[ossec-list] Re: How are rules enacted?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: How are rules enacted?
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 16 Oct 2007 23:28:28 -0300
- Cc: johnhinton@xxxxxxxxxxxxxx
Hi John,
Rick explained it well, just edit your rules at local_rules.xml and restart the server when done. Nothing needs to be restarted at the agent side. As for writing your own rules, the following document can be very helpful:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/12/07, John Hinton <johnhinton@xxxxxxxxxxxxxx> wrote:
>
> I have set up a server/agents system. These are on CentOS systems so it
> would be equivalent to RedHat EL servers.
>
> I'm wondering what needs to be done upon the edit of a rule.
>
> Does the server need to be restarted? Does each of the agents need to be
> restarted? Do the server and all of the agents need to be restarted?
> Or, does the rule go into effect at the time of the edit or maybe
> something is set to reread the rules at some time afterwards?
>
> Yes, I'm experimenting with rules and am trying to figure out if I have
> an 'order' situation, where one rule steps in before my new rule is
> enacted.... which will likely be the topic of my next post after knowing
> the answer to this.
>
> Thanks for a great program!
>
> Best,
> John Hinton
>
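Added example, not part of the original thread and not OSSEC project code: since edits to local_rules.xml only take effect when the server is restarted, this sketch checks the file before that restart. The function name `lint_local_rules` and the sample rule are hypothetical, the 100000-119999 range for user-defined rule IDs is assumed from the OSSEC documentation, and the strict XML parser used here may differ from OSSEC's own reader.

```python
import xml.etree.ElementTree as ET

# Assumption: the OSSEC documentation reserves IDs 100000-119999 for
# user-defined rules; adjust if your version documents a different range.
LOCAL_ID_RANGE = range(100000, 120000)

# Constructed sample content for local_rules.xml (not from the thread).
SAMPLE = """
<!-- Local rules (constructed sample) -->
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5710</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Ignore sshd alerts from an internal scanner.</description>
  </rule>
</group>
"""

def lint_local_rules(text):
    """Return a list of problems found in the text of a rules file."""
    # A rules file may hold several top-level <group> elements, so wrap it
    # in a synthetic root before giving it to a strict XML parser.
    try:
        root = ET.fromstring("<rules_file>" + text + "</rules_file>")
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    problems, seen = [], set()
    for rule in root.iter("rule"):
        rid, level = rule.get("id", ""), rule.get("level", "")
        # overwrite="yes" deliberately reuses the ID of a stock rule.
        overwrite = rule.get("overwrite") == "yes"
        if not rid.isdecimal():
            problems.append(f"rule id {rid!r} is not a number")
            continue
        if not overwrite and int(rid) not in LOCAL_ID_RANGE:
            problems.append(f"rule {rid} is outside the local ID range")
        if not overwrite and rid in seen:
            problems.append(f"rule {rid} is defined twice")
        seen.add(rid)
        if not level.isdecimal():
            problems.append(f"rule {rid} has no numeric level")
    return problems

if __name__ == "__main__":
    for problem in lint_local_rules(SAMPLE) or ["no problems found"]:
        print(problem)
```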