Hiawatha rules for OSSEC

fred974
31 December 2014, 10:50
Hi Hugo,

Do you have Hiawatha rules for OSSEC?

This is what I used in Nginx https://github.com/ossec/ossec-docs/blob/master/rules/50_nginx_rules.xml

Hiawatha version: 9.8
Operating System: FreeBSD 10
Hugo Leisink
31 December 2014, 11:16
I have no idea what I'm looking at...
fred974
31 December 2014, 12:36
Hi Hugo,

Is it my question that you don't understand, or are you just not familiar with OSSEC?
Hugo Leisink
31 December 2014, 12:41
I'm not familiar with OSSEC, I have no idea what the file you linked to is for and what it is you ask of me.
fred974
31 December 2014, 13:52
Ok..

OSSEC uses decoders to parse log files. After it finds the proper decoder for a log, it will parse out fields defined in /etc/decoders.xml, then compare these values to values in rule files - and will trigger an alert when values in the deciphered log file match values specified in rule files. These values can also be passed to active response commands.

So for example, with the following nginx rule:
<rule id="31320" level="10">
  <if_sid>31303</if_sid>
  <match>failed (63: File name too long)</match>
  <description>Invalid URI, file name too long.</description>
  <group>invalid_request,</group>
</rule>

if my log file contains the keyword [b]Invalid URI, file name too long[/b]
I can then drop that IP address using the following active response:
<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>31320</rules_id>
  <timeout>600</timeout>
</active-response>


Sorry I'm not the best at explaining.
Please take a look at http://www.sans.org/reading-room/whitepapers/detection/practical-ossec-33699 if what I said makes no sense.

Maybe another user of the forum could help me explain it more clearly.

Thank you
Fred
Hugo Leisink
1 January 2015, 19:08
You can use Hiawatha's LogFormat setting to produce Apache-like logfiles. This way you don't need to create a log parser for Hiawatha.
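To tie the two posts together, here is an added, self-contained example (not code from this thread, from OSSEC or from Hiawatha) of the decoder-then-rule-then-active-response pipeline fred974 describes, run over access-log lines in the NCSA "common" format that Hugo's advice relies on. It assumes that Hiawatha's `LogFormat = common` setting writes exactly that format (the setting name and value are taken to be as documented in hiawatha.conf; verify against your version). The log lines, the rule ids in the local 100000+ range and the rule descriptions are constructed for the example; the firewall-drop is simulated as an in-memory block list with the 600-second timeout from the thread, so nothing here touches a real firewall.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample access-log lines in NCSA "common" format (the shape Hiawatha is
# assumed to write with LogFormat = common). The last line is deliberately garbage
# so the decoder's "no match" path is exercised.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Dec/2014:10:50:01 +0100] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.7 - - [31/Dec/2014:10:50:02 +0100] "GET /admin/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [31/Dec/2014:10:50:03 +0100] "GET /backup/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [31/Dec/2014:10:50:04 +0100] "GET /old/ HTTP/1.1" 404 512',
    '198.51.100.4 - - [31/Dec/2014:10:50:05 +0100] "GET /about HTTP/1.1" 200 800',
    'this line is not an access-log entry at all',
]

# Decoder: plays the role of an OSSEC <decoder>, pulling named fields out of one line.
COMMON_LOG = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def decode(line):
    """Return the decoded fields of a common-log line, or None if it does not match."""
    m = COMMON_LOG.match(line)
    return m.groupdict() if m else None

def event_time(fields):
    """Epoch seconds of the decoded line's [timestamp] field."""
    return datetime.strptime(fields["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()

@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    status_prefix: str      # "4" means any 4xx response code
    frequency: int = 1      # fire only after this many matching events ...
    timeframe: int = 0      # ... from the same srcip within this many seconds

# Constructed rules (ids in the local range, not copied from any OSSEC rule file):
# a base rule for any 4xx and a composite rule that needs three of them in 120 s.
RULES = [
    Rule(100001, 5, "Web server 400 error code.", "4"),
    Rule(100002, 10, "Multiple web server 400 error codes from same source ip.",
         "4", frequency=3, timeframe=120),
]

# Equivalent of the <active-response> block in the thread: firewall-drop bound to one
# rule id with a 600 second timeout. Simulated here as an expiring block list.
ACTIVE_RESPONSE = {"rules_id": {100002}, "timeout": 600}

@dataclass
class Engine:
    rules: list
    history: dict = field(default_factory=lambda: defaultdict(list))  # srcip -> event times
    blocked: dict = field(default_factory=dict)                       # srcip -> unblock time
    alerts: list = field(default_factory=list)

    def process(self, line):
        """Decode one line, evaluate the rules, fire the active response. Returns the rule."""
        fields = decode(line)
        if fields is None:
            return None
        ts, ip = event_time(fields), fields["srcip"]
        fired = None
        for rule in self.rules:
            if not fields["status"].startswith(rule.status_prefix):
                continue
            if rule.frequency > 1:
                # earlier matching events from this srcip that are still inside the window
                recent = [t for t in self.history[ip] if ts - t <= rule.timeframe]
                if len(recent) + 1 < rule.frequency:
                    continue
            if fired is None or rule.level > fired.level:   # highest level wins
                fired = rule
        if fired is not None:
            self.history[ip].append(ts)
            self.alerts.append((fired.rule_id, fired.level, ip, fields["url"]))
            if fired.rule_id in ACTIVE_RESPONSE["rules_id"]:
                self.blocked[ip] = ts + ACTIVE_RESPONSE["timeout"]
        return fired

    def is_blocked(self, ip, now):
        return ip in self.blocked and now < self.blocked[ip]

def run(lines=SAMPLE_LOG):
    """Feed every line through the engine and return it for inspection."""
    engine = Engine(RULES)
    for line in lines:
        engine.process(line)
    return engine

if __name__ == "__main__":
    for rule_id, level, ip, url in run().alerts:
        print(f"rule {rule_id} level {level} srcip {ip} url {url}")
```

The third 404 from 203.0.113.7 promotes the alert from the level-5 base rule to the level-10 composite rule, and only that rule id is wired to the simulated drop, which mirrors how the thread binds `firewall-drop` to a single `<rules_id>`; the block expires after the timeout rather than staying in place for ever.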
This topic has been closed.