List: ossec-list
Subject: Re: [ossec-list] Modify rules.xml files best practice
From: Jesus Linares <jesus () wazuh ! com>
Date: 2016-08-29 10:15:21
Message-ID: bf7aa9e2-8f28-4b50-b3c8-1e4a902b7c4d () googlegroups ! com
Hi Derek,
As Dan said, the best practice is to use the file *local_rules.xml*. But,
if you are improving or creating new rules, it would be great if you shared
them with OSSEC <https://github.com/ossec/ossec-hids> or with the Wazuh ruleset
repository <https://github.com/wazuh/ossec-rules>. On the other hand, if
you just want to adapt the rules to your environment (overwrite, levels,
descriptions), just use the *local_rules* file.
Thanks.
Regards.
On Friday, August 26, 2016 at 3:46:05 PM UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Aug 26, 2016 at 9:39 AM, Derek Day <dday...@gmail.com> wrote:
> > I have hopefully an easily answered question regarding modifying some of
> > the rules.xml files that come with OSSEC. I guess my question centers
> > around, what is the best practice for doing something like that? I want
> > to give certain Windows event IDs higher levels and lower certain other
> > ones. Should I just modify the msauth_rules.xml files as required or is
> > there a different best practice?
> >
>
> Usually what we recommend is to add the rules with your changes to
> local_rules.xml and add the overwrite option.
>
> > Thanks
> >
> > Derek
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
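Worked example (added here; it is not code from either poster nor from the OSSEC or Wazuh projects): a local_rules.xml fragment that does what Dan describes, raising the level of one Windows rule and lowering another with the overwrite option. The rule ids 18105 and 18106, the parent rule 18100 and the event-id patterns are assumptions about what the shipped msauth_rules.xml contains; look up the real id of the rule you want to change in your own copy before overwriting it.

```xml
<!-- local_rules.xml (added example, not from the thread).
     Rule ids, the parent id and the event-id patterns below are assumed;
     verify them against your msauth_rules.xml before use. -->
<group name="local,windows,">

  <!-- Raise the (assumed) Windows logon-failure rule to level 10.
       overwrite="yes" replaces the stock rule with the same id wholesale,
       so every element of the original (if_sid, id match, description)
       must be restated here; nothing is merged from the original. -->
  <rule id="18106" level="10" overwrite="yes">
    <if_sid>18100</if_sid>
    <id>^529$|^4625$</id>
    <description>Windows Logon Failure (level raised locally).</description>
  </rule>

  <!-- Lower the (assumed) Windows logon-success rule to level 0 so it no
       longer generates an alert but still matches and stops rule evaluation
       for that event. -->
  <rule id="18105" level="0" overwrite="yes">
    <if_sid>18100</if_sid>
    <id>^528$|^540$|^4624$</id>
    <description>Windows Logon Success (silenced locally).</description>
  </rule>

</group>
```

Two caveats. An overwritten rule is a full replacement, not a patch, so copy the original rule's matching conditions into your version or it will match different events than the stock rule did. Keep local_rules.xml loaded after msauth_rules.xml in the <rules> section of ossec.conf (the default configuration lists it last), then feed a sample event through /var/ossec/bin/ossec-logtest and confirm that the rule id and level it reports are the ones you set.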