First, the rules with level 0 are tried, then all other rules in decreasing order of level. If the level is the same, the order follows the rules list in the /var/ossec/etc/ossec.conf file. Note that for rules which have a requirement (for example if_sid), the requirement is tried first.
rule
Defines a rule
Attributes:
level
- Specifies the level of the rule. Alerts and responses use this value.
- Allowed: Any number (0 to 16)
id
- Specifies the ID of the rule.
- Allowed: Any number from 100 to 99999
maxsize
- Specifies the maximum size of the event.
- Allowed: Any number from 1 to 99999
frequency
- Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
- Allowed: Any number from 1 to 999
- Example: frequency="2" would mean the rule must be matched 4 times
Note
More information about how frequency is counted can be found in this thread.
noalert
- Specifies whether the rule generates an alert. If it does, no further rules are tried, except the rules which name this rule in their if_sid. Setting this to 1 is useful when trying other rules is the sensible thing to do after this one matches, while its child rules (rules which name this rule in their if_sid) are not.
- Allowed: 0 or 1
- Default: 0
timeframe
- The timeframe in seconds.
- This option is intended to be used with the frequency option.
- Allowed: Any number from 1 to 9999
ignore
- The time (in seconds) to ignore this rule after firing it (to avoid floods).
- Allowed: Any number from 1 to 9999
overwrite
- Used to supersede an OSSEC rule with local changes.
- This is useful to change the level or other options of rules included with OSSEC.
- Allowed: yes
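The following local_rules.xml fragment is an added example, not part of the OSSEC documentation, exercising the rule attributes listed above (level, id, maxsize, noalert, ignore, overwrite). It assumes that rule 5710 is the stock sshd "non-existent user" rule (a child of 5700) shipped with OSSEC; the 100xxx rule IDs and the "myapp" decoder name are constructed for this example.

```xml
<!-- Added example (not from the OSSEC documentation). Assumes the stock
     sshd rule 5710 exists; 100xxx IDs and the "myapp" decoder are made up. -->
<group name="local,">

  <!-- overwrite="yes" replaces the stock rule entirely, so its own
       conditions (if_sid, match) must be restated here. The level is raised
       above the stock value and ignore="60" suppresses repeats of this alert
       for 60 seconds to avoid floods. -->
  <rule id="5710" level="8" overwrite="yes" ignore="60">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user (local override).</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

  <!-- level="0" rules are tried first. With noalert="1" this rule never
       alerts by itself; it only groups myapp events so that child rules can
       hang off it with if_sid. -->
  <rule id="100000" level="0" noalert="1">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>

  <!-- maxsize: the rule matches only events at least this many bytes long,
       which is how oversized or malformed messages are singled out. -->
  <rule id="100001" level="4" maxsize="1025">
    <if_sid>100000</if_sid>
    <description>myapp: unusually large message (possible log tampering).</description>
  </rule>

</group>
```

Because overwrite replaces the whole rule, a local override that omits the original if_sid or match would silently change what the rule matches; copy the stock conditions first and then change only the level or options you need.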
match
- Any string to match against the log event.
- Allowed: Any OS_Match/sregex Syntax
regex
- Any regex to match against the log event.
- Allowed: Any OS_Regex/regex Syntax
pcre2
- A string using the pcre2 syntax to match a log message.
- Allowed: Any pcre2 valid string
decoded_as
- Any decoder name (see Decoders Syntax)
- Allowed: Any decoder name
category
- The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
- Allowed: Any of the categories listed above
srcip
- Any IP address or CIDR block to be compared to an IP decoded as srcip.
- Use "!" to negate it.
- Allowed: Any srcip
dstip
- Any IP address or CIDR block to be compared to an IP decoded as dstip.
- Use "!" to negate it.
- Allowed: Any dstip
extra_data
- Any string that is decoded into the extra_data field.
- Allowed: Any string.
user
- Any username (decoded as the username).
- Allowed: any OS_Match/sregex Syntax
program_name
- Program name is decoded from syslog process name.
- Allowed: any OS_Match/sregex Syntax
hostname
- Any hostname (decoded as the syslog hostname) or log file.
- Allowed: any OS_Match/sregex Syntax
time
- Time that the event was generated.
- Allowed: Any time range (hh:mm-hh:mm)
- Example:
<time>6 am - 6 pm</time>
weekday
- Week day that the event was generated. Multiple entries can be separated by commas.
- Allowed: monday - sunday, weekdays, weekends
id
- Any ID (decoded as the ID).
- Allowed: any OS_Match/sregex Syntax
url
- Any URL (decoded as the URL).
- Allowed: any OS_Match/sregex Syntax
if_sid
- Matches if the ID has matched.
- Allowed: Any rule id
if_group
- Matches if the group has matched before.
- Allowed: Any Group
if_level
- Matches if the level has matched before.
- Allowed: Any level from 1 to 16
if_matched_sid
- Matches if an alert of the defined ID has been triggered in a set number of seconds.
- This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
- Allowed: Any rule id
if_matched_group
same_id
same_source_ip
same_source_port
same_dst_port
same_location
same_user
description
- Rule description.
- Allowed: Any string
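The following local_rules.xml fragment is an added example, not part of the OSSEC documentation, showing the child elements above working together: if_sid chaining, regex and match, srcip negation, time and weekday, and a frequency/timeframe correlation built on if_matched_sid and same_source_ip. It assumes a custom decoder named "myapp" that extracts srcip; the rule IDs, log strings and the 192.0.2.0/24 administrator range are constructed for this example.

```xml
<!-- Added example (not from the OSSEC documentation). Assumes a decoder
     named "myapp" that extracts srcip; IDs, strings and IP ranges are made up. -->
<group name="local,myapp,">

  <!-- Base rule: OS_Regex syntax in <regex>; \S+ matches the user name. -->
  <rule id="100201" level="5">
    <decoded_as>myapp</decoded_as>
    <regex>authentication failed for user \S+</regex>
    <group>authentication_failed,</group>
    <description>myapp: failed login.</description>
  </rule>

  <!-- Child via if_sid; "!" negates srcip, so this fires only for failures
       coming from outside the administrator network. -->
  <rule id="100202" level="7">
    <if_sid>100201</if_sid>
    <srcip>!192.0.2.0/24</srcip>
    <description>myapp: failed login from outside the admin network.</description>
  </rule>

  <!-- Correlation: if_matched_sid + frequency + timeframe + same_source_ip.
       Per the frequency note above, frequency="6" means the rule fires on
       the 8th failure from one source IP within 120 seconds; ignore="300"
       then silences it for 5 minutes. Rule 100201 is level 5, which satisfies
       the "level must be at least 1" requirement for if_matched_sid. -->
  <rule id="100203" level="10" frequency="6" timeframe="120" ignore="300">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <group>authentication_failures,</group>
    <options>alert_by_email</options>
    <description>myapp: possible brute-force attack (repeated failed logins).</description>
  </rule>

  <!-- time and weekday conditions are ANDed: a successful login at night
       on a weekend is worth a human look. -->
  <rule id="100204" level="6">
    <decoded_as>myapp</decoded_as>
    <match>login successful</match>
    <time>6 pm - 6 am</time>
    <weekday>weekends</weekday>
    <description>myapp: successful login on a weekend outside business hours.</description>
  </rule>

</group>
```

Rule 100203 correlates on 100201 rather than 100202 so that failures from inside the admin network count toward the threshold too; correlate on the narrower rule instead if only external sources should be counted.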
list
Perform a CDB lookup using an ossec list. This is a fast on-disk database which will always find keys within two seeks of the file.
Attributes:
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
- Positive key match: field is the key to search within the cdb and will match if the key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.
Value: not_address_match_key
- Negative key match: field is an IP address and the key to search and will match if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value
Allowed:
Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.
Example:
<rule id="100000" level="7">
  <list lookup="match_key" field="srcip">path/to/list/file</list>
  <description>Checking srcip against cdb list file</description>
</rule>
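The following is an added example, not part of the OSSEC documentation, showing the two halves of a CDB lookup that the text above describes: registering the list files in ossec.conf and using them from rules, once as a denylist (address_match_key) and once as an allowlist (not_address_match_key). It assumes plain-text source lists under the OSSEC directory with one "key:value" line per entry, compiled to CDB with /var/ossec/bin/ossec-makelists, and that authentication_success is a group set by the stock authentication rules; the list names, IP addresses (documentation ranges) and rule IDs are constructed.

```xml
<!-- Added example (not from the OSSEC documentation). Assumed source lists,
     one "key:value" entry per line, compiled with ossec-makelists:
       lists/blocked-ips   e.g.  203.0.113.7:known scanner
       lists/admin-hosts   e.g.  192.0.2.10:jump host
     List names, addresses and rule IDs are made up for this example. -->

<!-- 1. /var/ossec/etc/ossec.conf: paths are relative to the OSSEC directory. -->
<ossec_config>
  <rules>
    <list>lists/blocked-ips</list>
    <list>lists/admin-hosts</list>
  </rules>
</ossec_config>

<!-- 2. local_rules.xml -->
<group name="local,cdb,">

  <!-- Denylist: fires when the decoded srcip is a key in blocked-ips. -->
  <rule id="100300" level="10">
    <list field="srcip" lookup="address_match_key">lists/blocked-ips</list>
    <description>Event from an address on the blocked-ips list.</description>
  </rule>

  <!-- Allowlist: not_address_match_key inverts the lookup, so a successful
       authentication fires only when the source is NOT a listed admin host. -->
  <rule id="100301" level="8">
    <if_group>authentication_success</if_group>
    <list field="srcip" lookup="not_address_match_key">lists/admin-hosts</list>
    <description>Successful login from a host not on the admin allowlist.</description>
  </rule>

</group>
```

Rule 100300 has no if_sid or if_group, so it is evaluated against every event that carries a decoded srcip; anchoring list rules under a parent rule keeps the lookup cost confined to the events it applies to.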
info
Extra information may be added through the following attributes:
Attributes:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The osvdb id related to this alert/event.
Allowed: String but content is dependent on the type attribute.
Example:
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
  <info type="link">http://ossec.net/wiki/Rule:205</info>
  <info type="cve">2009-1002</info>
  <info type="osvdb">61509</info>
  <info type="text">Internal Why we are running this run in our company</info>
  <info>Type text is the default</info>
</rule>
options
Additional rule options
Allowed:
- alert_by_email
- Always alert by email.
- Example: <options>alert_by_email</options>
- no_email_alert
- Never alert by email.
- Example: <options>no_email_alert</options>
- no_log
- Do not log this alert.
- Example: <options>no_log</options>
check_diff
Used to determine when the output of a command changes.
Usage: <check_diff />
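The following is an added example, not part of the OSSEC documentation, of check_diff used for its typical purpose: alerting when the output of a monitored command changes. It assumes rule 530 is the stock "OSSEC process monitoring" rule that matches every full_command output line (events of the form "ossec: output: '<command>': ..."); the command and rule ID 100500 are constructed.

```xml
<!-- Added example (not from the OSSEC documentation). Assumes the stock
     rule 530 matches full_command output; the command and ID are made up. -->

<!-- 1. ossec.conf: run the command periodically and deliver its complete
        output to the analysis engine as one event. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tln | sort</command>
  </localfile>
</ossec_config>

<!-- 2. local_rules.xml: check_diff stores the output seen last time and
        makes the rule fire only when the new output differs from it, so a
        port that opens or closes produces exactly one alert. -->
<group name="local,ossec,">
  <rule id="100500" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tln | sort':</match>
    <check_diff />
    <description>Listening TCP ports changed (new port opened or closed).</description>
  </rule>
</group>
```

Sorting the command output keeps the comparison stable, so that a reordering of otherwise identical lines does not register as a change.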
group
- Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules via if_group or if_matched_group, or by alert parsing tools to categorize alerts.
- Example: <group>group1, group2</group>