OSSEC Signature Update Frequency


Matthew Casperson

Nov 2, 2016, 12:03:03 PM
to ossec-list
I've been trying to track down where it details how often signatures are updated for OSSEC.  Are new signatures part of each version?  E.g. if I am on 2.8.2 and want to have the most up to date signatures would I have to upgrade to the current version of OSSEC or are signatures updated independent of new version releases?  Help greatly appreciated.

Matt

dan (ddp)

Nov 2, 2016, 12:03:51 PM
to ossec...@googlegroups.com
The rules are currently updated with releases.

> Matt

Jesus Linares

Nov 4, 2016, 4:43:58 AM
to ossec-list
Hi Matthew,

Wazuh has a repository for decoders, rules, rootchecks, etc. Almost all decoders/rules should work in every OSSEC version, except some of them that use new features. I recommend you create a backup of OSSEC, then update the rules using the script. Some rules will fail, so replace them with the proper backup. In this way you will have the most up to date "signatures".

Regards.

Jesus Linares

Nov 4, 2016, 6:25:15 AM
to ossec-list
Hi Matthew,

I just remembered that the script only works with the new release of Wazuh. Anyway, you can do it manually:
  1. Back up your current installation.
  2. Copy ossec-rules/decoders/ to /var/ossec/etc/decoders.
  3. Copy ossec-rules/rules/ to /var/ossec/rules.
  4. Copy ossec-rules/rootchecks to /var/ossec/etc/shared.
  5. Use this configuration in your ossec.conf (if you do not use local_decoder.xml, you can remove that line).
  6. Restart OSSEC. You will see some errors (some rules/decoders are not compatible). So, replace the non-compatible rules with the backup rules.
Of course, you can do the "same" procedure from OSSEC-HIDS, but Wazuh is making a great effort to centralize, test and maintain decoders and rules submitted by Open Source contributors and to create new ones.

Regards.
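The manual procedure above (back up, copy the three directories over, restart, then roll back whatever fails to load), written out as a POSIX shell script. This is an added example, not a script from the thread or from the Wazuh/OSSEC projects. It assumes a local checkout of the ossec-rules repository laid out as `decoders/`, `rules/` and `rootchecks/`, an OSSEC root of `/var/ossec` (so `bin/ossec-control` and `logs/ossec.log` live under it), and that a failed load shows up in `ossec.log` as an `ERROR` line naming the offending file in single quotes; the sample log lines in the demo are constructed in that shape, not copied from a real install. Step 5 (the ossec.conf change) is not reproduced in the thread, so the script leaves it to the administrator.

```shell
#!/bin/sh
# Added example (not from the thread): back up the current OSSEC ruleset,
# overlay the ossec-rules checkout, restart, and roll back the rules/decoders
# that OSSEC refused to load. Paths and log format are assumptions (see lead-in).
set -eu

# Step 1: archive the three directories the procedure overwrites. The archive is
# relative to the OSSEC root so single files can be restored into it later.
# All three directories must exist, which they do on a standard install.
backup_ruleset() {
    ossec_root="$1"; backup_dir="$2"
    mkdir -p "$backup_dir"
    archive="$backup_dir/ossec-ruleset-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$archive" -C "$ossec_root" etc/decoders rules etc/shared
    echo "$archive"
}

# Steps 2-4: copy decoders, rules and rootchecks into place (existing files are overwritten).
install_ruleset() {
    repo="$1"; ossec_root="$2"
    mkdir -p "$ossec_root/etc/decoders" "$ossec_root/rules" "$ossec_root/etc/shared"
    cp -R "$repo/decoders/." "$ossec_root/etc/decoders/"
    cp -R "$repo/rules/." "$ossec_root/rules/"
    cp -R "$repo/rootchecks/." "$ossec_root/etc/shared/"
}

# Step 6, first half: list (once each) the rule/decoder files named in ERROR lines.
# Assumption: the failing file appears single-quoted and under rules/ or decoders/.
failed_files() {
    logfile="$1"
    grep -E 'ERROR' "$logfile" | grep -oE "'[^']*(rules|decoders)/[^']*'" | tr -d "'" | sort -u
}

# Step 6, second half: put the backed-up copy of one file back. A file that did not
# exist before the update has no backup copy, so it is removed rather than left broken.
restore_file() {
    archive="$1"; ossec_root="$2"; relpath="$3"
    if tar -tf "$archive" "$relpath" >/dev/null 2>&1; then
        tar -xf "$archive" -C "$ossec_root" "$relpath"
        echo "restored $relpath from backup"
    else
        rm -f "$ossec_root/$relpath"
        echo "removed $relpath (no backup copy)"
    fi
}

# Offline walk-through on a throwaway tree with a constructed ossec.log.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ossec/etc/decoders" "$t/ossec/rules" "$t/ossec/etc/shared" "$t/ossec/logs"
    mkdir -p "$t/repo/decoders" "$t/repo/rules" "$t/repo/rootchecks"
    echo '<group name="old"/>' > "$t/ossec/rules/sshd_rules.xml"
    echo '<group name="new"/>' > "$t/repo/rules/sshd_rules.xml"
    echo '<group name="new"/>' > "$t/repo/rules/extra_rules.xml"
    echo '<decoder name="new"/>' > "$t/repo/decoders/sshd_decoder.xml"
    echo 'rootcheck' > "$t/repo/rootchecks/cis.txt"
    archive=$(backup_ruleset "$t/ossec" "$t/backup")
    install_ruleset "$t/repo" "$t/ossec"
    # Constructed log lines standing in for what a failed load writes to ossec.log.
    printf '%s\n' \
      "2016/11/04 10:00:02 ossec-analysisd: ERROR: Error loading the rules: 'rules/sshd_rules.xml'." \
      "2016/11/04 10:00:02 ossec-analysisd: ERROR: Error reading XML file 'etc/decoders/sshd_decoder.xml'." \
      > "$t/ossec/logs/ossec.log"
    for f in $(failed_files "$t/ossec/logs/ossec.log"); do
        restore_file "$archive" "$t/ossec" "$f"
    done
    rm -rf "$t"
}

# Usage:  sh update_ruleset.sh /path/to/ossec-rules /var/ossec    (real run)
#         sh update_ruleset.sh --demo                             (offline demo)
case "${1:-}" in
    --demo) demo ;;
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *)  [ "$#" -eq 2 ] || { echo "usage: $0 <ossec-rules checkout> <ossec root> | --demo" >&2; exit 1; }
        archive=$(backup_ruleset "$2" "$2/backup")
        echo "backup written to $archive"
        install_ruleset "$1" "$2"
        # Step 5 (ossec.conf changes) is done by hand before this restart.
        "$2/bin/ossec-control" restart
        failed_files "$2/logs/ossec.log" ;;
esac
```

The backup is taken before anything is copied, and `restore_file` is driven by the log rather than by guesswork, so the rollback touches only the files OSSEC actually rejected; rules that were new in the checkout and loaded fine are kept.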

dan (ddp)

Nov 4, 2016, 9:07:57 AM
to ossec...@googlegroups.com
On Fri, Nov 4, 2016 at 6:25 AM, Jesus Linares <je...@wazuh.com> wrote:
> Hi Matthew,
>
> Of course, you can do the "same" procedure from OSSEC-HIDS, but Wazuh is
> making a great effort to centralize, test and maintain decoders and rules
> submitted by Open Source contributors and to create new ones.
>

Wow, just wow.