On 05/23/2014 12:28 PM, PAL 18 wrote:
Can you share the script you've made?
Ideally, OSSEC would have a fancy update daemon that was responsible for
this and rules/decoders, but it's only been talked about so far.
I have a script which downloads from several sources and compiles into
CDB lists. I haven't shared it because I don't want to put it into
contrib and then have someone's personal site hammered with lots of
OSSEC users. But I can send it to you privately if you like.
Btw, I am not entirely convinced that it works to update a CDB list
without restarting OSSEC. It's supposed to, but I saw some strange
things I have yet to look into.
At any rate, I maintain a doc of lists I have found here:
https://docs.google.com/document/d/1sAI8-_kAP02IpLCYeRnoI4ZV6a3VnWeItR2SdbUb_Ps/edit?usp=sharing
It hasn't been updated in awhile, so comment in the doc if I should add
something.
One final note: Use this info in rules wisely. Just because someone
connects to you from, say, a Tor IP, it might not be an indicator of
concern. You really need to look at this stuff in context.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
