I am new to OSSEC and cyber security in general and would like to understand it a bit better. OSSEC provides so-called "Rule Groups" that alerts get assigned to, and I would like to understand those groups a bit better.

https://www.ossec.net/docs/docs/manual/rules-decoders/rule-levels.html#rules-group

Some of the 12 groups are pretty straightforward and do not need any explanation of what kind of alert gets assigned to the group. However, I do not know what the following groups mean:

attacks
adduser
sshd
ids
firewall
squid
apache
syslog

Maybe someone of you knows that and could help me out or give me something to read! I tried to google it but didn't find anything helpful.

0xDr0id
  • Half of those things are easily searchable. Are you saying that you don't know what `squid` is, for instance? – schroeder Jul 09 '20 at 11:29
  • Yeah, this goes in the right direction. For example, what type of alerts does OSSEC assign to the group "attacks"? – 0xDr0id Jul 09 '20 at 11:36

1 Answer

Here's a brief explanation regarding the kind of alerts assigned to each group:

attacks: Events associated with attacker activity (brute force and code injection attempts for example).

adduser: New accounts created in the system.

sshd: Events associated with the Secure Shell daemon (for remote access to a terminal on Linux machines).

ids: Alerts from Intrusion Detection Systems.

firewall: Events from firewall software or hardware.

squid: Events from the Squid proxy.

apache: Events from the Apache web server.

syslog: Syslog messages from various sources (this can be software, network devices or other syslog producing sources).

Sandra
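To make the answer concrete: a group is simply a label that the rule author attaches to a rule, either through the enclosing `<group name="...">` wrapper or the rule's own `<group>` tag, and other rules or ossec.conf can then match on that label. The following local_rules.xml fragment is an added illustration, not code from the original answer or from the OSSEC project; the rule ids (100100-100102, in OSSEC's local range), the subnet and the e-mail address are assumptions.

```xml
<!-- local_rules.xml: added illustration, not from the original answer.
     Rule ids 100100-100102 are assumed (local range is 100000-109999). -->
<group name="local,syslog,sshd,">

  <!-- A rule belongs to every group in its enclosing <group name="..."> plus
       any it lists in its own <group> tag, so this alert shows up under
       "syslog", "sshd" and "authentication_failed". -->
  <rule id="100100" level="5">
    <decoded_as>sshd</decoded_as>
    <match>Failed password for invalid user</match>
    <description>sshd: login attempt for a non-existent account.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: 8 such failures from one source IP within 120 seconds.
       Listing "attacks" here is what places the alert in that group; OSSEC
       does not infer it, the rule author assigns it. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute-force attempt from a single source.</description>
    <group>attacks,authentication_failures,</group>
  </rule>

  <!-- <if_group> matches on the groups of the rule that already fired, so
       this escalates anything tagged "attacks" by any rule file when the
       source is the management network (placeholder subnet). -->
  <rule id="100102" level="12">
    <if_group>attacks</if_group>
    <srcip>10.0.0.0/24</srcip>
    <description>Attack activity originating from the management network.</description>
  </rule>
</group>

<!-- ossec.conf: the same labels drive alert routing. This block mails only
     alerts that carry the "attacks" group at level 10 or above (address is
     a placeholder). -->
<email_alerts>
  <email_to>soc@example.invalid</email_to>
  <group>attacks</group>
  <level>10</level>
</email_alerts>
```

Check the result with `/var/ossec/bin/ossec-logtest` (feed it a sample sshd "Failed password" line) and confirm the groups printed for the matched rule include the ones assigned above.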