👍

On Fri, Apr 12, 2019 at 2:56 PM Zack Vanderbilt <[email protected]> wrote:

> Hey Wayne,
>
> Your understanding is correct, however in version 3.3.x (currently available in master) there has been the addition of dynamic decoders which will allow you to create whatever key-value pairs you want. Should be a new release in the coming weeks but I am not 100% on when specifically it will be.
>
> Stay tuned!
>
> - Zack
>
> On Fri, Apr 12, 2019 at 11:42 AM Wayne Villars <[email protected]> wrote:
>
>> I was looking at doing this as well. The main thing holding me back is the limited fields that can be extracted. My current understanding is that ossec decoder's field extraction is limited to the following fields:
>>
>> location - where the log came from (only on FTS)
>> srcuser - extracts the source username
>> dstuser - extracts the destination (target) username
>> user - an alias to dstuser (only one of the two can be used)
>> srcip - source ip
>> dstip - dst ip
>> srcport - source port
>> dstport - destination port
>> protocol - protocol
>> id - event id
>> url - url of the event
>> action - event action (deny, drop, accept, etc)
>> status - event status (success, failure, etc)
>> extra_data - Any extra data
>>
>> (from https://github.com/ossec/ossec-rules/blob/master/etc/decoder.xml)
>>
>> Is my understanding correct? How do you intend to overcome this limitation? I mean, the opportunities for detection, if osquery and ossec were combined, are incredible, so I would love to take a stab at it.
>>
>> On Thursday, February 28, 2019 at 10:23:40 AM UTC-5, [email protected] wrote:
>>>
>>> Actually, there is a solution for this, but it is a separate package that has to be installed and configured. It is called OSQUERY and can be found here:
>>>
>>> https://osquery.io/
>>>
>>> OSQUERY is open source under the Apache license. Like OSSEC, it runs on almost every platform. It can provide a HUGE amount of information about the client system. It was developed by Facebook as an asset management subsystem and uses its own structured query language for pulling data from clients. There are several third-party modules that have been developed for it as well, including an installer and auto-updater (Kolide launcher). The Kolide tool for auto-updating might be a good model for building a tool to auto-update OSSEC someday too.
>>>
>>> We have been looking at integrating OSQUERY with OSSEC for a while. The easiest way to do this would be to build a separate encrypted communication channel between the OSSEC server and OSQUERY. I will submit a pull request if we work all the details out for full integration. We are working on a PCI DSS compliant port monitoring tool for OSSEC right now that we will submit on a separate pull request when it is done. If anyone is interested, I will be at the OSSEC conference on March 20th.
>>>
>>> Best,
>>>
>>> Dave Stoddard
>>> Network Alarm Corporation
>>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
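The thread turns on which names a decoder's `<order>` may use: the fixed set Wayne lists, versus arbitrary names once the 3.3.x dynamic decoders land. The following Python is an added example, not part of this thread and not OSSEC's own code. It parses decoder XML in the layout of `etc/decoder.xml`, flags every `<order>` field that falls outside the static set (and therefore depends on dynamic decoder support), and simulates extraction against a log line. The decoder name, its fields and the log line are constructed for illustration, and Python's `re` module stands in for OSSEC's regex engine, which is an assumption that holds for the simple `\S`, `\d` tokens used here but not for every OSSEC regex construct.

```python
"""Classify an OSSEC decoder's <order> fields and simulate its extraction.

Added example, not OSSEC's own code. It reads decoder XML in the layout of
etc/decoder.xml, checks each <order> field against the fixed field set quoted
in the thread, and applies the decoder's <regex> to a sample log line with
Python's re module. Using re for OSSEC's regex dialect is an assumption: it
holds for the \\S and \\d tokens used here, not for every OSSEC construct.
"""
import re
import xml.etree.ElementTree as ET

# The static field set from etc/decoder.xml as quoted in the thread.
STATIC_FIELDS = {
    "location", "srcuser", "dstuser", "user", "srcip", "dstip", "srcport",
    "dstport", "protocol", "id", "url", "action", "status", "extra_data",
}

# Constructed decoder (assumed name and fields; not from the thread or from OSSEC).
DECODER_XML = r"""
<decoder name="osquery-result-example">
  <prematch>osquery_example: </prematch>
  <regex offset="after_prematch">name=(\S+) hostname=(\S+) pid=(\d+) path=(\S+)</regex>
  <order>id, extra_data, pid, path</order>
</decoder>
"""

# Constructed log line in the shape the decoder above expects.
SAMPLE_LOG = ("osquery_example: name=process_events hostname=host1 "
              "pid=4242 path=/usr/bin/curl")


def parse_decoders(xml_text):
    """Return a list of decoder dicts. decoder.xml holds several top-level
    <decoder> elements with no single root, so wrap the text before parsing."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = []
    for dec in root.findall("decoder"):
        regex = dec.find("regex")
        prematch = dec.find("prematch")
        order = dec.find("order")
        decoders.append({
            "name": dec.get("name"),
            "prematch": prematch.text if prematch is not None else None,
            "regex": regex.text if regex is not None else None,
            "offset": regex.get("offset") if regex is not None else None,
            "order": [f.strip() for f in order.text.split(",")] if order is not None else [],
        })
    return decoders


def classify_fields(order):
    """Split <order> names into (static, dynamic). Dynamic names are the ones
    that need the 3.3.x dynamic decoders mentioned in the thread."""
    static = [f for f in order if f in STATIC_FIELDS]
    dynamic = [f for f in order if f not in STATIC_FIELDS]
    return static, dynamic


def needs_dynamic_decoder(decoder):
    """True when at least one <order> field is outside the static set."""
    return bool(classify_fields(decoder["order"])[1])


def apply_decoder(decoder, line):
    """Simulate extraction: honour <prematch> (and offset="after_prematch"),
    then map regex groups onto the <order> names. None means no match."""
    start = 0
    if decoder["prematch"]:
        pm = re.search(decoder["prematch"], line)
        if pm is None:
            return None
        if decoder["offset"] == "after_prematch":
            start = pm.end()
    if not decoder["regex"]:
        return {}
    m = re.search(decoder["regex"], line[start:])
    if m is None:
        return None
    groups = m.groups()
    if len(groups) != len(decoder["order"]):
        raise ValueError("regex group count does not match <order> field count")
    return dict(zip(decoder["order"], groups))


if __name__ == "__main__":
    for dec in parse_decoders(DECODER_XML):
        static, dynamic = classify_fields(dec["order"])
        print(dec["name"], "static:", static, "dynamic (3.3.x+):", dynamic)
        print(apply_decoder(dec, SAMPLE_LOG))
```

Run against the constructed decoder, `id` and `extra_data` land in the static set while `pid` and `path` are reported as needing dynamic decoder support; pointing `parse_decoders` at a real `decoder.xml` gives a quick inventory of which decoders would break on a pre-3.3 manager.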
