On Wed, Aug 10, 2011 at 2:35 PM, cgzones <[email protected]> wrote:
> Hi list,
> I'm running ossec 2.6 (the first snapshot after the release) on debian 6.
> I have some questions/requests about ossec.
>
> 1
> In the help text of "/bin/ossec-logtest -h" it still says "-f Run in
> foreground". I thought this was edited?

Which commit do you think that was changed in? It appears to still be in the code.

> 2
> Could it be possible to give more output during "/bin/ossec-logtest -f"
> about the decoders? For rules the output is detailed, but for the
> decoders you don't see which decoders were executed and which
> children/parent decoders were tested. This would be great.

I'm guessing it'd be possible to add that code.

> 3
> Is it possible to configure several command logfiles
> (process monitoring) with different time intervals?

Yes.

> 4
> With the syscheck option for directories "report_changes" it is possible
> to display the exact change in a file. But for security reasons it is
> not recommendable to do this, because someone unwanted can read the mail
> and see some internal config files. So is it possible to check these
> exact changes, not sending them per email, but saving them to disk so
> that (only) root can check out these changes?

Not that I'm aware of. Keep a backup of the files, use the diff command to see the changes.

> 5
> Will there be / is there a rule option <same_dst_ip/> and
> <same_dst_port/> for frequency rules?

analysisd/rules.c:
    char *xml_same_dst_port = "same_dst_port";

I don't see anything about destination ip.

> 6
> Why is the process-id in the filename of the pid-file? Because without
> this (mostly) random number it is easier to monitor the pid-file (e.g.
> with monit).
>
> 7
> Can this issue
> (https://bitbucket.org/dcid/ossec-hids/issue/26/ossec-init-script-misses-insserv-tags-for)
> be handled, so that there are no warnings during the debian command
> insserv? (Here is the debian page with a default init-script header:
> http://wiki.debian.org/LSBInitScripts)
>
> 8
> I want to observe a directory with syscheck totally, so with <directories
> check_all="yes">/dir</directories> (maybe with report_changes and realtime).
> But in one specific child directory I don't want to observe the
> file contents, only owner, group and permission. Which of the following
> methods work?
>
> i
> <directories check_all="yes">/dir</directories>
> <ignore>/dir/child/</ignore>
> <directories check_owner="yes" check_group="yes"
> check_perm="yes">/dir/child/</directories>
>
> ii
> <directories check_all="yes">/dir</directories>
> <directories check_owner="yes" check_group="yes"
> check_perm="yes">/dir/child/</directories>
>
> iii
> <directories check_all="yes">/dir</directories>
> <directories check_sum="no">/dir/child/</directories>
>
> iv
> ignore /dir/child/ with a rule with <match>/dir/child/</match>

Create rules to ignore the alerts you don't want to see about that child directory. The syscheck configuration is limited.

> 9
> I read that level 0 rules are forgotten immediately, so they aren't counted
> for frequency rules. Would the following work?
> (if e.g. test1 is triggered two times and test2 one time, would rule 101080
> fire?)
>
> <rule id="101000" level="4">
> <decoded_as>someone</decoded_as>
> <description>Catch all entry.</description>
> </rule>
> <rule id="101010" level="0">
> <if_sid>101000</if_sid>
> <match>test1</match>
> <description>log 1</description>
> </rule>
> <rule id="101011" level="0">
> <if_sid>101000</if_sid>
> <match>test2</match>
> <description>log 2</description>
> </rule>
> <rule id="101080" level="4" frequency="3" timeframe="120">
> <if_matched_sid>101000</if_matched_sid>
> <description>Multiple log.</description>
> </rule>
>
> Best regards,
> Christian Göttsche
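A concrete form of the "keep a backup and use diff" answer to question 4, added here as an example that is not part of the thread or of OSSEC: each watched file gets a root-only baseline copy on disk, and every change is recorded as a unified diff under the same owner-only directory instead of being mailed out. The snapshot path /var/lib/confdiffs and the script name confdiff.sh are assumptions.

```shell
#!/bin/sh
# Added example (not OSSEC code): on-disk, owner-only record of config changes.
# Assumption: SNAP_DIR (default /var/lib/confdiffs, hypothetical path) lives on
# local disk and the script runs as root, e.g. from cron.

SNAP_DIR="${SNAP_DIR:-/var/lib/confdiffs}"

# snapshot_and_diff FILE
# Prints one of: new | unchanged | changed <path-of-diff>
snapshot_and_diff() {
    file="$1"
    rel="${file#/}"                          # strip leading / for the copy tree
    copy="$SNAP_DIR/copies/$rel"
    umask 077                                # every file and dir is owner-only
    mkdir -p "$SNAP_DIR/copies/$(dirname "$rel")" \
             "$SNAP_DIR/diffs/$(dirname "$rel")"
    chmod 700 "$SNAP_DIR"                    # also if the dir pre-existed
    if [ ! -f "$copy" ]; then
        cp -p "$file" "$copy"                # first run: store the baseline only
        echo new
        return 0
    fi
    if cmp -s "$copy" "$file"; then
        echo unchanged
        return 0
    fi
    out="$SNAP_DIR/diffs/$rel.$(date +%Y%m%d%H%M%S).$$.diff"
    # diff exits 1 when the files differ and 2 on error; 1 is the expected case
    diff -u "$copy" "$file" > "$out" || [ $? -eq 1 ] || return 1
    cp -p "$file" "$copy"                    # the changed file is the new baseline
    echo "changed $out"
}

# Usage: list the files to watch on the command line, e.g.
#   ./confdiff.sh /etc/ssh/sshd_config /etc/passwd
for f in "$@"; do
    [ -f "$f" ] || { echo "skip $f (not a regular file)" >&2; continue; }
    printf '%s: ' "$f"
    snapshot_and_diff "$f"
done
```

Run it from cron at the interval you would otherwise give syscheck, and read the diffs as root; the mail alert can then stay at the plain "file changed" level.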
