Directory path loading of rules and decoders

To allow whole directories of files to be loaded as decoders, lists, or rules by ossec-analysisd.

Use case

This greatly simplifies working with decoders, since there can be as many files as needed. It also makes packaging rules and decoders a simple unzip/untar and restart operation, and greatly reduces the amount of code needed to maintain the OSSEC upgrade scripts.

Details

Syntax for OSSEC

Directory loading is always done in alphabetical order of file name, much like init.d, so numeric prefixes on file names can be used to control the order of loading. Example of file names and the order in which they would be loaded:

  1. 00_sshd_rules.xml
  2. 01_local_sshd_rules.xml
  3. 99_shun_rules.xml

Directory loading

The basic format for selecting rules files is as follows. This loads all files in the rules directory whose names match the regex _rules.xml$.

<ossec_config>
    <rules>
        <rule_dir pattern="_rules.xml">rules</rule_dir>
    </rules>
</ossec_config>

The pattern attribute is optional and defaults to _rules.xml for rules loading, so this could be written as:

<ossec_config>
    <rules>
        <rule_dir>rules</rule_dir>
    </rules>
</ossec_config>

The order of the directives in ossec.conf is still respected, and a file already loaded by an earlier directive is not loaded again. In the following example 00_setup_rules.xml is always loaded first, and will NOT be loaded a second time by the rule_dir directive.

<ossec_config>
    <rules>
        <include>rules/00_setup_rules.xml</include>
        <rule_dir>rules</rule_dir>
    </rules>
</ossec_config>

For full details on the syntax, see rule_dir and decoder_dir.

Complete examples of syntax

This is an example where the decoders and rules have been broken out into subdirectories.

  • rules/
    • 00_rules_config.xml
    • 50_apache_rules.xml
    • 50_arpwatch_rules.xml
    • plugins/
      • 50_wimax_rules.xml
      • 50_wimax_decoders.xml
  • etc/
    • decoder.xml
    • local_decoder.xml

<ossec_config>
    <rules>
        <decoder>etc/decoder.xml</decoder>
        <decoder_dir>rules/plugins</decoder_dir>

        <rule>rules/00_rules_config.xml</rule>
        <rule_dir pattern=".xml$">rules/</rule_dir>
        <rule_dir>rules/plugins</rule_dir>
    </rules>
</ossec_config>
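The loading semantics described on this page (directives processed in ossec.conf order, alphabetical order within a directory, a file never loaded twice, and an optional pattern with a default) are easy to get wrong when laying out a rules tree. The script below is an added example, not part of the OSSEC documentation or source, that models those semantics so a packager can predict what ossec-analysisd will load before restarting it. It assumes that directory matching is non-recursive (the complete example above lists rules/ and rules/plugins separately), that the decoder_dir pattern defaults to _decoders.xml (the page only states the rule_dir default), that a single-file directive naming a missing file is a configuration error, and it uses Python's re module as a stand-in for OSSEC's own regex engine. The file tree and config fragment are constructed for the example.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Default directory patterns. "_rules.xml" for <rule_dir> is stated on the page;
# "_decoders.xml" for <decoder_dir> is an assumption made for this example.
DEFAULT_PATTERNS = {"rule_dir": "_rules.xml", "decoder_dir": "_decoders.xml"}
# Single-file directives and the kind of file each one names.
FILE_DIRECTIVES = {"include": "rules", "rule": "rules", "decoder": "decoders"}
DIR_DIRECTIVES = {"rule_dir": "rules", "decoder_dir": "decoders"}


def resolve_load_order(config_xml, existing_files):
    """Return {"rules": [...], "decoders": [...]} in the order the files would
    be loaded, following the page's description:
      - directives are processed in the order they appear inside <rules>,
      - a directory directive loads matching files in alphabetical order,
      - a file already loaded by an earlier directive is skipped.
    Directory matching is assumed to be non-recursive (direct children only),
    and the pattern is applied with Python's re module as an approximation of
    OSSEC's regex engine.
    """
    rules_section = ET.fromstring(config_xml).find("rules")
    if rules_section is None:
        raise ValueError("no <rules> section in ossec_config")
    files = set(existing_files)
    loaded = {"rules": [], "decoders": []}
    seen = set()

    for directive in rules_section:
        tag = directive.tag
        text = (directive.text or "").strip()
        if tag in FILE_DIRECTIVES:
            kind = FILE_DIRECTIVES[tag]
            if text not in files:
                # Assumed behaviour: an explicitly named file must exist.
                raise FileNotFoundError("%s names missing file %s" % (tag, text))
            candidates = [text]
        elif tag in DIR_DIRECTIVES:
            kind = DIR_DIRECTIVES[tag]
            directory = text.rstrip("/")
            pattern = re.compile(directive.get("pattern") or DEFAULT_PATTERNS[tag])
            # Alphabetical order of file name, so 00_ loads before 01_ before 99_.
            candidates = sorted(
                path for path in files
                if posixpath.dirname(path) == directory
                and pattern.search(posixpath.basename(path))
            )
        else:
            # Other directives (for example <list>) are outside this example's scope.
            continue

        for path in candidates:
            if path in seen:
                continue  # duplicate: already loaded by an earlier directive
            seen.add(path)
            loaded[kind].append(path)
    return loaded


# Constructed file tree and ossec.conf fragment, not taken from a real install.
EXAMPLE_FILES = [
    "etc/decoder.xml",
    "rules/00_setup_rules.xml",
    "rules/01_local_sshd_rules.xml",
    "rules/99_shun_rules.xml",
    "rules/README.txt",
    "rules/plugins/50_wimax_rules.xml",
    "rules/plugins/50_wimax_decoders.xml",
]

EXAMPLE_CONFIG = """
<ossec_config>
    <rules>
        <decoder>etc/decoder.xml</decoder>
        <decoder_dir>rules/plugins</decoder_dir>
        <include>rules/00_setup_rules.xml</include>
        <rule_dir>rules</rule_dir>
        <rule_dir>rules/plugins</rule_dir>
    </rules>
</ossec_config>
"""

if __name__ == "__main__":
    for kind, paths in resolve_load_order(EXAMPLE_CONFIG, EXAMPLE_FILES).items():
        print(kind)
        for path in paths:
            print("   ", path)
```

Running it with the constructed tree shows 00_setup_rules.xml appearing once under rules (the include directive wins and the later rule_dir skips it), README.txt never matching the default pattern, and 50_wimax_decoders.xml landing under decoders rather than rules because the two directory directives use different default patterns. Swapping the pattern to ".xml$" on the rules/ directive, as in the complete example above, is a quick way to confirm which extra files such a broad pattern would pull in.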