Hi Matthew,

I just remembered that the script only works with the new release of Wazuh. 
Anyway, you can do it manually:

   1. Backup your current installation.
   2. Copy ossec-rules/decoders/ to /var/ossec/etc/decoders.
   3. Copy ossec-rules/rules/ to /var/ossec/rules.
   4. Copy ossec-rules/rootchecks to /var/ossec/etc/shared.
   5. Use this configuration <https://github.com/wazuh/ossec-rules/blob/master/rules/rules.template> in your ossec.conf (if you do not use *local_decoder.xml*, you can remove that line).
   6. Restart OSSEC. You will see some errors (some rules/decoders are not compatible). So, replace the "no compatible rules" with the backup rules.

Of course, you can do the "same" procedure from OSSEC-HIDS but Wazuh is 
doing a great effort to centralize, test and maintain decoders and rules 
submitted by Open Source contributors and create new ones.

Regards.

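The manual procedure above, written out as a small POSIX shell script. This is an added example and not a script from the thread or from the wazuh/ossec-rules repository; it assumes the paths given in the steps (an ossec-rules checkout in $SRC, OSSEC installed under $OSSEC_DIR, default /var/ossec) and that the installation ships the standard ossec-control and ossec-logtest binaries. The backup directory, the --apply flag and the function names are this example's own choices. Step 5 (the rules.template block in ossec.conf) is a manual edit and is only noted in a comment.

```shell
#!/bin/sh
# Install the Wazuh ruleset into an existing OSSEC tree, keeping a backup
# so that any rule or decoder file that fails to load can be put back.
# Assumed layout (not from the thread): $SRC is an ossec-rules checkout,
# $OSSEC_DIR is the OSSEC install, $BACKUP receives the pre-update copies.
set -eu

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
SRC="${SRC:-./ossec-rules}"
BACKUP="${BACKUP:-/tmp/ossec-ruleset-backup-$(date +%Y%m%d%H%M%S)}"

backup_ossec() {
    # Step 1: copy decoders, rules and shared files before anything is overwritten.
    mkdir -p "$BACKUP"
    for d in etc/decoders rules etc/shared; do
        [ -d "$OSSEC_DIR/$d" ] || continue
        mkdir -p "$BACKUP/$d"
        cp -R "$OSSEC_DIR/$d/." "$BACKUP/$d/"
    done
}

install_ruleset() {
    # Steps 2-4: decoders -> etc/decoders, rules -> rules, rootchecks -> etc/shared.
    # Existing files with the same name are overwritten; the backup keeps the old copy.
    mkdir -p "$OSSEC_DIR/etc/decoders" "$OSSEC_DIR/rules" "$OSSEC_DIR/etc/shared"
    cp -R "$SRC/decoders/." "$OSSEC_DIR/etc/decoders/"
    cp -R "$SRC/rules/." "$OSSEC_DIR/rules/"
    cp -R "$SRC/rootchecks/." "$OSSEC_DIR/etc/shared/"
    # Step 5 is manual: paste the <rules>/<decoder> block from rules.template
    # into $OSSEC_DIR/etc/ossec.conf (drop the local_decoder.xml line if unused).
}

check_ruleset() {
    # Before restarting, let ossec-logtest load every decoder and rule file;
    # incompatible files show up as load errors on stderr (an empty line is
    # fed on stdin so the tool exits instead of waiting for log input).
    if [ -x "$OSSEC_DIR/bin/ossec-logtest" ]; then
        printf '\n' | "$OSSEC_DIR/bin/ossec-logtest" 2>&1 | grep -i 'error' || true
    fi
}

restore_rule() {
    # Step 6: a file that does not load on this OSSEC version is replaced by
    # its backup copy. $1 is relative to $OSSEC_DIR, e.g. rules/ssh_rules.xml.
    if [ -f "$BACKUP/$1" ]; then
        cp "$BACKUP/$1" "$OSSEC_DIR/$1"
        return 0
    fi
    echo "no backup copy for $1" >&2
    return 1
}

restart_ossec() {
    # Step 6: restart the daemons so the new rules are loaded.
    if [ -x "$OSSEC_DIR/bin/ossec-control" ]; then
        "$OSSEC_DIR/bin/ossec-control" restart
    fi
}

# Only act on a real installation when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    backup_ossec
    install_ruleset
    check_ruleset
    restart_ossec
    echo "backup kept in $BACKUP"
fi
```

Run it as `OSSEC_DIR=/var/ossec SRC=/path/to/ossec-rules sh update_ruleset.sh --apply`; for each file reported by the load check, call `restore_rule rules/<file>.xml` (or `etc/decoders/<file>.xml`) with the same environment variables set, then restart again.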

On Friday, November 4, 2016 at 9:43:58 AM UTC+1, Jesus Linares wrote:
>
> Hi Matthew,
>
> Wazuh has a repository <https://github.com/wazuh/ossec-rules> for 
> decoders, rules, rootchecks, etc. Almost all decoders/rules should work in 
> every OSSEC version, except some of them that use new features. I recommend 
> you create a backup of OSSEC, then update the rules using the script 
> <https://github.com/wazuh/ossec-rules/blob/master/ossec_ruleset.py>. Some 
> rules will be failing, so replace them with the proper backup. In this way 
> you will have the most up-to-date "signatures".
>
> Regards.
>
> On Wednesday, November 2, 2016 at 5:03:51 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Nov 2, 2016 at 12:00 PM, Matthew Casperson 
>> <matthews...@gmail.com> wrote: 
>> > I've been trying to track down where it details how often signatures are 
>> > updated for OSSEC. Are new signatures part of each version? E.g. if I am 
>> > on 2.8.2 and want to have the most up-to-date signatures, would I have to 
>> > upgrade to the current version of OSSEC, or are signatures updated 
>> > independent of new version releases? Help greatly appreciated. 
>> > 
>>
>> The rules are currently updated with releases. 
>>
>> > Matt 
>> > 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.