
List:       ossec-dev
Subject:    Re: [ossec-dev] threat detection with OSSEC?
From:       theresa mic-snare <rockprinzess () gmail ! com>
Date:       2015-08-14 19:59:10
Message-ID: 110de31c-30ed-4764-8df4-ea282fb5ec72 () googlegroups ! com

I just stumbled upon SCAP (or openSCAP). It seems it does something similar 
to CIS?

What do you guys think of it?
Could it be integrated into OSSEC? Could OSSEC be capable of detecting and 
creating alerts for SCAP?
openSCAP seems to be well integrated in RHEL-based systems...but I've also 
seen packages for Ubuntu/Debian based systems...
https://launchpad.net/ubuntu/+source/openscap
https://github.com/OpenSCAP/scap-security-guide

What do you think?
Is it worth a shot?

best,
theresa

On Friday, 14 August 2015 at 19:25:21 UTC+2, Scott R. Shinn wrote:
> 
> This is the right list, especially if you're contributing updates. So 
> thanks for that!
> 
> The existing lists are all static; we don't currently have a mechanism to 
> update them, and at this time we don't have anyone updating the rootkit 
> malware sources. The original data was sourced from the rkhunter project, 
> but since then it really hasn't been updated at all.
> 
> The audit checks I've been working on from time to time, and the assistance 
> there would be great. I've used both the CIS benchmarks and the DISA STIGs 
> as source material there. Given the scope there (I think it's something like 
> 900 controls), I've been doing PRs on them as I go along. 
> 
> -Scott
> 
> On Fri, 2015-08-14 at 10:06 -0700, theresa mic-snare wrote:
> 
> Hi guys,
> 
> I'm not sure if this actually belongs on the regular ossec-list or here...
> I'm not the expert here and only just dived into OSSEC...but how does the 
> threat and malware detection work in OSSEC? It seems a bit "static" to me, 
> since the checks are based on .txt files that came with the 
> installation.
> How does OSSEC discover new threats or exploits like Shellshock, 
> Heartbleed, POODLE, FREAK? Does it even scan for these?
> Are there any plans to interact with a dynamic threat database (such as 
> OTX)?
> 
> I'm currently working on the cis_rhel6_linux_cl checks...as soon as it's 
> complete I will create a pull request on GitHub.
> 
> And sorry if this is on the wrong mailing list.
> 
> cheers,
> theresa
> 
