
List:       ossec-list
Subject:    Re: [ossec-list] Modify rules.xml files best practice
From:       Jesus Linares <jesus@wazuh.com>
Date:       2016-08-29 10:15:21
Message-ID: bf7aa9e2-8f28-4b50-b3c8-1e4a902b7c4d@googlegroups.com


Hi Derek,

As Dan said, the best practice is to use the file *local_rules.xml*. But, 
if you are improving or creating new rules, it would be great if you shared 
them with OSSEC <https://github.com/ossec/ossec-hids> or with the Wazuh ruleset 
repository <https://github.com/wazuh/ossec-rules>. On the other hand, if 
you just want to adapt the rules to your environment (overwrite, levels, 
descriptions), just use the *local_rules* file.

Thanks.
Regards.


On Friday, August 26, 2016 at 3:46:05 PM UTC+2, dan (ddpbsd) wrote:
> 
> On Fri, Aug 26, 2016 at 9:39 AM, Derek Day <dday...@gmail.com> wrote: 
> > I have hopefully an easily answered question regarding modifying some of the 
> > rules.xml files that come with ossec. I guess my question centers around, 
> > what is the best practice for doing something like that? I want to give 
> > certain Windows event IDs higher levels and lower certain other ones. 
> > Should I just modify the msauth_rules.xml files as required or is there a 
> > different best practice? 
> > 
> 
> Usually what we recommend is to add the rules with your changes to 
> local_rules.xml and add the overwrite option. 
> 
> > Thanks 
> > 
> > Derek 
> > 
> 

-- 

--- 
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
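
Putting Dan's and Jesus's advice into a concrete local_rules.xml, as an added example that is not part of the original thread or of the OSSEC ruleset: the two rules below are re-declared with overwrite="yes" so that the level of a shipped rule changes without editing msauth_rules.xml (edits there are lost on the next ruleset update). The rule IDs, <if_sid> parents, event-ID lists and original levels are reproduced from memory of the msauth_rules.xml of the time and are assumptions to verify against your installed copy. Because overwrite replaces the whole rule rather than patching one attribute, every match condition of the original has to be carried over; a rule copied with only id, level and description no longer matches what it did.

```xml
<!-- local_rules.xml (added example; rule bodies are assumptions, copy the
     real <if_sid>/<id> lines from your installed msauth_rules.xml) -->
<group name="local,windows,">

  <!-- Windows logon failure: shipped as rule 18106, level 5.
       Same id plus overwrite="yes" replaces the stock rule; raise it to 8. -->
  <rule id="18106" level="8" overwrite="yes">
    <if_sid>18101</if_sid>
    <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$|^4626$</id>
    <description>Windows Logon Failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Windows logon success: shipped as rule 18107, level 3.
       Lower it to 0 so routine logons stop alerting. Level 0 rules are never
       alerted on, but the event is still matched, so the rule keeps working
       as an <if_sid> parent for any rule that builds on it. -->
  <rule id="18107" level="0" overwrite="yes">
    <if_sid>18105</if_sid>
    <id>^528$|^540$|^4624$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

For the overwrite to take effect the local file must be loaded after the file that defines the original rule, so keep `<include>local_rules.xml</include>` as the last entry of the `<rules>` section in ossec.conf. Check the result with `/var/ossec/bin/ossec-logtest`: paste a sample 4625 event and confirm it reports rule 18106 at the new level. If the old level is printed, the overriding rule was not loaded (wrong include order or a parse error); if no rule fires at all, a match condition was dropped from the copy.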




