Thanks Bill. This makes complete sense. In fact it is something I had tested (searching through log for a match). I was curious if there is a way to have OSSEC perform TLS version checks rather than introducing a script/program that looks for TLS, writes to a log and then have OSSEC parse through the logs for a word match.
In other words, just like OSSEC can check file integrity/host intrusion, can it check for TLS version as part of a system check?

On Monday, May 7, 2018 at 5:53:25 AM UTC-7, Bill Price wrote:
>
> Easiest is to write a local rule using the Match directive. Example:
>
> <Match>Found TLS version Lower than V1.2</Match>
>
> You can use ossec-logtest to verify the results.
>
> Was it helpful?
>
>
> On Friday, May 4, 2018 at 7:23:08 PM UTC-4, DG wrote:
>>
>> Hi,
>>
>> I am a total newb to OSSEC so I apologize ahead of time. I have been
>> tasked to see if OSSEC can be leveraged to alert on the TLS version used for
>> connections on a given instance/vm/computer.
>>
>> So far I know that if I have a scanner (custom script) write to a log, and have
>> that log file configured in ossec.conf (as well as a rule in the
>> corresponding rule xml file), an alert will generate.
>>
>> Example:
>> ** Alert 1525474620.36076: mail - syslog,yum,
>> 2018 May 04 22:57:00 ip-10-0-5-117->/var/log/test
>> Rule: 2946 (level 12) -> 'Need to upgrade TLS version'
>> May 4 22:50:13 ip-10-0-5-117 tlsd: bad : Found TLS version Lower than V1.2
>>
>> My question is: is there a way for OSSEC to actually run the script that does
>> the check instead of just parsing logs after it is executed externally
>> (cron)? My research seems to keep bringing me back to executing scripts in
>> response to an event (active response), but I want the inverse: a script
>> executed to check if we have a violation.
>>
>> Or please let me know if I am overthinking this and OSSEC can inherently
>> check for a connection using a TLS version lower than 1.2 and alert.
>>
>> I appreciate any help!
>>
>> DG
>>
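The local rule Bill describes, written out as an added example that is not part of this thread. The log path, level 12, description and match string are taken from the alert DG posted; the rule id 100100, the group name, and the use of `program_name` (which relies on OSSEC's syslog decoder picking up `tlsd` from the log line) are assumptions. The block shows two files, each introduced by a comment.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): point OSSEC at the log the scanner writes.
     /var/log/test is the path from DG's alert; log_format syslog assumes the scanner
     writes syslog-style lines ("May  4 22:50:13 host tlsd: ..."). -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/test</location>
  </localfile>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: the rule itself.
     Rule id 100100 is an assumption; ids 100000-119999 are reserved for local rules
     so it will not collide with shipped rules such as the 2946 seen in DG's output. -->
<group name="local,tls,">
  <rule id="100100" level="12">
    <!-- restrict the rule to lines the syslog decoder attributes to the "tlsd" program -->
    <program_name>tlsd</program_name>
    <!-- literal, case-sensitive substring match on the scanner's message -->
    <match>Found TLS version Lower than V1.2</match>
    <description>Need to upgrade TLS version</description>
  </rule>
</group>
```

To check the rule before restarting anything, run `/var/ossec/bin/ossec-logtest` and paste the scanner line from DG's alert (`May  4 22:50:13 ip-10-0-5-117 tlsd: bad : Found TLS version Lower than V1.2`); the output should show rule 100100 firing at level 12. Because `<match>` is a literal substring, the scanner's wording has to stay exactly as written in the rule; this covers only the log-parsing half of the thread, since the rule fires on whatever the external check writes to `/var/log/test`, not on the TLS handshake itself.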