Rules¶
Rules compare log messages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.
rule¶
Each rule begins by defining certain settings
- level
This defines the severity of the rule. Valid levels are 0-16.
- id
A unique identification number for the rule.
- maxsize
Specifies the maximum size of the event. The valid range is 1-99999.
- frequency
Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
Note
More information about how frequency is counted can be found in this thread.
- timeframe
The timeframe in seconds. This option is intended to be used with the frequency option.
- ignore
The time (in seconds) to ignore this rule after firing it (to avoid floods).
- overwrite
Used to supersede an OSSEC rule with local changes. This is useful to change the level or other options of rules included with OSSEC.
- noalert
Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in an <if_sid> configuration.
match¶
A simple string comparison.
regex¶
This option uses the OSSEC regex syntax for comparisons.
pcre2¶
The pcre2 option utilizes OSSEC’s pcre2 support. Refer to the pcre2 page for information on the syntax.
decoded_as¶
Define a decoder that must be matched for the rule comparison to continue.
category¶
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
srcip¶
Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.
dstip¶
Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.
extra_data¶
Any string that is decoded into the extra_data field.
user¶
Any username (decoded as the username).
program_name¶
Program name is decoded from syslog process name.
hostname¶
Any hostname (decoded as the syslog hostname) or log file.
time¶
Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used: <time>6 am - 6 pm</time>
weekday¶
Specify a week day that the event was generated. Multiple entries can be separated by commas.
id¶
Any ID (decoded as the ID).
url¶
Any string decoded into the url field.
if_sid¶
Matches if the rule ID has matched. This is used to create children to other rules.
if_group¶
Matches if the group has matched before. This can be used to create children of other rules.
if_level¶
Matches if the level has matched before.
if_matched_sid¶
Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
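An added example, not part of the OSSEC documentation or code base, that checks a rules file against the limits stated above (level 0-16, maxsize 1-99999, timeframe paired with frequency) and flags if_matched_sid references to level-0 rules, which the note explains are discarded before correlation; the rule ids and sample XML are constructed, and check_rules and effective_trigger_count are names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules, not from the shipped rule set: 100010 is a level-0 helper that
# 100011 tries to correlate on, and 100012 breaks the level range and the timeframe rule.
SAMPLE_RULES = """<group name="local,">
  <rule id="100010" level="0">
    <match>Failed password</match>
    <description>Helper: failed login (should be level 1 with no_log)</description>
  </rule>
  <rule id="100011" level="10" frequency="5" timeframe="120" maxsize="0">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Repeated failed logins from one source</description>
  </rule>
  <rule id="100012" level="20" timeframe="60">
    <match>foo</match>
    <description>Bad level and timeframe without frequency</description>
  </rule>
</group>"""

def check_rules(xml_text):
    """Return (rule id, problem) pairs for rules that violate the documented limits."""
    rules = list(ET.fromstring(xml_text).iter("rule"))
    levels = {r.get("id"): int(r.get("level", "0")) for r in rules}
    problems, seen = [], set()
    for r in rules:
        rid = r.get("id")
        if rid is None or rid in seen:
            problems.append((rid, "missing or duplicate id"))
            continue
        seen.add(rid)
        if not 0 <= levels[rid] <= 16:
            problems.append((rid, f"level {levels[rid]} outside 0-16"))
        if "maxsize" in r.attrib and not 1 <= int(r.attrib["maxsize"]) <= 99999:
            problems.append((rid, f"maxsize {r.attrib['maxsize']} outside 1-99999"))
        if "timeframe" in r.attrib and "frequency" not in r.attrib:
            problems.append((rid, "timeframe is meant to be used with frequency"))
        for ref in r.findall("if_matched_sid"):          # level-0 rules are discarded, so they never match
            target = (ref.text or "").strip()
            if levels.get(target) == 0:
                problems.append((rid, f"if_matched_sid {target} is level 0; use level 1 and <options>no_log</options>"))
    return problems

def effective_trigger_count(frequency):
    """Matches needed before a frequency="N" rule fires, per the note above (N + 2)."""
    return int(frequency) + 2
```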
if_matched_group¶
same_id¶
same_source_ip¶
same_source_port¶
same_dst_port¶
same_location¶
same_user¶
description¶
The rule description.
list¶
Perform a CDB lookup using an ossec list. This is a fast on-disk database which will always find keys within two seeks of the file.
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
- Positive key match: field is the key to search within the cdb and will match if the key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.
Value: not_address_match_key
- Negative key match: field is an IP address and the key to search and will match if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- Regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value.
The content of the list element is the path to the CDB file to be used for lookup, relative to the OSSEC directory. This file must also be included in the ossec.conf file.
Example:
<rule id="100000" level="7">
  <list lookup="match_key" field="srcip">path/to/list/file</list>
  <description>Checking srcip against cdb list file</description>
</rule>
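An added example, not OSSEC's own code, showing why a CDB list is found "within two seeks": it builds a constant database in the cdb layout (256-slot header, records, per-bucket hash tables), looks a key up the way the format prescribes, and then applies the match_key, not_match_key and match_key_value semantics described above to a decoded field value. The cdb_make, cdb_get and list_matches names and the blocklist entries are constructed here, and Python's re stands in for OSSEC's own regex engine in check_value.

```python
import re, struct

def cdb_hash(key):                                 # djb hash used by cdb: h = 5381; h = (h * 33) ^ byte
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def cdb_make(entries):
    header, records, tables, pos = bytearray(), bytearray(), bytearray(), 2048
    buckets = [[] for _ in range(256)]             # header: 256 (table position, slot count) pairs
    for k, v in entries:
        h = cdb_hash(k)
        buckets[h & 255].append((h, pos))
        records += struct.pack("<II", len(k), len(v)) + k + v
        pos = 2048 + len(records)
    for b in buckets:                              # one hash table per bucket, twice the entries in slots
        n = 2 * len(b)
        header += struct.pack("<II", pos, n)
        slots = [(0, 0)] * n
        for h, p in b:
            i = (h >> 8) % n
            while slots[i][1]:                     # linear probing on collision
                i = (i + 1) % n
            slots[i] = (h, p)
        tables += b"".join(struct.pack("<II", h, p) for h, p in slots)
        pos += 8 * n
    return bytes(header + records + tables)

def cdb_get(db, key):
    h = cdb_hash(key)
    tpos, n = struct.unpack_from("<II", db, 8 * (h & 255))   # seek 1: header slot for this bucket
    i = (h >> 8) % n if n else 0
    for _ in range(n):                                       # seek 2: probe the bucket's table
        sh, p = struct.unpack_from("<II", db, tpos + 8 * i)
        if p == 0:
            return None                                      # empty slot ends the probe
        kl, vl = struct.unpack_from("<II", db, p)
        if sh == h and db[p + 8:p + 8 + kl] == key:
            return db[p + 8 + kl:p + 8 + kl + vl]
        i = (i + 1) % n
    return None

def list_matches(db, lookup, value, check_value=None):
    v = cdb_get(db, value.encode())                # the decoded field value is the cdb key
    if lookup == "match_key_value":                # key must exist and its value must match check_value
        return v is not None and re.search(check_value, v.decode()) is not None
    return v is None if lookup == "not_match_key" else v is not None   # match_key is the default

# Constructed blocklist, as a "key:value" list file would be compiled into a cdb.
BLOCKLIST = cdb_make([(b"203.0.113.7", b"scanner"), (b"198.51.100.9", b"known-bad")])
```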
info¶
Extra information may be added to an alert using info. The type must be specified using one of the following options:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The osvdb id related to this alert/event.
Example:
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
  <info type="link">http://ossec.net/wiki/Rule:205</info>
  <info type="cve">2009-1002</info>
  <info type="osvdb">61509</info>
  <info type="text">Internal Why we are running this run in our company</info>
  <info>Type text is the default</info>
</rule>
options¶
Additional rule options
alert_by_email
Always alert by email.
- Example: <options>alert_by_email</options>
no_email_alert
Never alert by email.
- Example: <options>no_email_alert</options>
no_log
Do not log this alert.
- Example: <options>no_log</options>
check_diff¶
Used to determine when the output of a command changes.
group¶
Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.