Re: [ossec-list] Sysmon OSSEC (Security Onion Integration)
On Sun, Mar 29, 2015 at 7:31 AM, DefensiveDepth <joshbro...@gmail.com> wrote:
> @dan How does the project typically like to see pull requests with custom decoders and/or rulesets? i.e. drop the new decoder in /etc/decoder.xml, create a new rules file under etc/rules/?

That should be fine. Or if the rules fit into one of the other categories, you can add them to the existing files. Once the pull request is up we can either guide you better, or massage the rules once they're committed.

It'd also be very helpful if you could provide sample logs to go with the rules and decoders. If you can add tests to contrib/ossec-testing/tests it would also be super helpful. I think the format is mostly self explanatory, but please ask if I'm mistaken.

> -Josh
>
> On Friday, March 27, 2015 at 9:32:18 AM UTC-4, dan (ddpbsd) wrote:
>> On Fri, Mar 27, 2015 at 9:27 AM, DefensiveDepth <joshb...@gmail.com> wrote:
>>> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level Capabilities
>>>
>>> Of particular note, I wrote an OSSEC decoder and a number of rules for Sysmon Event ID 1: Process Created... They can be found on Github... Feel free to tweak, contribute back, send feedback, etc
>>
>> If you want to contribute them, we do enjoy pull requests.
>>
>>> Keep in mind that there may be issues with the current stable release (2.8) as the eventchannel bug is unfixed-- I believe the bug fix is slated to be released with 2.9... (https://github.com/ossec/ossec-hids/issues/224)
>>>
>>> -Josh

-- 
---
You received this message because you are subscribed to the Google Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Sysmon OSSEC (Security Onion Integration)
@dan How does the project typically like to see pull requests with custom decoders and/or rulesets? i.e. drop the new decoder in /etc/decoder.xml, create a new rules file under etc/rules/?

-Josh

On Friday, March 27, 2015 at 9:32:18 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Mar 27, 2015 at 9:27 AM, DefensiveDepth <joshb...@gmail.com> wrote:
>> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level Capabilities
>>
>> Of particular note, I wrote an OSSEC decoder and a number of rules for Sysmon Event ID 1: Process Created... They can be found on Github... Feel free to tweak, contribute back, send feedback, etc
>
> If you want to contribute them, we do enjoy pull requests.
>
>> Keep in mind that there may be issues with the current stable release (2.8) as the eventchannel bug is unfixed-- I believe the bug fix is slated to be released with 2.9... (https://github.com/ossec/ossec-hids/issues/224)
>>
>> -Josh
Re: [ossec-list] Sysmon OSSEC (Security Onion Integration)
On Fri, Mar 27, 2015 at 9:27 AM, DefensiveDepth <joshbro...@gmail.com> wrote:
> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level Capabilities
>
> Of particular note, I wrote an OSSEC decoder and a number of rules for Sysmon Event ID 1: Process Created... They can be found on Github... Feel free to tweak, contribute back, send feedback, etc

If you want to contribute them, we do enjoy pull requests.

> Keep in mind that there may be issues with the current stable release (2.8) as the eventchannel bug is unfixed-- I believe the bug fix is slated to be released with 2.9... (https://github.com/ossec/ossec-hids/issues/224)
>
> -Josh
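As an added illustration of what a decoder plus rules for Sysmon Event ID 1 actually have to do, here is a small Python model written for this page. It is not the decoder and rules from the paper, nor anything from the OSSEC tree. The "WinEvtLog: ..." line layout is my assumption about what the agent's eventchannel reader emits (check it against a real line from your agents), the rule IDs 100100/100101 are placeholders in OSSEC's local-rule range, the Office-spawns-interpreter rule is illustrative rule content, and the three log lines are constructed, not captured.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field names Sysmon emits for Event ID 1 (Process Create).
EVENT1_KEYS = (
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine",
)

# ASSUMPTION: the agent prefixes each event with
# "WinEvtLog: <channel>: <level>(<event id>): <source>: <user>: <domain>: <host>: "
# and the Sysmon message text follows. Spacing varies across OSSEC versions;
# adjust HEADER_RE to match what your agents actually ship.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>Microsoft-Windows-Sysmon/Operational): "
    r"\w+\((?P<event_id>\d+)\): .*?Process Create: (?P<body>.*)$"
)

# A key counts only at the start of the body or after whitespace, so that
# "Image: " is not matched inside "ParentImage: ".
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(EVENT1_KEYS) + r"): ")


def decode_sysmon_event1(line: str) -> Optional[Dict[str, str]]:
    """Decoder: return the Event ID 1 fields of a log line, or None when the
    line is not a Sysmon process-create event."""
    m = HEADER_RE.match(line)
    if m is None or m.group("event_id") != "1":
        return None
    body = m.group("body")
    keys = list(KEY_RE.finditer(body))
    fields: Dict[str, str] = {}
    for i, km in enumerate(keys):
        # Each value runs from the end of its key to the start of the next key.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[km.group(1)] = body[km.end():end].strip()
    return fields


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    image: str
    parent_image: str


# Illustrative rule content (not the rules from the paper).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def evaluate(fields: Dict[str, str]) -> Alert:
    """Rules: a low-level baseline alert for every process create and a
    higher-level alert when an Office application spawns an interpreter.
    Rule IDs are placeholders in OSSEC's local-rule range (ASSUMPTION)."""
    image = ntpath.basename(fields.get("Image", "")).lower()
    parent = ntpath.basename(fields.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        return Alert(100101, 10, "Office application spawned a command interpreter", image, parent)
    return Alert(100100, 3, "Sysmon: process created", image, parent)


def analyze(lines: List[str]) -> List[Alert]:
    """Run the decoder and the rules over a batch of log lines."""
    alerts = []
    for line in lines:
        fields = decode_sysmon_event1(line)
        if fields is None:
            continue  # not an Event ID 1 line; another decoder would own it
        alerts.append(evaluate(fields))
    return alerts


# Constructed sample lines (not real captures); GUIDs and hashes are dummies.
SAMPLE_LOGS = [
    r'WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WS01: Process Create: UtcTime: 2015-03-27 13:27:00.123 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3120 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\System32\notepad.exe" CurrentDirectory: C:\Users\bob\ User: CORP\bob LogonGuid: {00000000-0000-0000-0000-000000000002} LogonId: 0x3e7 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 ParentProcessGuid: {00000000-0000-0000-0000-000000000003} ParentProcessId: 1804 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE',
    r'WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WS01: Process Create: UtcTime: 2015-03-27 13:27:04.500 ProcessGuid: {00000000-0000-0000-0000-000000000004} ProcessId: 4212 Image: C:\Windows\System32\cmd.exe CommandLine: cmd.exe /c whoami CurrentDirectory: C:\Users\bob\Downloads\ User: CORP\bob LogonGuid: {00000000-0000-0000-0000-000000000002} LogonId: 0x3e7 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 ParentProcessGuid: {00000000-0000-0000-0000-000000000005} ParentProcessId: 2896 ParentImage: C:\Program Files\Microsoft Office\Office15\WINWORD.EXE ParentCommandLine: "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.doc"',
    # Event ID 3 (network connection): the Event ID 1 decoder must ignore it.
    r'WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WS01: Network connection detected: UtcTime: 2015-03-27 13:27:05.000 ProcessGuid: {00000000-0000-0000-0000-000000000004} ProcessId: 4212 Image: C:\Windows\System32\cmd.exe Protocol: tcp',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"rule {a.rule_id} level {a.level}: {a.description} ({a.parent_image} -> {a.image})")
```

The part worth carrying into a real OSSEC decoder is the key-boundary handling: Sysmon values contain spaces and backslashes, so the fields must be cut at the next known key name rather than at whitespace, and "Image" must not be matched inside "ParentImage". Feeding lines like the constructed ones above to ossec-logtest, and into contrib/ossec-testing/tests as dan suggests, is how you catch a regex that silently shifts field boundaries.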
Re: [ossec-list] Sysmon OSSEC (Security Onion Integration)
Sounds good, will do.

-Josh

On Friday, March 27, 2015 at 9:32:18 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Mar 27, 2015 at 9:27 AM, DefensiveDepth <joshb...@gmail.com> wrote:
>> Newly published paper: Using Sysmon to Enrich Security Onion's Host-Level Capabilities
>>
>> Of particular note, I wrote an OSSEC decoder and a number of rules for Sysmon Event ID 1: Process Created... They can be found on Github... Feel free to tweak, contribute back, send feedback, etc
>
> If you want to contribute them, we do enjoy pull requests.
>
>> Keep in mind that there may be issues with the current stable release (2.8) as the eventchannel bug is unfixed-- I believe the bug fix is slated to be released with 2.9... (https://github.com/ossec/ossec-hids/issues/224)
>>
>> -Josh
Re: [ossec-list] Sysmon OSSEC (Security Onion Integration)
Really cool stuff. Thanks for sharing.