Hi,

Usually all rules in the Wazuh ruleset <https://github.com/wazuh/wazuh-ruleset> should work with OSSEC, but in some cases there could be a compatibility issue due to some new capabilities of Wazuh (like support for dynamic fields <https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0040-auditd_decoders.xml#L29> in the tag *<order>* of a rule). In other cases, we change the structure or names of a decoder/rule to something that we consider more proper.
The USB rules use the *kernel decoder*, which does not exist in OSSEC. If you change *kernel* to *iptables* it should work. This is because the old decoder was:

<decoder name="iptables">
  <program_name>^kernel</program_name>
</decoder>

And we changed <https://github.com/wazuh/wazuh-ruleset/commit/5a29440886fa54187cc51fb1d92a1a7c4305eafc> it to:

<decoder name="kernel">
  <program_name>^kernel</program_name>
</decoder>

I hope it helps.

Regards.

On Wednesday, December 28, 2016 at 4:36:53 PM UTC+1, namobud...@gmail.com wrote:
>
> I don't have the Wazuh OSSEC fork installed, but I pull out individual
> rules such as the USB rule and put in my local_rules.xml?
>
> <group name="usb,">
>   <rule id="81100" level="0">
>     <decoded_as>kernel</decoded_as>
>     <id>usb</id>
>     <description>USB messages grouped.</description>
>   </rule>
>   <!--
>   USB Connected
>   Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found,
>   idVendor=0781, idProduct=5575
>   -->
>   <rule id="81101" level="3">
>     <if_sid>81100</if_sid>
>     <match>New USB device found</match>
>     <description>Attached USB Storage</description>
>   </rule>
> </group>
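The following is an added example, not part of the thread and not code from OSSEC or Wazuh: a small Python simulation of the decoder and rule matching described in the reply. It feeds the kernel line quoted in the rule comment through the old OSSEC decoder (named *iptables*) and the renamed Wazuh decoder (named *kernel*), evaluates the USB rule group against each, and then applies the fix from the reply by rewriting `<decoded_as>kernel</decoded_as>` to `iptables`. The syslog parser, the regex handling and the rule evaluator are deliberate simplifications of the real engines (the `<id>` tag from the original rule is dropped because the toy does not support it); `port_rules_to_ossec` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, taken from the thread: the decoder before and
# after the Wazuh rename, the USB rule group (minus the <id> tag, which this
# toy evaluator does not support), and the kernel line from the rule comment.
OSSEC_DECODER = '<decoder name="iptables"><program_name>^kernel</program_name></decoder>'
WAZUH_DECODER = '<decoder name="kernel"><program_name>^kernel</program_name></decoder>'

USB_RULES = """<group name="usb,">
  <rule id="81100" level="0">
    <decoded_as>kernel</decoded_as>
    <description>USB messages grouped.</description>
  </rule>
  <rule id="81101" level="3">
    <if_sid>81100</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>"""

SAMPLE_LOG = ("Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, "
              "idVendor=0781, idProduct=5575")

# Minimal classic-syslog header parser: timestamp, host, program name, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return (program_name, message) for a classic syslog line."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("prog"), m.group("msg")


def decode(decoder_xml, program_name):
    """Name of the decoder whose <program_name> regex matches, else None.

    Simplification: OSSEC uses its own regex dialect; Python's re behaves the
    same for the anchored '^kernel' pattern used here.
    """
    decoder = ET.fromstring(decoder_xml)
    pattern = decoder.findtext("program_name")
    return decoder.get("name") if re.match(pattern, program_name) else None


def evaluate(rules_xml, decoder_name, message):
    """Walk the rules in file order and return (id, level) of the last rule
    that fired, mimicking how a child rule overrides its parent.

    Supports <decoded_as>, <if_sid> and a substring <match>; anything else
    is ignored in this toy.
    """
    fired = set()
    result = None
    for rule in ET.fromstring(rules_xml).iter("rule"):
        decoded_as = rule.findtext("decoded_as")
        if decoded_as is not None and decoded_as != decoder_name:
            continue
        if_sid = rule.findtext("if_sid")
        if if_sid is not None and if_sid not in fired:
            continue
        match = rule.findtext("match")
        if match is not None and match not in message:
            continue
        fired.add(rule.get("id"))
        result = (rule.get("id"), int(rule.get("level")))
    return result


def run(decoder_xml, rules_xml, line):
    """End to end: parse the line, decode it, evaluate the rules."""
    program_name, message = parse_syslog(line)
    return evaluate(rules_xml, decode(decoder_xml, program_name), message)


def port_rules_to_ossec(rules_xml):
    """Apply the fix from the reply: point <decoded_as>kernel</decoded_as>
    at the decoder name OSSEC actually uses for kernel lines, 'iptables'."""
    root = ET.fromstring(rules_xml)
    for tag in root.iter("decoded_as"):
        if tag.text == "kernel":
            tag.text = "iptables"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("Wazuh decoder        :", run(WAZUH_DECODER, USB_RULES, SAMPLE_LOG))
    print("OSSEC decoder        :", run(OSSEC_DECODER, USB_RULES, SAMPLE_LOG))
    print("OSSEC, ported rules  :",
          run(OSSEC_DECODER, port_rules_to_ossec(USB_RULES), SAMPLE_LOG))
```

Running it shows the mechanism behind the reply: with the Wazuh decoder the parent rule 81100 fires and the child 81101 raises the alert to level 3; with the OSSEC decoder the same line decodes as *iptables*, rule 81100 never matches its `<decoded_as>`, so 81101 has no parent to chain from and stays silent; after the `decoded_as` rewrite the chain fires again under OSSEC.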