On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz <
tahir...@gmail.com> wrote:
> Thanks I found the link earlier on.
>
> I have read through the document but I am not sure how to do the tests
> (using Ubuntu 14.04 LTS).
> I have downloaded the OSSEC version that we are using (2.8.2):
> wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
>
> I have unpacked the tarball, moved the ossec-testing directory that was in
> the tarball to /var/ossec/contrib, and then changed my working directory to
> that directory.
> I have started the tests by executing as root:
> python runtests.py
>
> I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts going
> off there.
>
It does not create alerts. It uses ossec-logtest to see if the log
messages produce the expected result.
If you do not see ossec-logtest output, everything is working as expected.
> Also, in my ossec-testing/tests directory I can only see two test files:
> named.ini
> sshd.ini
>
> Should there not be more? As in as many as the number of rules files.
> I am just not sure how to run the runtests.py and have more .ini test files
> and have the alerts showing in /var/ossec/logs/alerts/alerts.log.
>
Should there be more? Of course. But these tests aren't free. They take
time and effort.
Looks like there's 25 in the current development source, but they're
underpopulated.
I'm guessing I just hadn't done much with them back when 2.8.2 was
finalized. It's a semi-new feature
that I only recently began to properly appreciate.
If you want more tests, I can think of 3 options:
1. Do the work yourself. (and consider contributing back if you do)
2. Provide me with log samples.
3. Provide me with time.
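As an added offline illustration of what the reply describes (this is not OSSEC's own runtests.py): a small Python 3 harness that reads an .ini test section in the style of ossec-testing/tests/sshd.ini, pipes each log line through ossec-logtest, and compares the decoder, rule id and alert level it reports against the expected values. The ossec-logtest path, the ini layout and the sample tool output are assumptions constructed for this example; check them against the files in your 2.8.2 tarball.

```python
import configparser
import re
import subprocess

LOGTEST = "/var/ossec/bin/ossec-logtest"  # assumed install path of the real tool

# Constructed test definition, written in the style of ossec-testing/tests/sshd.ini.
SAMPLE_INI = """
[sshd: invalid user]
log 1 pass = Dec 30 06:53:47 fish sshd[13253]: Invalid user tester from 10.98.49.22
rule = 5710
alert = 5
decoder = sshd
"""

# Constructed ossec-logtest output for that line, following the tool's phase layout.
SAMPLE_LOGTEST_OUTPUT = """
**Phase 1: Completed pre-decoding.
       program_name: 'sshd'
**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '10.98.49.22'
**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
**Alert to be generated.
"""

def parse_logtest(output):
    """Extract decoder, rule id and alert level from ossec-logtest's output."""
    def grab(pattern):
        m = re.search(pattern, output)
        return m.group(1) if m else None
    return {"decoder": grab(r"decoder: '([^']*)'"),
            "rule": grab(r"Rule id: '(\d+)'"),
            "alert": grab(r"Level: '(\d+)'")}

def run_logtest(line):
    """Pipe one log line through the real ossec-logtest (run as root on the OSSEC host)."""
    proc = subprocess.run([LOGTEST], input=line + "\n", capture_output=True, text=True)
    return proc.stdout + proc.stderr

def run_tests(ini_text, logtest=run_logtest):
    """Return {section: [mismatch descriptions]}; an empty list means the test passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    results = {}
    for name in cfg.sections():
        sec, mismatches = cfg[name], []
        for key, line in sec.items():
            if not key.startswith("log "):   # only 'log N pass = ...' keys hold samples
                continue
            actual = parse_logtest(logtest(line))
            for field in ("decoder", "rule", "alert"):
                if field in sec and actual[field] != sec[field]:
                    mismatches.append("%s: %s expected %s got %s" % (key, field, sec[field], actual[field]))
        results[name] = mismatches
    return results

if __name__ == "__main__":
    # Offline run against the constructed output; drop the lambda to use the real tool.
    print(run_tests(SAMPLE_INI, lambda line: SAMPLE_LOGTEST_OUTPUT))
```

Nothing here writes to alerts.log: as the reply says, the harness only checks what ossec-logtest reports for each sample line, so silence means every section matched.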