On Thu, Jul 15, 2010 at 8:31 PM, Jeremy Rossi <[email protected]> wrote:
>
>> Is there any sort of rules repository out there for OSSEC? I saw an
>> older message asking about this, but there wasn't a definitive response...
>
> Been thinking about this a lot and even got started on it. Here is what I
> have started and also think ddpbsd has started something but I lost the
> link.
>
> I use mercurial so went with bitbucket.org.
>
> Set up http://bitbucket.org/jrossi/ossec-rules/ that has all the current
> rules and policies and other things from the standard ossec releases.
>
> To hack on them fork on bitbucket.org (free account available) and send pull
> requests or email with pull requests. I am willing to maintain the central
> repo and handle merging of other people's contributions.
>
> I am also the author of the unittesting patch[1] for ossec (not accepted and
> not in ossec yet;)) but I plan on performing full unit testing of rules so
> that something else that people can contribute it would be great.
>
> [1]:
> <http://bitbucket.org/jrossi/ossec-hids-patches/src/tip/rules-unittests.patch>
>
My rules are at http://code.google.com/p/wip-ossec-rules

The ossec directory contains the rules from the latest snapshot (that I've uploaded anyways), along with a populated local_rules.xml/local_decoder.xml from the rules I'm working on. The decoder.xml is tweaked slightly from the main decoder.xml, but that's because I haven't gotten around to pushing my changes upstream.

dan
