
List:       ossec-list
Subject:    Re: [ossec-list] Scaling OSSEC (presentation from OpenNSM project / scripts / rules)
From:       Santiago Bassett <santiago.bassett () gmail ! com>
Date:       2016-03-22 0:12:41
Message-ID: CANzo5PWRZpXoTS_1r83YGB5UUfNNMxHK5Q_ybnqcPVt85e=szA () mail ! gmail ! com

Very nice indeed!!

On Fri, Mar 18, 2016 at 10:52 AM, Antonio Querubin <tony@lavanauts.org>
wrote:

> Nice work!
> 
> Sent from my iPad
> 
> On Mar 18, 2016, at 03:36, Rodrigo Montoro(Sp0oKeR) <spooker@gmail.com>
> wrote:
> 
> Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ
> 
> Nice content here: https://github.com/ncsa/ossec-tools
> 
> Custom AR scripts
> 
> - active-response/virustotal_lookup.sh/virus_total.py - Look up hash
> from syscheck alerts in VT database
> - active-response/cymru_lookup.sh - Look up hash from syscheck alerts
> in Team Cymru Malware Hash Registry
> - active-response/puppetdb_lookup.sh - Look up managed files in
> PuppetDB
> - active-response/rpm_lookup.sh - Look up files that changed from RPM
> install (must be present on agents)
> - active-response/deb_lookup.sh - Look up files that changed from DEB
> install (must be present on agents)
> - active-response/time_lookup.sh - Check if system clock is off or
> time zone differs for analyzed logs
> - active-response/command_search.sh - Search for malicious commands
> across logs
> - active-response/cif.sh - Create intelligence feed from alerts
> - active-response/bhr.sh - Block hosts at perimeter using Black Hole
> Router by Justin Azoff
> - active-response/add_to_cdb.sh - Add entries from alerts to system
> database e.g. system users
> - active-response/rule-all.sh - Run many of the above scripts
> - active-response/syscheck-all.sh - Run many of the syscheck scripts
> 
> And more rules and tips there.
> 
> Regards,
> --
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> 

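As an added example (not code from this thread or from the ncsa/ossec-tools repository): the step every hash-lookup AR script listed above shares is pulling the file path and the new checksums out of the syscheck alert it was fired for, before anything is sent to VirusTotal or the Cymru registry. The alert text, agent name and hashes below are constructed, and the alerts.log layout is assumed from OSSEC 2.x; a deleted-file alert is included to show the case where no lookup should be attempted.

```python
import re

# Constructed sample alerts in alerts.log style (host, hashes and ids are made up).
ALERT_CHANGED = """** Alert 1458272160.48213: - ossec,syscheck,
2016 Mar 18 03:36:00 (webhost01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/bin/ssh'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
Old sha1sum was: '0123456789abcdef0123456789abcdef01234567'
New sha1sum is : '76543210fedcba9876543210fedcba9876543210'
"""
ALERT_DELETED = """** Alert 1458272200.48990: - ossec,syscheck,
2016 Mar 18 03:36:40 (webhost01) 192.0.2.10->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/usr/local/bin/tool' was deleted. Unable to retrieve checksum.
"""

# One pattern per field, each anchored at line start so that a file path
# which happens to contain "md5sum" cannot satisfy the hash patterns.
PATH_RE = re.compile(r"^Integrity checksum changed for: '(?P<path>[^']+)'", re.M)
MD5_RE = re.compile(r"^New md5sum is\s*:\s*'(?P<md5>[0-9a-f]{32})'", re.M)
SHA1_RE = re.compile(r"^New sha1sum is\s*:\s*'(?P<sha1>[0-9a-f]{40})'", re.M)
AGENT_RE = re.compile(r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d \((?P<agent>[^)]+)\)", re.M)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) ", re.M)


def parse_syscheck_alert(text):
    """Extract what a hash-lookup AR script needs from one alert block.

    Returns None when the alert carries no new checksum (deleted file,
    or a non-syscheck alert), so the caller skips the lookup instead of
    querying a provider with an empty or stale hash."""
    path = PATH_RE.search(text)
    md5 = MD5_RE.search(text)
    sha1 = SHA1_RE.search(text)
    if not path or not (md5 or sha1):
        return None
    agent = AGENT_RE.search(text)
    rule = RULE_RE.search(text)
    return {
        "path": path.group("path"),
        "agent": agent.group("agent") if agent else None,
        "rule": int(rule.group("rule")) if rule else None,
        "md5": md5.group("md5") if md5 else None,
        "sha1": sha1.group("sha1") if sha1 else None,
    }


def lookup_key(parsed):
    """Prefer the SHA-1 over the MD5 as the key sent to a hash registry."""
    return parsed["sha1"] or parsed["md5"]
```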