Upgrading to version 3.3.0 from earlier release

[Buddha Man]

I have some questions:

Do changes need to be made to config files to activate or utilize the new rules/decoders related to rootcheck, last root login, active response, PCRE2 reg ex engine, etc  in the new version?

If yes, what are the recommended settings and how should each rule be utilized? 

How are folks using active response be used on endpoints to fend off potential attacks? 

Thanks,

[dan (ddp)]

On Tue, May 28, 2019 at 3:59 PM Buddha Man <namobud...@gmail.com> wrote:
>
> I have some questions:
>
> Do changes need to be made to config files to activate or utilize the new rules/decoders related to rootcheck, last root login, active response, PCRE2 reg ex engine, etc in the new version?
>

rootcheck: It doesn't look like all of the audit files are added to
the configuration, so you may have to add them manually.
I'll have to look at the installation templates to see if they're
present on new installs, but there isn't a built-in way to update them
during upgrades.

active-response: I don't think anything changed beyond maybe a script
update. The scripts will be updated, so those changes should be used
by default.

PCRE2: I don't think there is anything using it in 3.3, but you may
have to run contrib/ossec-pcre2-config.pl on the OSSEC server.

> If yes, what are the recommended settings and how should each rule be utilized?
>
> How are folks using active response be used on endpoints to fend off potential attacks?
>
> Thanks,
>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/c79b2828-767e-43c5-a290-a0bcba3980a9%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.