OSSEC 3.3

ossec.conf: Rules options

Overview

Supported types

Rules options are available in the the following installation types:

  • server
  • local

Location

All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <rules>
        <!--
        Rules options here
        -->
    </rules>
</ossec_config>

Options

include

Load a single rule file.

Allowed: Path and file name of rule to load example: rules/config.xml

rule

Load a single rule file.

Allowed: Path and file name of rule to load example: rules/config.xml

Note

This is the same as include, but created to keep the syntax constant with other sections of the rules config.

rule_dir

Load a directory of rules. The order of loaded files will be in alphabetical order and will not load any files that have been loaded before.

Attributes:

  • pattern: is a regex match string use to determine if a file needs to be loaded.

    • Default: regex “_rules.xml$” is used unless another one is specified.

Allowed: Path to a directory of rule files

Example:

  1. Loading all rules in directory /var/ossec/rules ending ending with _rules.xml

    <ossec_config>
    <rules>
        <rule_dir>rules</rule_dir>
    </rules>
</ossec_config>

  2. Loading all rules in directory /var/ossec/rules/plugins ending with .xml

    <ossec_config>
    <rules>
        <rule_dir pattern=".xml$">rules/plugins</rule_dir>
    </rules>
</ossec_config>
decoder

Load a single decoder file. The path should be relative to the install directory, typically /var/ossec.

Note

If no decoders are specified in ossec.conf the legacy etc/decoder.xml and etc/local_decoder.xml are loaded

Warning

If <decoder> or <decoder_dir> are used, the default decoder.xml will not be used. It must be specified explicitly.

Allowed: Path and file name of decoder to load example: rules/decoder/decoder.xml

decoder_dir

Load a directory of decoders. The order of loaded files will be in alphabetical order and will not load any files that have been loaded before. The path should be relative to the install directory, typically /var/ossec.

Attributes:

  • pattern: is a regex match string use to determine if a file needs to be loaded.

    • Defaults: regex ”.xml$” is used unless another one is specified.

Allowed: Path to a directory of decoder files

Example:

  1. Loading all decoders in directory /var/ossec/rules ending ending with _decoder.xml

    <ossec_config>
    <rules>
        <decoder_dir>rules</decoder_dir>
    </rules>
</ossec_config>

  2. Loading all decoders in directory /var/ossec/rules/plugins/plugins/decoders ending with .xml

    <ossec_config>
    <rules>
        <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir>
    </rules>
</ossec_config>

Warning

If <decoder> or <decoder_dir> are used, the default decoder.xml will not be used. It must be specified explicitly.

list

Load a single cdb references for inclusion by other rules.

Note

Due to the way cdb files are compiled using tmp files by the ossec-makelists program the file extension should not be include in this directive. ossec’s tools will correctly append the correct .cdb or .txt extension as needed.

Allowed: Path to a list file to be loaded and compiled.

<rules>
   <list>rules/lists/blocked_hosts</list>
</rules>