On Fri, May 4, 2018 at 7:21 PM, DG <daniel.guev...@gmail.com> wrote:
> Hi,
>
> I am a total newb to ossec so I apologize ahead of time. I have been tasked
> to see if OSSEC can be leveraged to alert on TLS version used for
> connections on a given instance/vm/computer.
>
> So far I know if I have a scanner (custom script) write to a log, have that
> log file configured in ossec.conf (as well as a rule in the corresponding
> rule xml file) an alert will generate.
>
> Example:
> ** Alert 1525474620.36076: mail - syslog,yum,
> 2018 May 04 22:57:00 ip-10-0-5-117->/var/log/test
> Rule: 2946 (level 12) -> 'Need to upgrade TLS version'
> May 4 22:50:13 ip-10-0-5-117 tlsd: bad : Found TLS version Lower than V1.2
>
> My question is: is there a way for ossec to actually run the script that does
> the check instead of just parsing logs after it is executed externally
> (cron)? My research seems to keep bringing me back to executing scripts in
> response to an event (active response) but I want the inverse: a script
> executed to check if we have a violation.
>
> Or please let me know if I am overthinking this and ossec can inherently
> check for a connection using TLS version lower than 1.2 and alert.

The <command> or <full_command> localfile options might do what you're looking for. I'm not sure there are any real benefits beyond a scan run from cron, but it's an option.

> I appreciate any help!
>
> DG
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
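As an added illustration of the reply's suggestion (not configuration posted by anyone in this thread), the fragments below show how an OSSEC agent can run the check script itself via a `<localfile>` of `<log_format>command</log_format>` and how a local rule picks up its output. The script path `/usr/local/bin/check_tls.sh`, the alias `tls-check`, the rule id 100200 and the 3600-second interval are assumed values; the script is taken to print the same line as in the quoted alert. Rule 530 is the stock OSSEC rule that matches `ossec: output:` events, and `<alias>` requires an OSSEC release that supports it (2.8 or later). With `command`, each line the script prints becomes its own event; `full_command` instead delivers the whole output as a single event, which suits checks whose verdict spans several lines.

```xml
<!-- ossec.conf (agent side): let the agent run the TLS check instead of cron.
     Assumed script path; each printed line is delivered as
     "ossec: output: 'tls-check': <line>". -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>/usr/local/bin/check_tls.sh</command>   <!-- assumed path -->
    <alias>tls-check</alias>                          <!-- shortens the match below -->
    <frequency>3600</frequency>                       <!-- seconds between runs -->
  </localfile>
</ossec_config>

<!-- local_rules.xml (manager side): ids 100000 and above are reserved for
     local rules. Rule 530 is the stock rule for "ossec: output:" events;
     "ignore" suppresses a repeat alert for the same event for 3600 s. -->
<group name="local,tls,">
  <rule id="100200" level="12" ignore="3600">
    <if_sid>530</if_sid>
    <match>ossec: output: 'tls-check': </match>
    <regex>Found TLS version Lower than V1.2</regex>
    <description>Need to upgrade TLS version</description>
  </rule>
</group>
```

The script only needs to print one line per finding and nothing when the host is clean; with no output there is no event, so no alert fires. Because the check now runs from the agent's configuration rather than a separate cron entry, the interval and the rule that consumes the result live in the same place and are pushed with the rest of the OSSEC config.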