rule
Defines a rule.
Attributes:
level
- Specifies the level of the rule. Alerts and responses use this value.
- Allowed: Any number (0 to 16)
id
- Specifies the ID of the rule.
- Allowed: Any number from 100 to 99999
maxsize
- Specifies the maximum size of the event.
- Allowed: Any number from 1 to 99999
frequency
- Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
- Allowed: Any number from 1 to 999
- Example: frequency="2" would mean the rule must be matched 4 times
Note
More information about how frequency is counted can be found in this thread.
timeframe
- The timeframe in seconds.
- This option is intended to be used with the frequency option.
- Allowed: Any number from 1 to 9999
ignore
- The time (in seconds) to ignore this rule after firing it (to avoid floods).
- Allowed: Any number from 1 to 9999
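Putting the frequency, timeframe and ignore attributes together: the following pair of rules is an added example, not a rule from the original page or from the OSSEC ruleset; the rule ids, levels and the matched string are constructed. The base rule raises a level-5 alert on every matching event; the correlation rule refers back to it with if_matched_sid and same_source_ip, and fires only when enough matches from one source address have arrived within the timeframe.

```xml
<group name="local,authentication,">
  <!-- Base rule (constructed). Its level must be at least 1, otherwise it is
       discarded before any if_matched_ rule can count it. -->
  <rule id="100001" level="5">
    <match>authentication failure</match>
    <description>Example: single authentication failure</description>
  </rule>

  <!-- Correlation rule (constructed). frequency="4" means this rule fires on
       the 6th match of rule 100001 from the same source IP within 300 seconds
       (the trigger count is 2 more than the frequency setting, as noted
       above). After it fires, ignore="120" suppresses a repeat alert for
       120 seconds so a flood does not produce one alert per event. -->
  <rule id="100002" level="10" frequency="4" timeframe="300" ignore="120">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Example: repeated authentication failures from one source</description>
  </rule>
</group>
```

When tuning such a rule, remember that timeframe only applies in combination with frequency, and that ignore affects how often the alert is raised, not how many events are counted.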
match
regex
decoded_as
category
srcip
dstip
extra_data
user
program_name
hostname
time
Example: <time>6 am - 6 pm</time>
weekday
id
url
if_sid
if_group
if_level
if_matched_sid
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
if_matched_group
same_id
same_source_ip
same_source_port
same_dst_port
same_location
same_user
description
list
Perform a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find a key within two seeks of the file.
Attributes:
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
- Positive key match: field is the key to search within the cdb and will match if the key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and the key to search within the cdb, and will match if the key is present.
Value: not_address_match_key
- Negative key match: field is an IP address and the key to search, and will match if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- Regex pattern matched against the value pulled out of the cdb when using the lookup types address_match_key_value and match_key_value.
Allowed:
Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.
Example:
<rule id="100000" level="7">
<list lookup="match_key" field="srcip">path/to/list/file</list>
<description>Checking srcip against cdb list file</description>
</rule>
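The CDB lookup described above, as an added example that is not part of the original page and not OSSEC's own code: a minimal Python reimplementation of the cdb on-disk format (the 256-bucket header, the records, then the hash tables, using D. J. Bernstein's cdb hash), a lookup that touches the file in exactly the two places the text mentions (a hash-table slot, then the record), and an evaluation of the match_key, not_match_key and match_key_value lookup types as the page defines them. The list contents (source IPs as keys with a short label as value) are constructed sample data; in a real deployment the list file lives under the OSSEC directory and, as the page says, must also be declared in ossec.conf.

```python
"""Minimal cdb writer/reader plus OSSEC-style <list> evaluation (added example)."""
import re
import struct
from typing import List, Optional, Tuple


def cdb_hash(key: bytes) -> int:
    """cdb hash: h = 5381; for each byte h = (h * 33) ^ byte, kept to 32 bits."""
    h = 5381
    for b in key:
        h = (((h << 5) + h) ^ b) & 0xFFFFFFFF
    return h


def build_cdb(entries: List[Tuple[bytes, bytes]]) -> bytes:
    """Serialise (key, value) pairs into a cdb image.

    Layout: 2048-byte header of 256 (table_pos, table_len) pairs, then the
    records (klen, vlen, key, value), then 256 hash tables of (hash, record_pos)
    slots. Every integer is an unsigned 32-bit little-endian value.
    """
    records = bytearray()
    buckets: List[List[Tuple[int, int]]] = [[] for _ in range(256)]
    pos = 2048  # records start right after the header
    for key, value in entries:
        h = cdb_hash(key)
        buckets[h & 0xFF].append((h, pos))  # low byte picks the bucket
        rec = struct.pack("<II", len(key), len(value)) + key + value
        records += rec
        pos += len(rec)

    header = bytearray()
    tables = bytearray()
    for bucket in buckets:
        tlen = 2 * len(bucket)  # half-empty tables keep probe chains short
        header += struct.pack("<II", pos, tlen)
        slots: List[Optional[Tuple[int, int]]] = [None] * tlen
        for h, rpos in bucket:
            i = (h >> 8) % tlen
            while slots[i] is not None:  # linear probing on collision
                i = (i + 1) % tlen
            slots[i] = (h, rpos)
        for slot in slots:
            tables += struct.pack("<II", *(slot or (0, 0)))  # (0, 0) = empty
        pos += 8 * tlen
    return bytes(header) + bytes(records) + bytes(tables)


def cdb_lookup(db: bytes, key: bytes) -> Optional[bytes]:
    """Return the value for key, reading at most a hash-table slot and one record."""
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from("<II", db, (h & 0xFF) * 8)
    if tlen == 0:
        return None  # nothing was ever stored in this bucket
    i = (h >> 8) % tlen
    for _ in range(tlen):
        slot_hash, rpos = struct.unpack_from("<II", db, tpos + i * 8)  # seek 1
        if rpos == 0:
            return None  # empty slot terminates the probe chain
        if slot_hash == h:
            klen, vlen = struct.unpack_from("<II", db, rpos)  # seek 2
            start = rpos + 8
            if db[start:start + klen] == key:
                return db[start + klen:start + klen + vlen]
        i = (i + 1) % tlen
    return None


# Constructed sample list: source IPs as keys, a label as the stored value.
SAMPLE_LIST = [
    (b"10.0.0.5", b"internal scanner"),
    (b"192.0.2.10", b"partner vpn"),
    (b"198.51.100.23", b"known bad"),
]
SAMPLE_DB = build_cdb(SAMPLE_LIST)


def evaluate_list(lookup: str, field_value: str, check_value: str = "",
                  db: bytes = SAMPLE_DB) -> bool:
    """Evaluate a <list lookup="..." field="..."> check for one decoded field value."""
    value = cdb_lookup(db, field_value.encode())
    if lookup == "match_key":            # fire if the key is present
        return value is not None
    if lookup == "not_match_key":        # fire if the key is absent
        return value is None
    if lookup == "match_key_value":      # key present and value matches check_value
        return value is not None and re.search(check_value, value.decode()) is not None
    raise ValueError(f"unsupported lookup type: {lookup}")


if __name__ == "__main__":
    for ip in ("10.0.0.5", "203.0.113.9"):
        print(ip, "match_key ->", evaluate_list("match_key", ip))
```

The address_match_key variants are left out because the page does not spell out how they differ from the plain key lookups; the three implemented types follow the definitions given above directly.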
info
Extra information may be added through the following attributes:
Attributes:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The OSVDB id related to this alert/event.
Allowed: String but content is dependent on the type attribute.
Example:
<rule id="502" level="3">
<if_sid>500</if_sid>
<options>alert_by_email</options>
<match>Ossec started</match>
<description>Ossec server started.</description>
<info type="link">http://ossec.net/wiki/Rule:205</info>
<info type="cve">2009-1002</info>
<info type="osvdb"> 61509</info>
<info type="text">Internal Why we are running this run in our company</info>
<info>Type text is the default</info>
</rule>
options
Additional rule options
Allowed:
check_diff
Used to determine when the output of a command changes.
Usage: <check_diff />
group
Groups assigned here can be referenced by other rules with if_group or if_matched_group, or by alert parsing tools to categorize alerts.
Example: <group>group1, group2</group>