Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?
Cool. That's what I was looking for. I think I'm just going to remove my labeling from the sev levels in my dashboards. It might be useful to have a note on that page advising that these labels may not always be true today.

Thanks.

Daniel

On 18 June 2015 at 09:39, dan (ddp) wrote:

> On Jun 17, 2015 7:26 PM, "Daniel X" wrote:
>
> > Thanks for the reply Dan,
> >
> > I understand that line in the default rules. What I don't understand is how Sev 7 is (according to the doc I linked to above):
> >
> > _07 - “Bad word” matching. They include words like “bad”, “error”, etc. These events are most of the time unclassified and may have some security relevance._
> >
> > yet Sev 11 is described as (and thus seems more fitting to me):
> >
> > _11 - Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck)._
> >
> > I'm thinking this doc may not be entirely correct in its descriptions so will probably just ignore the descriptions.
>
> It's a generic document written probably 10+ years ago. I thought it might be interesting in a general or historical sense, so I made sure to include it.
> I feel like the severity of the file integrity alerts was lessened or not raised to that level because the alerts aren't that interesting.
>
> > Daniel
> >
> > On 17 June 2015 at 23:24, dan (ddp) wrote:
> >
> > > On Wed, Jun 10, 2015 at 2:15 AM, Daniel X wrote:
> > >
> > > > Hi OSSECers,
> > > >
> > > > I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point).
> > > >
> > > > One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html)
> > > >
> > > > What I've noticed is that the 'Integrity Checksum Changed' signature is coming in as Severity 7 (Bad Word Match), and looking into the rules I can see that reflected, and the only thing I see at sev "11" are the IDS rules.
> > > >
> > > > Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that rule id 510 has level="7"? I'm going to change it to 11 in my local config, but it'd be good to know the intentions of this if it's not an oversight.
> > >
> > > Yes, level 7 appears to be correct:
> > > https://github.com/ossec/ossec-hids/blob/master/etc/rules/ossec_rules.xml#L61
> > >
> > > > rules/ids_rules.xml
> > > >
> > > > 509
> > > > Host-based anomaly detection event (rootcheck).
> > > > rootcheck,
> > > >
> > > > rules/ids_rules.xml
> > > >
> > > > 20151
> > > > srcip, id
> > > > Multiple IDS events from same source ip (ignoring now this srcip and id).
> > > >
> > > > 20152
> > > > id
> > > > Multiple IDS alerts for same id (ignoring now this id).
> > > >
> > > > Thanks!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?
On Jun 17, 2015 7:26 PM, "Daniel X" wrote:

> Thanks for the reply Dan,
>
> I understand that line in the default rules. What I don't understand is how Sev 7 is (according to the doc I linked to above):
>
> _07 - “Bad word” matching. They include words like “bad”, “error”, etc. These events are most of the time unclassified and may have some security relevance._
>
> yet Sev 11 is described as (and thus seems more fitting to me):
>
> _11 - Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck)._
>
> I'm thinking this doc may not be entirely correct in its descriptions so will probably just ignore the descriptions.

It's a generic document written probably 10+ years ago. I thought it might be interesting in a general or historical sense, so I made sure to include it.
I feel like the severity of the file integrity alerts was lessened or not raised to that level because the alerts aren't that interesting.

> Daniel
>
> On 17 June 2015 at 23:24, dan (ddp) wrote:
>
> > On Wed, Jun 10, 2015 at 2:15 AM, Daniel X wrote:
> >
> > > Hi OSSECers,
> > >
> > > I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point).
> > >
> > > One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html)
> > >
> > > What I've noticed is that the 'Integrity Checksum Changed' signature is coming in as Severity 7 (Bad Word Match), and looking into the rules I can see that reflected, and the only thing I see at sev "11" are the IDS rules.
> > >
> > > Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that rule id 510 has level="7"? I'm going to change it to 11 in my local config, but it'd be good to know the intentions of this if it's not an oversight.
> >
> > Yes, level 7 appears to be correct:
> > https://github.com/ossec/ossec-hids/blob/master/etc/rules/ossec_rules.xml#L61
> >
> > > rules/ids_rules.xml
> > >
> > > 509
> > > Host-based anomaly detection event (rootcheck).
> > > rootcheck,
> > >
> > > rules/ids_rules.xml
> > >
> > > 20151
> > > srcip, id
> > > Multiple IDS events from same source ip (ignoring now this srcip and id).
> > >
> > > 20152
> > > id
> > > Multiple IDS alerts for same id (ignoring now this id).
> > >
> > > Thanks!
Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?
Thanks for the reply Dan,

I understand that line in the default rules. What I don't understand is how Sev 7 is (according to the doc I linked to above):

_07 - “Bad word” matching. They include words like “bad”, “error”, etc. These events are most of the time unclassified and may have some security relevance._

yet Sev 11 is described as (and thus seems more fitting to me):

_11 - Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck)._

I'm thinking this doc may not be entirely correct in its descriptions so will probably just ignore the descriptions.

Daniel

On 17 June 2015 at 23:24, dan (ddp) wrote:

> On Wed, Jun 10, 2015 at 2:15 AM, Daniel X wrote:
>
> > Hi OSSECers,
> >
> > I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point).
> >
> > One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html)
> >
> > What I've noticed is that the 'Integrity Checksum Changed' signature is coming in as Severity 7 (Bad Word Match), and looking into the rules I can see that reflected, and the only thing I see at sev "11" are the IDS rules.
> >
> > Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that rule id 510 has level="7"? I'm going to change it to 11 in my local config, but it'd be good to know the intentions of this if it's not an oversight.
>
> Yes, level 7 appears to be correct:
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/ossec_rules.xml#L61
>
> > rules/ids_rules.xml
> >
> > 509
> > Host-based anomaly detection event (rootcheck).
> > rootcheck,
> >
> > rules/ids_rules.xml
> >
> > 20151
> > srcip, id
> > Multiple IDS events from same source ip (ignoring now this srcip and id).
> >
> > 20152
> > id
> > Multiple IDS alerts for same id (ignoring now this id).
> >
> > Thanks!
Re: [ossec-list] rootcheck rule at sev 7 (bad word match)?
On Wed, Jun 10, 2015 at 2:15 AM, Daniel X wrote:

> Hi OSSECers,
>
> I've recently been working with Splunk dashboarding (using the Splunk for OSSEC app as a starting point).
>
> One of the features I've expanded is the 'top severities list', where I've named the severities according to the Rules Classification documentation (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-levels.html)
>
> What I've noticed is that the 'Integrity Checksum Changed' signature is coming in as Severity 7 (Bad Word Match), and looking into the rules I can see that reflected, and the only thing I see at sev "11" are the IDS rules.
>
> Below are relevant sections in the rules in OSSEC 2.8.1. Is it correct that rule id 510 has level="7"? I'm going to change it to 11 in my local config, but it'd be good to know the intentions of this if it's not an oversight.

Yes, level 7 appears to be correct:
https://github.com/ossec/ossec-hids/blob/master/etc/rules/ossec_rules.xml#L61

> rules/ids_rules.xml
>
> 509
> Host-based anomaly detection event (rootcheck).
> rootcheck,
>
> rules/ids_rules.xml
>
> 20151
> srcip, id
> Multiple IDS events from same source ip (ignoring now this srcip and id).
>
> 20152
> id
> Multiple IDS alerts for same id (ignoring now this id).
>
> Thanks!
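The local change the original poster describes, written out as an added example (not code from the thread or from the OSSEC project): an `overwrite="yes"` rule in `rules/local_rules.xml` that raises rule 510 to level 11 without editing the shipped `ossec_rules.xml`. The quoted rule fragments lost their XML tags in extraction, so the child elements (`if_sid` 509, `description`, `group`) are an assumption reconstructed from those fragments and the standard OSSEC rule syntax.

```xml
<!-- rules/local_rules.xml (added example, not from the thread or the project).
     OSSEC loads local_rules.xml after the shipped rule files; a rule with
     overwrite="yes" and an existing id replaces the built-in rule entirely,
     so its matching conditions must be restated, not just the new level. -->
<group name="local,rootcheck,">

  <!-- Built-in 510 ships at level 7, which the old classification page
       describes as "bad word" matching. Level 11 matches the page's
       "integrity checking warning" tier, so dashboards keyed on level
       label rootcheck findings the way the poster expected.
       Assumption: 510 is the child of decoder rule 509 whose description
       and group the quoted fragments show. -->
  <rule id="510" level="11" overwrite="yes">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
  </rule>

</group>
```

After a restart (`/var/ossec/bin/ossec-control restart`), feeding a sample rootcheck alert to `/var/ossec/bin/ossec-logtest` shows whether the event now fires rule 510 at level 11 rather than 7.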