hi pedro

good news with "dynamic fields" Thanks i didn't notice that

> I am feeling curious about the botnet issue, please feel free to explain in
> detail your botnet issue and maybe we can help, it seems interesting :P, you
> mention there is a limit of the decoders fields in your case, what do you need
> to extract ? are you using active response ?

yes we used AR

an example of the botnet we saw:

XX.XX.XX.X1 - - [30/Jan/2017:17:32:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X2 - - [30/Jan/2017:17:35:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X3 - - [30/Jan/2017:17:37:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X4 - - [30/Jan/2017:17:38:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X5 - - [30/Jan/2017:17:40:27 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X6 - - [30/Jan/2017:17:41:10 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X7 - - [30/Jan/2017:17:45:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
XX.XX.XX.X8 - - [30/Jan/2017:19:14:31 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Same size response or useragent, everything else is different except url

Thanks
best regards

----- Original Message -----
From: "Pedro S" <[email protected]>
To: "ossec-list" <[email protected]>
Cc: [email protected]
Sent: Wednesday 1 February 2017 13:50:05
Subject: Re: [ossec-list] Regular OSSEC vs OSSEC Wazuh

Hi, Philip,

Wazuh still supports CEF format, it integrates all the functionality from OSSEC 2.8.3 and 2.9beta, I am pretty sure you will be able to integrate Wazuh with your current Graylog instance, same way you can do it with OSSEC.

Regarding the ruleset, the last version of the Wazuh rules is not totally compatible with OSSEC 2.8.3 because of the "dynamic fields"; this new functionality allows us to extract as many fields as we want in the decoders, so we are not limited to the static ones "srcip, srcport, extra_data..", moreover you will be able to use those fields later when creating rules ( I would recommend you to take a look at the Changelog ). If the decoders do not contain any dynamic field, you could use them on your standard OSSEC.

I don't have any experience with Graylog, but I can see how it could ingest data in JSON format ( http://docs.graylog.org/en/2.1/pages/extractors.html#using-the-json-extractor ) maybe you can use JSON output, that could be an amazing improvement for your architecture.

I am feeling curious about the botnet issue, please feel free to explain in detail your botnet issue and maybe we can help, it seems interesting :P, you mention there is a limit of the decoders fields in your case, what do you need to extract ? are you using active response ?

Kind regards,
Pedro Sanchez.

On Tuesday, January 31, 2017 at 11:22:31 AM UTC+1, [email protected] wrote:

hi

Wazuh has rules update and a nice integration of PCI DSS compliance. More and more Wazuh is different from ossec, but i think they contribute on it too.
I'm still using ossec with our ELK, but ELK is a pain in the ass to upgrade, so i think graylog is better for searching logs.
there is siemonster that integrates ossec/wazuh too, great job but still a bit disappointing.
I really hope Ossec will still have improvement, this is a great tool, but i can only debug for helping.
The problem we face now, is botnets using a different ip each for brute forcing.. that is a limit of the decoder checking only url/ip/etc..
There is a big step between HIDS and SIEM and the cost
For us, Ossec needs better reporting and correlation

----- Original Message -----
From: "Philip Alexander" <[email protected]>
To: "ossec-list" <[email protected]>
Sent: Monday 30 January 2017 19:05:50
Subject: [ossec-list] Regular OSSEC vs OSSEC Wazuh

I intend to set up OSSEC and noticed there seem to be two main flavours: regular OSSEC and Wazuh fork.

From what I've been able to gather, the main advantages of Wazuh are:
* its ability to integrate with ELK
* an improved ruleset
* restful API

I have no interest in using ELK for this project, but we already have a preexisting graylog instance that I'd like to hook up with OSSEC, which should be possible in regular OSSEC using syslog cef format, according to this: https://github.com/Graylog2/graylog-guide-ossec . I assume I can still use the improved ruleset even if I run regular OSSEC, at least I haven't seen anything that indicates otherwise. As for the restful API, I'm still very inexperienced and I've only recently heard about REST - I don't even know how I would begin putting it to use - so I'm not sure if I should use the Wazuh fork just for that.

The objective is to run OSSEC agents on the machines in our cloud environment and point them to an OSSEC Server in a machine that's already being used for log management and monitoring on the same network.

Are there any other advantages to running Wazuh instead of regular OSSEC? Is there much of a performance difference? Anything else I should take into consideration?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
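The pattern in the log lines quoted at the top of the thread (a different source IP every time, but identical method, URL, status, response size and user agent) is exactly what a decoder keyed only on srcip cannot correlate, and what extracting extra fields makes possible. The following is an added example, not code from the thread, from OSSEC or from Wazuh: it parses Apache combined-format lines, fingerprints each request on everything except the source IP, and raises one alert when the number of distinct IPs sharing a fingerprint inside a sliding window crosses a threshold. The sample lines are constructed (RFC 5737 documentation addresses, timestamps borrowed from the thread), and the 15-minute window and the threshold of 5 distinct IPs are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: the eight xmlrpc.php POSTs from the thread with
# placeholder addresses, plus two unrelated requests that must not be grouped
# with them (different URL, size or user agent).
SAMPLE_LOG = """\
198.51.100.11 - - [30/Jan/2017:17:32:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.5 - - [30/Jan/2017:17:33:00 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.50.1"
198.51.100.12 - - [30/Jan/2017:17:35:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.5 - - [30/Jan/2017:17:36:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "WordPress/4.7; https://example.org"
198.51.100.13 - - [30/Jan/2017:17:37:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.14 - - [30/Jan/2017:17:38:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.15 - - [30/Jan/2017:17:40:27 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.16 - - [30/Jan/2017:17:41:10 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.17 - - [30/Jan/2017:17:45:26 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.18 - - [30/Jan/2017:19:14:31 +0100] "POST /xmlrpc.php HTTP/1.1" 200 605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
"""

# Apache "combined" log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["size"] = None if ev["size"] == "-" else int(ev["size"])
    return ev


def fingerprint(ev):
    """Everything that stayed constant across the thread's lines; srcip is deliberately excluded."""
    return (ev["method"], ev["url"], ev["status"], ev["size"], ev["ua"])


def detect(lines, window_seconds=900, min_distinct_ips=5):
    """Alert once per fingerprint when >= min_distinct_ips sources share it within the window.

    The alert is re-armed when the distinct-IP count falls back below the
    threshold, so a long campaign produces one alert per episode, not one per hit.
    """
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # sliding window assumes time order
    recent = defaultdict(deque)           # fingerprint -> deque of (ts, srcip), oldest first
    alerted = set()                       # fingerprints currently above threshold
    alerts = []
    for ev in events:
        key = fingerprint(ev)
        q = recent[key]
        q.append((ev["ts"], ev["srcip"]))
        cutoff = ev["ts"].timestamp() - window_seconds
        while q and q[0][0].timestamp() < cutoff:  # drop hits older than the window
            q.popleft()
        distinct = {ip for _, ip in q}
        if len(distinct) >= min_distinct_ips:
            if key not in alerted:
                alerted.add(key)
                alerts.append({
                    "first_seen": q[0][0].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                    "method": ev["method"],
                    "url": ev["url"],
                    "status": ev["status"],
                    "size": ev["size"],
                    "user_agent": ev["ua"],
                    "distinct_ips": len(distinct),
                    "srcips": sorted(distinct),
                })
        else:
            alerted.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample input the single alert fires at the fifth distinct address (17:40:27); the sixth and seventh hits extend the same episode without re-alerting, and the isolated request at 19:14:31 falls outside the window and resets the state. Per-IP blocking through active response, as mentioned in the thread, never sees this pattern because each address appears only once; feeding the fingerprint fields (size, user agent, URL) into a correlation rule is what makes it visible.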
