
>
> I hope it helps.
> Regards.
>
> On Thursday, June 8, 2017 at 3:48:05 AM UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 7, 2017 at 4:24 PM, Alexis Lessard 
>> <alexisl...@gmail.com> wrote: 
>> > Hi! 
>> > 
>> > What is the cleanest and easiest way to update rules and signatures of 
>> > attacks and threats in ossec? I'm looking maybe for a command I could use to 
>> > automate it. When I execute bin/manage_agents -V (to obtain version), I get 
>> > this: 
>> > OSSEC HIDS v2.8.3 - Trend Micro Inc. 
>> > 
>> > According to the documentation for 2.8.1 right here, in order to update 
>> > those rules, we have to download the installation package and reinstall it. 
>> > The installation script should ask us to update. That seems pretty 
>> > complicated and unorthodox. Is there a simpler way? 
>> > 
>>
>> Clone the github repo, copy the decoder.xml and rules files to the 
>> proper directory, restart ossec. 
>>
>> > Also, I think I should ask that question: Does anyone know how often does 
>> > ossec update their signatures and rules, or if they update them at all? 
>> > 
>>
>> When we do. A lot of it depends on how often people submit new rules, 
>> decoders or even log samples. 
>>
>> > Thanks! 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to ossec-list+...@googlegroups.com. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>
