Hi, I am a total newb to ossec so I apologize ahead of time. I have been tasked to see if OSSEC can be leveraged to alert on TLS version used for connections on a given instance/vm/computer.
So far I know that if I have a scanner (custom script) write to a log, and have that log file configured in ossec.conf (as well as a rule in the corresponding rule XML file), an alert will generate. Example:

** Alert 1525474620.36076: mail - syslog,yum,
2018 May 04 22:57:00 ip-10-0-5-117->/var/log/test
Rule: 2946 (level 12) -> 'Need to upgrade TLS version'
May 4 22:50:13 ip-10-0-5-117 tlsd: bad : Found TLS version Lower than V1.2

My question is: is there a way for OSSEC to actually run the script that does the check, instead of just parsing logs after it is executed externally (cron)? My research keeps bringing me back to executing scripts in response to an event (active response), but I want the inverse: a script executed to check whether we have a violation. Or please let me know if I am overthinking this and OSSEC can inherently check for a connection using a TLS version lower than 1.2 and alert. I appreciate any help!

DG

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
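The two wirings the post is weighing, as an added configuration example (not from the original post or from the OSSEC project): the log-file path the poster already has working, and OSSEC's command monitoring, where logcollector runs a command itself on a schedule and feeds each output line through the rule engine as a log entry prefixed `ossec: output: '<command>': `. The scanner path /usr/local/bin/check_tls.sh, its hourly frequency and the rule IDs are assumptions; the only fixed points are the log path, program name and message text shown in the alert above, the built-in rule 530 (the level-0 parent for all `ossec: output:` events), and the 100000-119999 range OSSEC reserves for user rules.

```xml
<!-- ossec.conf fragment (added example). Assumes a hypothetical scanner at
     /usr/local/bin/check_tls.sh that prints one line per finding, using the
     same wording as the cron-written log in the post. -->
<ossec_config>
  <!-- Option A: what the post already does. A cron job runs the scanner,
       the scanner appends to /var/log/test, OSSEC tails the file. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/test</location>
  </localfile>

  <!-- Option B: OSSEC runs the check itself. Every <frequency> seconds
       (3600 here is an assumption) logcollector executes the command and
       turns each line of stdout into an event of the form
         ossec: output: '/usr/local/bin/check_tls.sh': <line>
       Use <log_format>full_command</log_format> instead if the whole
       output should be one event rather than one per line. -->
  <localfile>
    <log_format>command</log_format>
    <command>/usr/local/bin/check_tls.sh</command>
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- local_rules.xml fragment (added example). IDs are taken from the
     100000-119999 range reserved for user rules; 2946 from the post's
     alert sits inside a range shipped with OSSEC. -->
<group name="local,tls,">
  <!-- Option A: match the syslog line written by the cron job. The
       syslog decoder exposes the program name ("tlsd" in the post). -->
  <rule id="100100" level="12">
    <program_name>tlsd</program_name>
    <match>Found TLS version Lower than V1.2</match>
    <description>Need to upgrade TLS version (log file check)</description>
  </rule>

  <!-- Option B: match the same finding when it arrives as command
       output. Rule 530 is OSSEC's built-in parent for "ossec: output:". -->
  <rule id="100101" level="12">
    <if_sid>530</if_sid>
    <match>ossec: output: '/usr/local/bin/check_tls.sh': </match>
    <regex>Found TLS version Lower than V1.2</regex>
    <description>Need to upgrade TLS version (command check)</description>
  </rule>
</group>
```

Either option gives the same alert level; the difference is who owns the schedule. With option B the cron entry and the intermediate log file go away, and the check runs under the OSSEC agent's own user, so the scanner must not need privileges that user lacks. Run `/var/ossec/bin/ossec-logtest` and paste a constructed line such as `ossec: output: '/usr/local/bin/check_tls.sh': bad : Found TLS version Lower than V1.2` to confirm rule 100101 fires before restarting the agent.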
