Table Of Contents

OSSEC Links

Rules Syntax

Overview

Options

rule

Defines a rule

Attributes:

  • level

    • Specifies the level of the rule. Alerts and responses use this value.
    • Allowed: Any number (0 to 16)
  • id

    • Specifies the ID of the rule.
    • Allowed: Any number from 100 to 99999
  • maxsize

    • Specifies the maximum size of the event.
    • Allowed: Any number from 1 to 99999
  • frequency

    • Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
    • Allowed: Any number from 1 to 999
    • Example: frequency=”2” would mean the rule must be matched 4 times

    Note

    More information about how frequency is counted can be found in this thread.

  • timeframe

    • The timeframe in seconds.
    • This option is intended to be used with the frequency option.
    • Allowed: Any number from 1 to 9999
  • ignore

    • The time (in seconds) to ignore this rule after firing it (to avoid floods).
    • Allowed: Any number from 1 to 9999
  • overwrite
    • Used to supercede an OSSEC rule with local changes.
    • This is useful to change the level or other options of rules included with OSSEC.
    • Allowed yes
match
regex
decoded_as
category
  • The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
  • Allowed: Any category categories
srcip
  • Any IP address or CIDR block to be compared to an IP decoded as srcip.
  • Use ”!” to negate it.
  • Allowed: Any srcip
dstip
  • Any IP address or CIDR block to be compared to an IP decoded as dstip.
  • Use ”!” to negate it.
  • Allowed: Any dstip
extra_data
  • Any string that is decoded into the extra_data field.
  • Allowed: Any string.
user
program_name
hostname
time
  • Time that the event was generated.
  • Allowed: Any time range (hh:mm-hh:mm)
  • Example: <time>6 am - 6 pm</time>
weekday
  • Week day that the event was generated.
  • Allowed: monday - sunday, weekday, weekend
id
url
if_sid
  • Matches if the ID has matched.
  • Allowed: Any rule id
if_group
  • Matches if the group has matched before.
  • Allowed: Any Group
if_level
  • Matches if the level has matched before.
  • Allowed: Any level from 1 to 16
if_matched_sid
  • Matches if an alert of the defined ID has been triggered in a set number of seconds.
  • This option is used in conjunction with frequency and timeframe.

Note

Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.

  • Allowed: Any rule id
if_matched_group
  • Matches if an alert of the defined group has been triggered in a set number of seconds.
  • This option is used in conjunction with frequency and timeframe.
  • Allowed: Any group
same_id
  • Specifies that the decoded id must be the same.
  • This option is used in conjunction with frequency and timeframe.
  • Example: <same_id />
same_source_ip
  • Specifies that the decoded source ip must be the same.
  • This option is used in conjunction with frequency and timeframe.
  • Example: <same_source_ip />
same_source_port
  • Specifies that the decoded source port must be the same.
  • This option is used in conjunction with frequency and timeframe.
  • Example: <same_source_port />
same_dst_port
  • Specifies that the decoded destination port must be the same.
  • This option is used in conjunction with frequency and timeframe.
  • Example: <same_source_port />
same_location
  • Specifies that the location must be the same.
  • This option is used in conjunction with frequency and timeframe.
  • Example: <same_location />
same_user
  • Specifies that the decoded user must be the same.
  • This option is used in conjunction with frequency an timeframe.
  • Example: <same_user />
description
  • Rule description.
  • Allowed: Any string
list

Preform a CDB lookup using an ossec list. This is a fast on disk database which will always find keys within two seeks of the file.

Attributes:

  • field

    Field that is used as the key to look up in the CDB file:

    • Value: srcip
    • Value: srcport
    • Value: dstip
    • Value: dstport
    • Value: extra_data
    • Value: user
    • Value: url
    • Value: id
    • Value: hostname
    • Value: program_name
    • Value: status
    • Value: action
  • lookup

    This is the type of lookup that is preformed:

    • Value: match_key

      • Positive key match: field is the key to search within the cdb and will match if they key is present.
      • This is the default if no lookup is specified.
    • Value: not_match_key

      • Negative key match: field is the key to search and will match if it IS NOT present in the database.
    • Value: match_key_value

      • Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

    • Value: address_match_key

      • Positive key match: field is an IP address and the key to search within the cdb and will match if they key is present.
    • Value: not_address_match_key

      • Negative key match: field is an IP address the key to search and will match if it IS NOT present in the database.
    • Value: address_match_key_value

      • Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

  • check_value

    • regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value

Allowed:

Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.

Example:

<rule id="100000" level="7">
  <list lookup="match_key" field="srcip">path/to/list/file</list>
  <description>Checking srcip against cdb list file</description>
</rule>
info

Extra information may be added through the following attributes:

Attributes:

  • type

    • Value: text

      This is the default when no type is selected. Just used for additional information about the alert/event.

    • Value: link

      Link to more information about the alert/event.

    • Value: cve

      The CVE Number related to this alert/event.

    • Value: ovsdb

      The osvdb id related to this alert/event.

Allowed: String but content is dependent on the type attribute.

Example:

<rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <info type="link">http://ossec.net/wiki/Rule:205</info>
    <info type="cve">2009-1002</info>
    <info type="osvdb"> 61509</info>
    <info type="text">Internal Why we are running this run in our company</info>
    <info>Type text is the default</info>
</rule>
options

Additional rule options

Allowed:

  • alert_by_email
    • Always alert by email.
    • Example: <options>alert_by_email</options>
  • no_email_alert
    • Never alert by email.
    • Example: <options>no_email_alert</options>
  • no_log
    • Do not log this alert.
    • Example: <options>no_log</options>
check_diff

Used to determine when the output of a command changes.

Usage: <check_diff />

Additional info: Daniel Cid has written a blog post about the feature.

group
  • Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.
Example: <group>group1, group2</group>