Interesting thread. lately I'm using Amazon EC2 Rules <https://github.com/wazuh/ossec-rules/tree/master/rules-decoders/amazon-ec2>, I feel them really useful and you can find more rules for Amazon in the linked repository. Also, you can find interesting this script <http://blog.wazuh.com/keep-your-ruleset-updated-automatically/>to update your rules automatically.
I would like to know what rules are you missing in OSSEC. Regards. Jesus Linares. On Monday, April 25, 2016 at 12:20:50 AM UTC+2, theresa mic-snare wrote: > > 1002 ;)))))) > > Am Freitag, 22. April 2016 19:07:32 UTC+2 schrieb [email protected]: >> >> These worked great, just wondering if you have any updates. >> >> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: >>> >>> Good thread idea. I’ve copied a few Windows-centric rules below. Some of >>> the rules that lean heavily on <match> could no doubt be improved, but they >>> don’t bother me with false positives or performance issues in my small >>> environment, so I don’t worry about it. YMMV. I also have some decoders and >>> rules for Cowrie honeypots, but intend to polish those up and submit a pull >>> request for those one of these days. If anyone is interested in testing >>> them though, I could send those off list. >>> >>> >>> >>> <rule id="100006" level="8"> >>> >>> <if_sid>594</if_sid> >>> >>> <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match> >>> >>> <description>A change has been made to the software that >>> automatically runs at startup.</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100010" level="7"> >>> >>> <if_sid>18103</if_sid> >>> >>> <match>Length specified in network packet</match> >>> >>> <description>Somebody is sending malformed data to your SQL >>> Server. You should probably investigate.</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100011" level="10"> >>> >>> <if_sid>18101</if_sid> >>> >>> <match>PSEXESVC|PsExec</match> >>> >>> <description>Remote access via PSEXEC. If this wasn't initiated >>> by you, then you've got a problem.</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100013" level="8"> >>> >>> <if_sid>18102</if_sid> >>> >>> <id>^2004$</id> >>> >>> <match>diagnosed</match> >>> >>> <description>There's a problem with abnormal memory usage on >>> this system! Please investigate the indicated processes.</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100014" level="7"> >>> >>> <if_sid>18104</if_sid> >>> >>> <id>4698</id> >>> >>> <description>A scheduled task has been created on this machine. >>> Please review.</description> >>> >>> <info>Requires group policy modification to the Advanced >>> Security Audit policy/Audit Other Object Access Events. See: >>> https://technet.microsoft.com/en-us/library/dn319119.aspx</info> >>> >>> </rule> >>> >>> >>> >>> <rule id="100016" level="1"> >>> >>> <if_sid>18103</if_sid> >>> >>> <id>36874|36888</id> >>> >>> <group>recon_ssl,</group> >>> >>> <description>Add Schannel errors to the custom recon_ssl >>> group</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800"> >>> >>> <if_matched_group>recon_ssl</if_matched_group> >>> >>> <description>There have been over 40 SSL cipher suite probes in >>> the last two minutes. Someone may be performing reconnaissance on your >>> servers, assessing whether one of your SSL-enabled services is vulnerable >>> to exploits.</description> >>> >>> <info>Unfortunately, Schannel errors are of limited usefulness. >>> They occur without any indication of which IP address caused them, so >>> consulting contextual log info or firewall logs is the only way to track >>> down who is responsible.</info> >>> >>> </rule> >>> >>> >>> >>> <rule id="100022" level="7"> >>> >>> <if_sid>18103</if_sid> >>> >>> <id>^1000$|^1002$|^7023$|^7034$</id> >>> >>> <!--<match>Fault|terminate</match>--> >>> >>> <description>A program or service has crashed. Investigate as >>> appropriate.</description> >>> >>> </rule> >>> >>> >>> >>> <rule id="100026" level="7"> >>> >>> <if_sid>18101</if_sid> >>> >>> <id>^7045$</id> >>> >>> <description>A new service has been installed on this >>> computer.</description> >>> >>> </rule> >>> >>> >>> >>> *From:* [email protected] [mailto:[email protected]] *On >>> Behalf Of *[email protected] >>> *Sent:* Thursday, March 3, 2016 6:35 AM >>> *To:* ossec-list <[email protected]> >>> *Subject:* [ossec-list] What's your favorite rules? >>> >>> >>> >>> I'm wondering what everyone's favorite rules are. >>> >>> >>> >>> I'm trying to come up with some new rules to tighten security, so I >>> would like to hear (and see code snippets) or folks favorites, and what >>> they are designed to detect. I.E. detect commands run, look for certain >>> IOC's and so on. I'm impressed with how much OSSEC does out of box too! >>> >>> >>> >>> Thanks! >>> >>> >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
