On Sun, Mar 29, 2015 at 7:31 AM, DefensiveDepth <[email protected]> wrote:
> @dan
>
> How does the project typically like to see pull requests with custom
> decoders and/or rulesets?
>
> ie drop the new decoder in /etc/decoder.xml & create a new rules file
> under etc/rules/ ?
>
That should be fine. Or if the rules fit into one of the other categories, you can add them to the existing files. Once the pull request is up we can either guide you better, or massage the rules once they're committed.

It'd also be very helpful if you could provide sample logs to go with the rules and decoders. If you can add tests to contrib/ossec-testing/tests it would also be super helpful. I think the format is mostly self-explanatory, but please ask if I'm mistaken.

> -Josh
>
> On Friday, March 27, 2015 at 9:32:18 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 27, 2015 at 9:27 AM, DefensiveDepth <[email protected]> wrote:
>> > Newly published paper: Using Sysmon to Enrich Security Onion's
>> > Host-Level Capabilities
>> >
>> > Of particular note, I wrote an OSSEC decoder and a number of rules for
>> > Sysmon Event ID 1: Process Created...
>> >
>> > They can be found on Github... Feel free to tweak, contribute back,
>> > send feedback, etc
>> >
>>
>> If you want to contribute them, we do enjoy pull requests.
>>
>> > Keep in mind that there may be issues with the current stable release
>> > (2.8) as the <eventchannel> bug is unfixed--
>> >
>> > I believe the bug fix is slated to be released with
>> > 2.9...(https://github.com/ossec/ossec-hids/issues/224)
>> >
>> > -Josh
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it,
>> > send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
