I have been working on decoders and rules to process Hadoop logs which I
wrote a blog about:<shameless-plug>
http://vichargrave.com/securing-hadoop-with-ossec/ </shameless-plug>.  I'd
like to share these rules with the community as I come up with more and
expand into other big data platforms - cassandra, mongodb, etc.  However
these rules are not for everybody and are still a work in progress, so I'm
loath to put them into the rules set in the ossec-hids.

I'm thinking about creating an ossec-rules repo on OSSEC Github site that
would serve as a place to collect rules like this that have a limited
audience.  From here people could grab them and use them if interested or
even fork the repo and add new rules or revisions.

I suggest a structure something like this:

ossec-rules
    - hadoop
    - mongodb
    ...
    - some other system

One problem with this that I can see is keeping the rule ids for new rules
unique.  We'd have to figure out how to set aside rule id ranges that would
serve as namespaces or at least log the ids used by people as they add
rules.  If we do this we should have a well maintained README that
identifies the rule ID ranges and what they do.

If this seems too weird an idea I may just set up an ossec-rule repo on my own
Github account.

Any thoughts?

You received this message because you are subscribed to the Google Groups
"ossec-list" group.

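One way to enforce the reserved rule ID ranges the post proposes, as an added example that is not from the post or from OSSEC itself: a Python check that pulls rule ids out of the OSSEC rule XML under each top-level directory of such a repo and flags ids outside that directory's reserved range or defined in more than one file. The ID ranges and the sample rule files are constructed for the example.

```python
import re
from collections import defaultdict

# Per-directory rule id ranges (inclusive). The numbers are an assumption for
# this example; the real ranges would be recorded in the repo README.
ID_RANGES = {"hadoop": (110000, 110999), "mongodb": (111000, 111999)}

# Constructed sample standing in for an ossec-rules checkout: path -> file text.
# OSSEC rule files have no single root element, so ids are pulled with a regex
# rather than a strict XML parser.
SAMPLE_REPO = {
    "hadoop/hadoop_rules.xml": """
<group name="hadoop,">
  <rule id="110000" level="0"><decoded_as>hadoop</decoded_as>
    <description>Hadoop messages grouped.</description></rule>
  <rule id="110001" level="5"><if_sid>110000</if_sid>
    <match>Authentication failed</match>
    <description>Hadoop authentication failure.</description></rule>
</group>""",
    "mongodb/mongodb_rules.xml": """
<group name="mongodb,">
  <rule id="111000" level="0"><decoded_as>mongodb</decoded_as>
    <description>MongoDB messages grouped.</description></rule>
  <rule id="110001" level="7"><if_sid>111000</if_sid>   <!-- collides with hadoop -->
    <description>MongoDB authentication failure.</description></rule>
  <rule id="115000" level="3"><if_sid>111000</if_sid>   <!-- outside mongodb range -->
    <description>MongoDB rule with a stray id.</description></rule>
</group>""",
}

RULE_ID_RE = re.compile(r'<rule\b[^>]*\bid="(\d+)"')

def check_rule_ids(repo, ranges=ID_RANGES):
    """Return problem strings: ids outside the range reserved for their
    top-level directory, and ids defined in more than one file."""
    problems, seen = [], defaultdict(list)
    for path, text in repo.items():
        subdir = path.split("/", 1)[0]
        lo, hi = ranges.get(subdir, (None, None))
        for rid in (int(m) for m in RULE_ID_RE.findall(text)):
            seen[rid].append(path)
            if lo is None:
                problems.append(f"{path}: no id range reserved for '{subdir}'")
            elif not lo <= rid <= hi:
                problems.append(f"{path}: rule {rid} outside {subdir} range {lo}-{hi}")
    for rid, paths in sorted(seen.items()):
        if len(paths) > 1:
            problems.append(f"rule {rid} defined in {', '.join(sorted(paths))}")
    return problems
```

Run against a real checkout, the `SAMPLE_REPO` dict would be built by reading every `*.xml` under each top-level directory; the check itself is unchanged.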