[ossec-list] ossec users and group should be in system groups

2016-04-26 Thread Dennis Golden
Over the past several years, I have submitted diffs for InstallServer.sh and InstallAgent.sh to make the users and group be in the range for system users/groups. I use openSUSE that has always supported the '-r' flag in the "groupadd" and "useradd" commands. Even though I don't use other

Re: [ossec-list] A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread J. Craig
Remediations include: - restricting permissions to the binary - windows firewall blocking network access to binary If a user has admin or a path to admin, these are just speed bumps. Sysmon would be useful here for instrumentation: e.g. look for regsvr32.exe executing and/or making any network

[ossec-list] Re: A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread Rob B
Interesting.. thanks for that blog post. COM+ lol, classic! anyhow, here is a crude one but it works.. ;-) 18100 Regsvr32.exe Suspicious - "Regsvr32" Capable of application whitelisting bypass. On Tuesday, April 26, 2016 at 11:37:07 AM UTC-4, namobud...@gmail.com wrote: > >

[ossec-list] Change alert level for changes to system configuration files and system binaries

2016-04-26 Thread Tahir Hafiz
Guys I am staring at this: /etc,/usr/bin,/usr/sbin /bin,/sbin Does anyone know where I can change the default alert level for those directories above - I want to modify changes to the above to Alert Level 14? Basically, I am hooking OSSEC into Nagios alerting with a shell script

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
I find this a very interesting set of rule(s) 18100 /services.exe Sysmon - Suspicious Process - services.exe pci_dss_10.6.1,pci_dss_11.4, 184746 wininit.exe Sysmon - Legitimate Parent Image - services.exe On Tuesday, April 26, 2016 at 10:17:17 AM UTC-4, dan (ddpbsd)

[ossec-list] A rule to detect that Regsvr32.exe has been run?

2016-04-26 Thread namobuddhaonion
Hello group, Here is an interesting article on how Regsvr32.exe can use .com script files to execute code. I didn't see a remediation, but it's good to at least be aware of it. http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html My question is can we write a rule to

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
NM, found it! ;-) syslog duh. On Tuesday, April 26, 2016 at 10:15:03 AM UTC-4, Rob B wrote: > > what _rules.xml file is 1002 located? I wish I had some kind of rules > legend to reference. Thanks. ;-) > > > > On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread dan (ddp)
On Tue, Apr 26, 2016 at 10:15 AM, Rob B wrote: > what _rules.xml file is 1002 located? I wish I had some kind of rules > legend to reference. Thanks. ;-) > [ddp@ix] :; grep '"1002"' /var/ossec/rules/*_rules.xml /var/ossec/rules/syslog_rules.xml: > > > On Tuesday,

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Rob B
what _rules.xml file is 1002 located? I wish I had some kind of rules legend to reference. Thanks. ;-) On Tuesday, April 26, 2016 at 8:20:11 AM UTC-4, theresa mic-snare wrote: > > Also, I should explain why I first wrote 1002 > I often check for this rule (2 - Unknown problem

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
Also, I should explain why I first wrote 1002 I often check for this rule (2 - Unknown problem somewhere in the system.) just to see if there are any false-positives that haven't been covered by an existing rule yet. Then I would see which log event needs a new rule or decoder, so that it

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread theresa mic-snare
I woke up this morning with a notification on my phone that this following rule fired again: 31108 "\(\)\s*{\s*:;\s*}\s*; Shellshock attack detected attack,pci_dss_11.4, Just as I thought that the Shellshock hype was over..someone from China tried

Re: [ossec-list] What's your favorite rules?

2016-04-26 Thread Jesus Linares
Interesting thread. Lately I'm using Amazon EC2 Rules, I find them really useful and you can find more rules for Amazon in the linked repository. Also, you may find this script interesting

[ossec-list] Re: Prerrequisites Instalation OSSEC

2016-04-26 Thread Pedro S
Hi, Regarding the hardware requirements, it depends on your environment and how many agents you want to deploy. Disk: Depends on the traffic load of your agents; if we could know that we could calculate the EPS... how long do you want to store the logs? I think 300 GB or 500 GB should be enough.