Hi list,
I'm running ossec 2.6 (the first snapshot after the release) on debian 6.
I have some questions/requests about ossec.
1
In the help text of "/bin/ossec-logtest -h" it still says "-f Run in
foreground". I thought this was edited?
2
Could it be possible to give more output during "/bin/ossec-logtest -f"
about the decoders? For rules the output is detailed, but for the
decoders you don't see which decoders were executed and which
children/parent decoders were tested. This would be great.
3
Is it possible to configure several command-logfiles
(process-monitoring) with different time intervals?
4
With the syscheck option for directories "report_changes" it is possible
to display the exact change in a file. But for security reasons it is
not recommendable to do this, because someone unwanted can read the mail
and see some internal config-files. So is it possible to check these
exact changes, not by sending them per email, but by saving them to disk so
that (only) root can check out these changes?
5
Will there be /or is there a rule option <same_dst_ip/> and
<same_dst_port/> for frequency rules?
6
Why is the process-id in the filename of the pid-file? Because without
this (mostly) random number it is easier to monitor the pid-file (e.g.
with monit).
7
Can this issue
(https://bitbucket.org/dcid/ossec-hids/issue/26/ossec-init-script-misses-insserv-tags-for)
be handled, so that there are no warnings during the debian-command
insserv? (Here is the debian-page with a default init-script-header:
http://wiki.debian.org/LSBInitScripts)
8
I want to observe a directory with syscheck totally, so with <directories
check_all="yes">/dir</directories> (maybe with report_changes and realtime).
But in one specific child-directory I don't want to observe the
file-contents, only owner, group and permission. Which of the following
methods work?
i
<directories check_all="yes">/dir</directories>
<ignore>/dir/child/</ignore>
<directories check_owner="yes" check_group="yes"
check_perm="yes">/dir/child/</directories>
ii
<directories check_all="yes">/dir</directories>
<directories check_owner="yes" check_group="yes"
check_perm="yes">/dir/child/</directories>
iii
<directories check_all="yes">/dir</directories>
<directories check_sum="no">/dir/child/</directories>
iv
ignore /dir/child/ with a rule with <match>/dir/child/</match>

9
I read that level 0 rules are forgotten immediately, so they aren't counted
for frequency rules. Would the following work?
(If, say, test1 triggered two times and test2 one time, would rule 101080
fire?)

<rule id="101000" level="4">
    <decoded_as>someone</decoded_as>
    <description>Catch all entry.</description>
</rule>
<rule id="101010" level="0">
    <if_sid>101000</if_sid>
    <match>test1</match>
    <description>log 1</description>
</rule>
<rule id="101011" level="0">
    <if_sid>101000</if_sid>
    <match>test2</match>
    <description>log 2</description>
</rule>
<rule id="101080" level="4" frequency="3" timeframe="120">
    <if_matched_sid>101000</if_matched_sid>
    <description>Multiple log.</description>
</rule>

Best regards,
                   Christian Göttsche