RE: [ossec-list] What's your favorite rules?

2016-03-03 Thread lostinthetubez
Good thread idea. I’ve copied a few Windows-centric rules below. Some of the rules that lean heavily on could no doubt be improved, but they don’t bother me with false positives or performance issues in my small environment, so I don’t worry about it. YMMV. I also have some decoders and rules f

Re: [ossec-list] What's your favorite rules?

2016-03-04 Thread namobuddhaonion
Awesome, I would love to see more as you feel comfortable posting them. This was *exactly* what I was looking for. Thanks! On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: > > Good thread idea. I’ve copied a few Windows-centric rules below. Some of > the rules that lean

Re: [ossec-list] What's your favorite rules?

2016-04-22 Thread namobuddhaonion
These worked great, just wondering if you have any updates. On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: > > Good thread idea. I’ve copied a few Windows-centric rules below. Some of > the rules that lean heavily on could no doubt be improved, but they > don’t bother m

Re: [ossec-list] What's your favorite rules?

2016-04-24 Thread theresa mic-snare
1002 ;)) On Friday, 22 April 2016 19:07:32 UTC+2, namobud...@gmail.com wrote: > > These worked great, just wondering if you have any updates. > > On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: >> >> Good thread idea. I’ve copied a few Windows-centric rules below. So

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Jesus Linares
Interesting thread. Lately I'm using Amazon EC2 Rules; I find them really useful, and you can find more rules for Amazon in the linked repository. You may also find this script interesting

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
I woke up this morning with a notification on my phone that the following rule fired again: 31108 "\(\)\s*{\s*:;\s*}\s*; Shellshock attack detected attack,pci_dss_11.4, Just as I thought that the Shellshock hype was over... someone from China tried t

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
Also, I should explain why I first wrote 1002. I often check for this rule (2 - Unknown problem somewhere in the system.) just to see if there are any false positives that haven't been covered by an existing rule yet. Then I would see which log event needs a new rule or decoder, so that it wo

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
What _rules.xml file is 1002 located in? I wish I had some kind of rules legend to reference. Thanks. ;-) On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare wrote: > > Also, I should explain why I first wrote 1002 > I often check for this rule (2 - Unknown problem somewh

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread dan (ddp)
On Tue, Apr 26, 2016 at 10:15 AM, Rob B wrote: > what _rules.xml file is 1002 located? I wish I had some kind of rules > legend to reference. Thanks. ;-) > [ddp@ix] :; grep '"1002"' /var/ossec/rules/*_rules.xml /var/ossec/rules/syslog_rules.xml: > > > On Tuesday, April 26, 2016 at 8:2
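The "rules legend" Rob asks for, as an added example that is not part of the thread or of OSSEC itself: a Python script that parses OSSEC-style *_rules.xml fragments into an id → file/level/description/groups table and applies the rule 31108 regex quoted earlier to constructed access-log lines. The rule ids, descriptions and regex are the ones quoted in the thread; the file contents, levels and log lines are constructed, and the regex is assumed to be valid as a Python pattern.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments in the layout of OSSEC's *_rules.xml files (not the real files;
# the ids, descriptions and regex come from the thread, the levels are made up).
SAMPLE_RULE_FILES = {
    "syslog_rules.xml": r"""<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>""",
    "web_rules.xml": r"""<group name="web,accesslog,">
  <rule id="31108" level="6">
    <regex>\(\)\s*{\s*:;\s*}\s*;</regex>
    <description>Shellshock attack detected</description>
    <group>attack,pci_dss_11.4,</group>
  </rule>
</group>""",
}

def _split_groups(text):
    return [g.strip() for g in (text or "").split(",") if g.strip()]

def build_legend(rule_files):
    """Map each rule id to the file it lives in, its level, description, groups and regex."""
    legend = {}
    for fname, xml_text in rule_files.items():
        # Rule files are XML fragments (several top-level <group>s), so wrap them in a root.
        root = ET.fromstring("<root>" + xml_text + "</root>")
        for group in root.findall("group"):
            inherited = _split_groups(group.get("name"))
            for rule in group.findall("rule"):
                legend[rule.get("id")] = {
                    "file": fname,
                    "level": int(rule.get("level", "0")),
                    "description": (rule.findtext("description") or "").strip(),
                    "groups": inherited + _split_groups(rule.findtext("group")),
                    "regex": rule.findtext("regex"),
                }
    return legend

def matching_rules(legend, log_line):
    """Ids of rules whose <regex> matches the line (pattern assumed valid for Python re)."""
    return sorted(rid for rid, r in legend.items()
                  if r["regex"] and re.search(r["regex"], log_line))

# Constructed access-log lines: one carrying the Shellshock marker, one benign.
LOG_LINES = [
    '10.0.0.1 - - [26/Apr/2016:07:12:01 +0200] "GET / HTTP/1.1" 200 612 "-" "() { :; }; probe"',
    '10.0.0.2 - - [26/Apr/2016:07:12:05 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    legend = build_legend(SAMPLE_RULE_FILES)
    for rid, r in sorted(legend.items()):
        print(f'{rid} level={r["level"]} file={r["file"]} "{r["description"]}" groups={",".join(r["groups"])}')
    for line in LOG_LINES:
        print(matching_rules(legend, line) or "no match", "<-", line[-30:])
```

Pointing the loader at the real /var/ossec/rules/*_rules.xml files gives the same id → file lookup dan's grep does, with level and description alongside.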

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
NM, found it! ;-) syslog duh. On Tuesday, April 26, 2016 at 10:15:03 AM UTC-4, Rob B wrote: > > what _rules.xml file is 1002 located? I wish I had some kind of rules > legend to reference. Thanks. ;-) > > > > On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare wrote:

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
I find this a very interesting set of rule(s) 18100 /services.exe Sysmon - Suspicious Process - services.exe pci_dss_10.6.1,pci_dss_11.4, 184746 wininit.exe Sysmon - Legitimate Parent Image - services.exe On Tuesday, April 26, 2016 at 10:17:17 AM UTC-4, dan (ddpbsd) wrote