Rules

Rules compare log messages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.

rule

Each rule begins by defining certain settings:

  • level

This defines the severity of the rule. Valid levels are 0-16.

  • id

A unique identification number for the rule.

  • maxsize

Specifies the maximum size of the event. The valid range is 1-99999

  • frequency

Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.

Note

More information about how frequency is counted can be found in this thread.

  • timeframe

The timeframe in seconds. This option is intended to be used with the frequency option.

  • ignore

The time (in seconds) to ignore this rule after firing it (to avoid floods).

  • overwrite

Used to supersede an OSSEC rule with local changes. This is useful to change the level or other options of rules included with OSSEC.

  • noalert

Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in an <if_sid> configuration.

match

A simple string comparison.

regex

This option uses the OSSEC regex syntax for comparisons.

pcre2

The pcre2 option utilizes OSSEC’s pcre2 support. Refer to the pcre2 page for information on the syntax.

decoded_as

Define a decoder that must be matched for the rule comparison to continue.

category

The decoded category to match (ids, syslog, firewall, web-log, squid or windows).

srcip

Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.

dstip

Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.

extra_data

Any string that is decoded into the extra_data field.

user

Any username (decoded as the username).

program_name

Program name is decoded from syslog process name.

hostname

Any hostname (decoded as the syslog hostname) or log file.

time

Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used: <time>6 am - 6 pm</time>

weekday

Specify a weekday on which the event was generated. Multiple entries can be separated by commas.

id

Any ID (decoded as the ID).

url

Any string decoded into the url field.

if_sid

Matches if the rule with the given ID has matched. This is used to create children of other rules.

if_group

Matches if the group has matched before. This can be used to create children of other rules.

if_level

Matches if the level has matched before.

if_matched_sid

Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

Note

Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.

if_matched_group

Matches if an alert of the defined group has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

same_id

Specifies that the decoded id must be the same. This option is used in conjunction with frequency and timeframe.

same_source_ip

Specifies that the decoded source ip must be the same. This option is used in conjunction with frequency and timeframe.

same_source_port

Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.

same_dst_port

Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.

same_location

Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.

same_user

Specifies that the decoded user must be the same. This option is used in conjunction with frequency and timeframe.
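The following rule pair is an added example, not part of the OSSEC documentation, showing how if_matched_sid, same_source_ip, frequency, timeframe, ignore and no_log fit together. It assumes the events arrive via syslog with the program name "myapp" (a placeholder); the rule ids are chosen from the range OSSEC reserves for local rules.

```xml
<!-- Added example (not from the OSSEC documentation). The rule ids and the
     "myapp" program name are placeholders chosen for this illustration. -->
<group name="local,myapp,">

  <!-- Parent rule: a single authentication failure logged by "myapp".
       A level-0 rule would be discarded before the if_matched_* logic
       could see it, so this rule stays at level 1 and uses no_log to
       keep the individual failures out of the alert log. -->
  <rule id="100010" level="1">
    <program_name>myapp</program_name>
    <match>authentication failure for user</match>
    <options>no_log</options>
    <description>myapp: single authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: fires once rule 100010 has matched from the same
       source IP enough times inside the 120-second timeframe (with
       frequency="8" that is 10 matches, since the trigger count is two more
       than the setting). ignore="60" suppresses re-firing for 60 seconds so
       a burst of failures produces one alert rather than one per event. -->
  <rule id="100011" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>myapp: repeated authentication failures from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

The child rule carries the group authentication_failures, so an active response or a further rule using if_matched_group can build on it without referencing the id directly.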

description

The rule description.

list

Perform a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find keys within two seeks of the file.

  • field

    Field that is used as the key to look up in the CDB file:

    • Value: srcip
    • Value: srcport
    • Value: dstip
    • Value: dstport
    • Value: extra_data
    • Value: user
    • Value: url
    • Value: id
    • Value: hostname
    • Value: program_name
    • Value: status
    • Value: action
  • lookup

    This is the type of lookup that is performed:

    • Value: match_key

      • Positive key match: field is the key to search within the cdb and will match if the key is present.
      • This is the default if no lookup is specified.
    • Value: not_match_key

      • Negative key match: field is the key to search and will match if it IS NOT present in the database.
    • Value: match_key_value

      • Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

    • Value: address_match_key

      • Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.
    • Value: not_address_match_key

      • Negative key match: field is an IP address and the key to search and will match if it IS NOT present in the database.
    • Value: address_match_key_value

      • Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

  • check_value

    • regex pattern for matching on the value pulled out of the cdb when using the lookup types address_match_key_value and match_key_value.

The text content of the list element is the path to the CDB file to be used for the lookup, relative to the OSSEC directory. This file must also be included in the ossec.conf file.

Example:

<rule id="100000" level="7">
    <list lookup="match_key" field="srcip">path/to/list/file</list>
    <description>Checking srcip against cdb list file</description>
</rule>

info

Extra information may be added to an alert using info. The type must be specified using one of the following options:

  • type

    • Value: text

      This is the default when no type is selected. Just used for additional information about the alert/event.

    • Value: link

      Link to more information about the alert/event.

    • Value: cve

      The CVE Number related to this alert/event.

    • Value: osvdb

      The osvdb id related to this alert/event.

Example:

<rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <info type="link">http://ossec.net/wiki/Rule:205</info>
    <info type="cve">2009-1002</info>
    <info type="osvdb"> 61509</info>
    <info type="text">Internal Why we are running this run in our company</info>
    <info>Type text is the default</info>
</rule>

options

Additional rule options:

  • alert_by_email

    Always alert by email.

    • Example: <options>alert_by_email</options>
  • no_email_alert

    Never alert by email.

    • Example: <options>no_email_alert</options>
  • no_log

    Do not log this alert.

    • Example: <options>no_log</options>

check_diff

Used to determine when the output of a command changes.

group

Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.