On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz <[email protected]> wrote:
> Thanks I found the link earlier on.
>
> I have read through the document but I am not sure how to do the tests
> (using Ubuntu 14.04 LTS).
> I have downloaded the OSSEC version that we are using (2.8.2):
> wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
>
> I have unpacked the tarball, moved the ossec-testing directory that was in
> the tarball to /var/ossec/contrib, and then changed my working directory to
> that directory.
> I have started the tests by executing as root:
> python runtests.py
>
> I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts going
> off there.
>

It does not create alerts. It uses ossec-logtest to see if the log
messages produce the expected result. If you do not see ossec-logtest
output, everything is working as expected.

> Also, in my ossec-testing/tests directory I can only see two test files:
> named.ini
> sshd.ini
>
> Should there not be more? As in as many as the number of rules files.
> I am just not sure how to run the runtests.py and have more .ini test files
> and have the alerts showing in /var/ossec/logs/alerts/alerts.log.

Should there be more? Of course. But these tests aren't free. They take
time and effort. Looks like there's 25 in the current development
source, but they're underpopulated. I'm guessing I just hadn't done
much with them back when 2.8.2 was finalized. It's a semi-new feature
that I only recently began to properly appreciate.

If you want more tests, I can think of 3 options:
1. Do the work yourself. (and consider contributing back if you do)
2. Provide me with log samples.
3. Provide me with time.

> Cheers,
> Tahir
>
> On Tuesday, 24 May 2016 16:47:12 UTC+1, dan (ddpbsd) wrote:
>>
>> On Tue, May 24, 2016 at 11:33 AM, Tahir Hafiz <[email protected]> wrote:
>> > Hi Dan,
>> >
>> > Is there any documentation as to how to set-up and run the tests?
>> > Where can I find said documentation?
>> >
>>
>> https://ossec.github.io/docs/development/build/test-rules.html?highlight=runtests
>>
>> > Cheers,
>> > Tahir
>> >
>> > On Tuesday, 24 May 2016 13:55:58 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, May 24, 2016 at 5:50 AM, Tahir Hafiz <[email protected]>
>> >> wrote:
>> >> > Dear All,
>> >> >
>> >> > Is there a test suite available which can be used to test a fully
>> >> > functioning OSSEC server/client installation?
>> >> > I am looking to test the rule sets systematically, I know I can
>> >> > modify a
>> >> > system file and it will alert etc, but I am looking for a more
>> >> > automated
>> >> > test suite and methods across the rule sets.
>> >> >
>> >>
>> >> In the source tarball, there is contrib/ossec-testing. The
>> >> run-tests.py file uses the information in tests/*.ini to check rules.
>> >> It'll require some setup, and plenty of log samples. There aren't a
>> >> lot of tests in there currently, but I try to keep it updated when I
>> >> see interesting log samples.
>> >> It's not perfect, but it can help find some issues.
>> >>
>> >> > Thank you,
>> >> > Tahir

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
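
An added illustration, not part of the thread and not the project's runtests.py, of the kind of check the reply describes: compare what ossec-logtest reports for a log line with the decoder, rule id and level a test expects, and stay silent when they match. The .ini layout and key names, the log line and the ossec-logtest style output are all constructed assumptions for this example.

```python
import configparser
import re

# Constructed test definitions; section and key names are assumptions.
TEST_INI = """
[sshd-invalid-user]
log = May 24 12:44:01 host sshd[1234]: Invalid user admin from 192.0.2.10
decoder = sshd
rule = 5710
alert = 5

[sshd-wrong-level]
log = May 24 12:44:01 host sshd[1234]: Invalid user admin from 192.0.2.10
decoder = sshd
rule = 5710
alert = 10
"""

# Constructed sample of ossec-logtest style output for the log line above.
SAMPLE_OUTPUT = """**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '192.0.2.10'
**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
"""

PATTERNS = {"decoder": r"^\s*decoder: '([^']*)'",
            "rule": r"^\s*Rule id: '(\d+)'",
            "alert": r"^\s*Level: '(\d+)'"}

def parse_logtest(output):
    """Extract decoder, rule id and level from ossec-logtest style text."""
    found = {k: re.search(p, output, re.MULTILINE) for k, p in PATTERNS.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def check_tests(ini_text, run_logtest):
    """Return (test, field, expected, actual) for every mismatch; [] means pass."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    failures = []
    for name in cfg.sections():
        actual = parse_logtest(run_logtest(cfg[name]["log"]))
        for field in PATTERNS:
            if actual[field] != cfg[name][field]:
                failures.append((name, field, cfg[name][field], actual[field]))
    return failures

if __name__ == "__main__":
    # run_logtest is stubbed with the constructed output so this runs offline.
    for failure in check_tests(TEST_INI, lambda log: SAMPLE_OUTPUT):
        print("FAIL: %s %s expected %s got %s" % failure)
```

On a real server, replace the stub with a callable that feeds the log line to ossec-logtest and returns its output.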
