Hi,

Usually all rules in the Wazuh ruleset <https://github.com/wazuh/wazuh-ruleset> 
should work with OSSEC, but in some cases there could be a compatibility issue 
due to some new capabilities of Wazuh (like support for dynamic fields 
<https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0040-auditd_decoders.xml#L29> 
in the *<order>* tag of a rule). In other cases, we change the structure or 
names of a decoder/rule to something that we consider more proper.

The USB rules use the *kernel decoder*, which does not exist in OSSEC. If 
you change *kernel* to *iptables* it should work. This is because the old 
decoder was:

<decoder name="iptables">
  <program_name>^kernel</program_name>
</decoder>

And we changed it 
<https://github.com/wazuh/wazuh-ruleset/commit/5a29440886fa54187cc51fb1d92a1a7c4305eafc> 
to:

<decoder name="kernel">
  <program_name>^kernel</program_name>
</decoder>

I hope it helps.
Regards.


On Wednesday, December 28, 2016 at 4:36:53 PM UTC+1, namobud...@gmail.com 
wrote:
>
> I don't have the Wazuh OSSEC fork installed, but can I pull out individual 
> rules such as the USB rule and put them in my local_rules.xml?
>
> <group name="usb,">
>   <rule id="81100" level="0">
>     <decoded_as>kernel</decoded_as>
>     <id>usb</id>
>     <description>USB messages grouped.</description>
>   </rule>
>   <!--
>   USB Connected
>   Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, 
>   idVendor=0781, idProduct=5575
>   -->
>   <rule id="81101" level="3">
>     <if_sid>81100</if_sid>
>     <match>New USB device found</match>
>     <description>Attached USB Storage</description>
>   </rule>
> </group>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
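The reason the `<decoded_as>kernel</decoded_as>` rule stays silent on stock OSSEC is that `<decoded_as>` is matched against the decoder's `name` attribute, not against the program name in the log line; OSSEC's decoder for `kernel:` lines is named `iptables`, so no rule referencing `kernel` can ever fire. The following is an added example (not OSSEC or Wazuh code, and not part of this thread) that re-implements, in a deliberately simplified way, the three steps involved: the syslog pre-decoder that extracts the program name, the `<program_name>` decoder match, and the rule walk through `decoded_as` / `if_sid` / `match`. It runs the OP's rule against the sample line with the OSSEC decoder name, with the renamed Wazuh decoder, and with the suggested `iptables` fix. Names such as `split_syslog`, `decode` and `evaluate`, the regex for the syslog header, and the linear rule walk are assumptions of this example; real OSSEC uses its own OS_Regex syntax and a rule tree, so only the `decoded_as` behaviour shown here should be taken as authoritative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the line quoted in the OP's rule comment.
SAMPLE_LOG = ("Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, "
              "idVendor=0781, idProduct=5575")

# Decoder as shipped with OSSEC (and the old Wazuh ruleset): named "iptables".
OSSEC_DECODERS = """<decoders>
  <decoder name="iptables"><program_name>^kernel</program_name></decoder>
</decoders>"""

# The same decoder after the Wazuh rename to "kernel".
WAZUH_DECODERS = """<decoders>
  <decoder name="kernel"><program_name>^kernel</program_name></decoder>
</decoders>"""

# The OP's rules; only the decoded_as value is parameterised so the fix can be tested.
RULES_TEMPLATE = """<group name="usb,">
  <rule id="81100" level="0">
    <decoded_as>{decoder}</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
  </rule>
  <rule id="81101" level="3">
    <if_sid>81100</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>"""

# Assumed syslog header layout: "Mon dd HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$")


def split_syslog(line):
    """Pre-decoder step: return (hostname, program_name, message) or None."""
    m = SYSLOG_RE.match(line)
    return m.groups() if m else None


def decode(decoders_xml, program_name):
    """Return the NAME of the first decoder whose <program_name> matches.

    '^kernel' means the same in Python re and in OSSEC's OS_Regex; more
    complex OSSEC patterns would not translate 1:1 (simplification).
    """
    for dec in ET.fromstring(decoders_xml).iter("decoder"):
        pattern = dec.findtext("program_name")
        if pattern is not None and re.match(pattern, program_name):
            return dec.get("name")
    return None  # no decoder matched: the event is "undecoded"


def evaluate(rules_xml, decoder_name, message):
    """Linear rule walk; returns the id of the last rule that fired, or None.

    <decoded_as> compares against the decoder *name*, <if_sid> requires the
    parent to have fired, <match> is a plain substring test on the message.
    """
    fired = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        decoded_as = rule.findtext("decoded_as")
        if decoded_as is not None and decoded_as != decoder_name:
            continue
        if_sid = rule.findtext("if_sid")
        if if_sid is not None and if_sid not in fired:
            continue
        match = rule.findtext("match")
        if match is not None and match not in message:
            continue
        fired.append(rule.get("id"))
    return fired[-1] if fired else None


def alert_for(decoders_xml, decoded_as):
    """Run SAMPLE_LOG through decoders + the OP's rules with a given decoded_as."""
    _host, program, message = split_syslog(SAMPLE_LOG)
    decoder = decode(decoders_xml, program)
    return evaluate(RULES_TEMPLATE.format(decoder=decoded_as), decoder, message)


if __name__ == "__main__":
    print("OSSEC, decoded_as=kernel   ->", alert_for(OSSEC_DECODERS, "kernel"))
    print("OSSEC, decoded_as=iptables ->", alert_for(OSSEC_DECODERS, "iptables"))
    print("Wazuh, decoded_as=kernel   ->", alert_for(WAZUH_DECODERS, "kernel"))
```

On a real installation the equivalent check is to feed the sample line to `ossec-logtest` and confirm that the decoder phase reports `iptables` (OSSEC) or `kernel` (Wazuh) and that rule 81101 fires; if the decoder phase shows no decoder at all, the `<decoded_as>` value is the first thing to compare against the installed decoder names.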
