Thanks but I think this is not quite what I am after as this seems more 
like a log parser tool. 
I think what I am looking for is an "automated intruder" tool, like a 
script that can be run which will cause alerts to happen at the various 
OSSEC alert levels from 0 to 16. 

I will see if a Google search or two can find me an automated intruder tool.

Cheers,
Tahir



On Tuesday, 24 May 2016 18:15:42 UTC+1, dan (ddpbsd) wrote:
>
> On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz <[email protected]> wrote:
> > Thanks I found the link earlier on. 
> > 
> > I have read through the document but I am not sure how to do the tests 
> > (using Ubuntu 14.04 LTS). 
> > I have downloaded the OSSEC version that we are using (2.8.2): 
> > wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz 
> > 
> > I have unpacked the tarball, moved the ossec-testing directory that was in
> > the tarball to /var/ossec/contrib, and then changed my working directory to
> > that directory.
> > I have started the tests by executing as root: 
> > python runtests.py 
> > 
> > I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts going
> > off there.
> > 
>
> It does not create alerts. It uses ossec-logtest to see if the log 
> messages produce the expected result. 
> If you do not see ossec-logtest output, everything is working as expected. 
>
> > Also, in my ossec-testing/tests directory I can only see two test files: 
> > named.ini 
> > sshd.ini 
> > 
> > Should there not be more? As in as many as the number of rules files. 
> > I am just not sure how to run the runtests.py and have more .ini test files
> > and have the alerts showing in /var/ossec/logs/alerts/alerts.log.
> > 
>
> Should there be more? Of course. But these tests aren't free. They take
> time and effort.
>
> Looks like there's 25 in the current development source, but they're 
> underpopulated. 
> I'm guessing I just hadn't done much with them back when 2.8.2 was 
> finalized. It's a semi-new feature 
> that I only recently began to properly appreciate. 
>
> If you want more tests, I can think of 3 options: 
> 1. Do the work yourself. (and consider contributing back if you do) 
> 2. Provide me with log samples. 
> 3. Provide me with time. 
>
>
> > Cheers, 
> > Tahir 
> > 
> > On Tuesday, 24 May 2016 16:47:12 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, May 24, 2016 at 11:33 AM, Tahir Hafiz <[email protected]> wrote:
> >> > Hi Dan, 
> >> > 
> >> > Is there any documentation as to how to set-up and run the tests? 
> >> > Where can I find said documentation? 
> >> > 
> >>
> >> https://ossec.github.io/docs/development/build/test-rules.html?highlight=runtests
> >>
> >> > Cheers, 
> >> > Tahir 
> >> > 
> >> > 
> >> > On Tuesday, 24 May 2016 13:55:58 UTC+1, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Tue, May 24, 2016 at 5:50 AM, Tahir Hafiz <[email protected]> 
> >> >> wrote: 
> >> >> > Dear All, 
> >> >> > 
> >> >> > Is there a test suite available which can be used to test a fully 
> >> >> > functioning OSSEC server/client installation? 
> >> >> > I am looking to test the rule sets systematically, I know I can 
> >> >> > modify a 
> >> >> > system file and it will alert etc, but I am looking for a more 
> >> >> > automated 
> >> >> > test suite and methods across the rule sets. 
> >> >> > 
> >> >> 
> >> >> In the source tarball, there is contrib/ossec-testing. The
> >> >> run-tests.py file uses the information in tests/*.ini to check rules.
> >> >> It'll require some setup, and plenty of log samples. There aren't a 
> >> >> lot of tests in there currently, but I try to keep it updated when I 
> >> >> see interesting log samples. 
> >> >> It's not perfect, but it can help find some issues. 
> >> >> 
> >> >> > Thank you, 
> >> >> > Tahir 
> >> >> > 
> >> > 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
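
The check described in the thread (ossec-logtest evaluating a log sample against an expected rule, without creating alerts) can be sketched as follows. This is an added example, not part of the thread and not the project's runtests.py; the install path, the sample log line, the sample output and the helper names are constructed assumptions.

```python
import re
import subprocess

LOGTEST = "/var/ossec/bin/ossec-logtest"  # assumed default install path

# Constructed sample of ossec-logtest output for one sshd log line (illustrative values).
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'May 24 12:00:01 host1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2'
       hostname: 'host1'
       program_name: 'sshd'
       log: 'Failed password for root from 192.0.2.10 port 4242 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
       Description: 'SSHD authentication failed.'
**Alert to be generated.
"""

_FIELD = re.compile(r"^\s*(decoder|Rule id|Level):\s*'(.*)'\s*$", re.M)

def parse_logtest(output):
    """Pull decoder, rule id, level and the alert marker out of logtest output."""
    found = dict(_FIELD.findall(output))
    return {
        "decoder": found.get("decoder"),
        "rule": found.get("Rule id"),
        "level": int(found["Level"]) if "Level" in found else None,
        "alert": "**Alert to be generated." in output,
    }

def run_logtest(log_line):
    """Feed one log line to ossec-logtest on an OSSEC host and return its output."""
    proc = subprocess.run([LOGTEST], input=log_line + "\n", text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.stdout

def check(expected, output):
    """Return mismatches between the expected fields and what logtest reported."""
    got = parse_logtest(output)
    return [f"{k}: expected {v!r}, got {got.get(k)!r}"
            for k, v in expected.items() if got.get(k) != v]

if __name__ == "__main__":
    # Offline demo against the constructed sample; on a real host use run_logtest(line).
    print(check({"decoder": "sshd", "rule": "5716", "level": 5}, SAMPLE_OUTPUT) or "ok")
```

An empty list from `check` means the sample decoded and matched as expected; each string in a non-empty list names one field that drifted, which is the signal to look for after a rule or decoder change.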
