Easiest is to write a local rule using the Match directive.

Example:

<Match>Found TLS version Lower than V1.2</Match>

You can use ossec-logtest to verify the results.

Was it helpful?

On Friday, May 4, 2018 at 7:23:08 PM UTC-4, DG wrote:
> Hi,
>
> I am a total newb to ossec so I apologize ahead of time. I have been
> tasked to see if OSSEC can be leveraged to alert on TLS version used for
> connections on a given instance/vm/computer.
>
> So far I know if I have a scanner (custom script) write to a log, have
> that log file configured in ossec.conf (as well as a rule in the
> corresponding rule xml file) an alert will generate.
>
> Example:
> ** Alert 1525474620.36076: mail - syslog,yum,
> 2018 May 04 22:57:00 ip-10-0-5-117->/var/log/test
> Rule: 2946 (level 12) -> 'Need to upgrade TLS version'
> May 4 22:50:13 ip-10-0-5-117 tlsd: bad : Found TLS version Lower than V1.2
>
> My question is, is there a way for ossec to actually run the script that does
> the check instead of just parsing logs after it is executed externally
> (cron)? My research seems to keep bringing me back to executing scripts in
> response to an event (active response) but I want the inverse; script
> executed to check if we have a violation.
>
> Or please let me know if I am overthinking this and ossec can inherently
> check for a connection using TLS version lower than 1.2 and alert.
>
> I appreciate any help!
>
> DG
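As an added example (not the reply author's own configuration), a complete local rule of the kind the reply describes, written for /var/ossec/rules/local_rules.xml; the rule id 100100 and the group name are assumptions, while the match string, the program name tlsd and level 12 are taken from DG's alert:

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; not from the original thread) -->
<group name="local,tls,">
  <!-- Rule id 100100 is an assumption; OSSEC reserves 100000-119999 for local rules. -->
  <rule id="100100" level="12">
    <!-- Restrict the rule to lines whose syslog program name is the scanner (tlsd in DG's log). -->
    <program_name>tlsd</program_name>
    <!-- Literal substring match against the scanner's output, as in the reply. -->
    <match>Found TLS version Lower than V1.2</match>
    <description>Need to upgrade TLS version</description>
  </rule>
</group>
```

Pipe DG's log line into /var/ossec/bin/ossec-logtest on the manager and confirm the output reports rule 100100 firing at level 12 before restarting OSSEC; local_rules.xml is included from ossec.conf's rules section by default, so no further include is needed.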
