Rules Syntax
Overview
Order of execution
First, the rules with level 0 are tried, then all other rules in decreasing order of level. Rules with the same level are tried in the order in which they appear in the rules list in /var/ossec/etc/ossec.conf. Note that for rules with a requirement (for example if_sid), the requirement is checked first.
Options
rule
Defines a rule
Attributes:
level
Specifies the level of the rule. Alerts and responses use this value.
Allowed: Any number (0 to 16)
id
Specifies the ID of the rule.
Allowed: Any number from 100 to 99999
maxsize
Specifies the maximum size of the event.
Allowed: Any number from 1 to 99999
frequency
Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
Allowed: Any number from 1 to 999
Example: frequency="2" would mean the rule must be matched 4 times
Note
More information about how frequency is counted can be found in this thread.
noalert
Specifies whether the rule generates an alert. Normally, once a rule matches, no further rules are tried except its children (rules that name it in their if_sid). With noalert set to 1 the rule itself never alerts; it only acts as a grouping point for its children, and if none of them match, the engine continues trying the other rules. This is useful when trying other rules is the sensible thing to do if this rule matches but none of its child rules do.
Allowed: 0 or 1
Default: 0
timeframe
The timeframe in seconds.
This option is intended to be used with the frequency option.
Allowed: Any number from 1 to 9999
ignore
The time (in seconds) to ignore this rule after firing it (to avoid floods).
Allowed: Any number from 1 to 9999
overwrite
Used to supersede an OSSEC rule with local changes.
This is useful to change the level or other options of rules included with OSSEC.
Allowed: yes
match
Any string to match against the log event.
Allowed: Any OS_Match/sregex Syntax
regex
Any regex to match against the log event.
Allowed: Any OS_Regex/regex Syntax
pcre2
A string using the pcre2 syntax to match a log message.
Allowed: Any pcre2 valid string
decoded_as
Any decoder name (see Decoders Syntax)
Allowed: Any decoder name
category
The decoded category to match.
Allowed: ids, syslog, firewall, web-log, squid or windows
srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip.
Use “!” to negate it.
Allowed: Any IP address or CIDR block, optionally negated with "!"
dstip
Any IP address or CIDR block to be compared to an IP decoded as dstip.
Use “!” to negate it.
Allowed: Any IP address or CIDR block, optionally negated with "!"
extra_data
Any string that is decoded into the extra_data field.
Allowed: Any string
user
Any username (decoded as the username).
Allowed: any OS_Match/sregex Syntax
program_name
Program name is decoded from syslog process name.
Allowed: any OS_Match/sregex Syntax
hostname
Any hostname (decoded as the syslog hostname) or log file.
Allowed: any OS_Match/sregex Syntax
time
Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm); 12-hour forms such as "6 am - 6 pm" are also accepted, as in the example below
Example:
<time>6 am - 6 pm</time>
weekday
Week day that the event was generated. Multiple entries can be separated by commas.
Allowed: monday - sunday, weekdays, weekends
id
Any ID (decoded as the id field). This is the decoded event id (for example a firewall or IDS rule number), not the id attribute of the rule itself.
Allowed: any OS_Match/sregex Syntax
url
Any URL (decoded as the URL).
Allowed: any OS_Match/sregex Syntax
if_sid
Matches if the ID has matched.
Allowed: Any rule id
if_group
Matches if the group has matched before.
Allowed: Any Group
if_level
Matches if the level has matched before.
Allowed: Any level from 1 to 16
if_matched_sid
Matches if an alert of the defined ID has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_* options. The level must be at least 1, but the no_log option (<options>no_log</options>) can be added to the rule to make sure it does not get logged.
Allowed: Any rule id
if_matched_group
Matches if an alert of the defined group has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.
Allowed: Any group
same_id
Specifies that the decoded id must be the same for the events counted by frequency/timeframe.
same_source_ip
Specifies that the decoded source IP must be the same for the events counted by frequency/timeframe.
same_source_port
Specifies that the decoded source port must be the same for the events counted by frequency/timeframe.
same_dst_port
Specifies that the decoded destination port must be the same for the events counted by frequency/timeframe.
same_location
Specifies that the location (the agent or log file the events came from) must be the same for the events counted by frequency/timeframe.
same_user
Specifies that the decoded user must be the same for the events counted by frequency/timeframe.
description
Rule description.
Allowed: Any string
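The following rule file ties the options above together: a parent rule, a level 0 child that is tried first (see Order of execution) and silences a known source, and a composite rule that uses if_matched_sid with frequency, timeframe, same_source_ip and ignore. It is an added example, not part of the OSSEC rule set. The rule ids 1001xx/100200, the scanner address 198.51.100.20 and the sample log line are assumptions; it also assumes a decoder that sets program_name to sshd and extracts srcip (OSSEC's shipped sshd decoder and rules already cover this case, so in a real deployment this would be written as a local override rather than a new parent).

```xml
<!-- Added example, not OSSEC's own rules. Ids, addresses and the sample
     event are constructed. Constructed event this file is written against:
     Jan 12 10:01:02 bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2
     Assumes a decoder that sets program_name="sshd" and srcip="203.0.113.7". -->
<group name="local,authentication_failed,">

  <!-- Parent rule: a single failed password is low severity. -->
  <rule id="100100" level="5">
    <program_name>sshd</program_name>
    <match>Failed password</match>
    <description>sshd: authentication failed.</description>
  </rule>

  <!-- Level 0 child. Level 0 rules are tried first regardless of their
       position in the file, so failures from the approved scanner match
       here and are discarded. Because level 0 matches are discarded
       (see the if_matched_sid note), they are not visible to the
       composite rule below and do not inflate its count. -->
  <rule id="100200" level="0">
    <if_sid>100100</if_sid>
    <srcip>198.51.100.20</srcip>
    <description>Ignore failed passwords from the internal vulnerability scanner.</description>
  </rule>

  <!-- Composite rule: fires when 100100 has alerted often enough from the
       same source IP within 120 seconds (frequency counting is explained
       under the frequency attribute). ignore="60" suppresses repeats for a
       minute so a running brute force does not flood the alert log. -->
  <rule id="100101" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force attempt, repeated failed passwords from the same source.</description>
    <info type="text">Correlated from rule 100100 alerts within 120 seconds.</info>
    <options>alert_by_email</options>
  </rule>

</group>
```

Place a file like this in the local rules file referenced from ossec.conf. Note that same_source_ip only restricts which stored 100100 alerts are counted; the parent rule must therefore be one whose decoder actually populates srcip, otherwise the composite rule can never accumulate matches.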
list
Perform a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find keys within two seeks of the file.
Attributes:
field
Field that is used as the key to look up in the CDB file:
Value: srcip
Value: srcport
Value: dstip
Value: dstport
Value: extra_data
Value: user
Value: url
Value: id
Value: hostname
Value: program_name
Value: status
Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
Positive key match: field is the key to search within the cdb and will match if the key is present.
This is the default if no lookup is specified.
Value: not_match_key
Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
Positive key match: field is an IP address and the key to search within the cdb; the rule will match if the key is present.
Value: not_address_match_key
Negative key match: field is an IP address and the key to search; the rule will match if it IS NOT present in the database.
Value: address_match_key_value
Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value
Allowed (element content): Path to the CDB file to be used for the lookup, relative to the OSSEC directory. This file must also be declared in the ossec.conf file.
Example:
    <rule id="100000" level="7">
      <list lookup="match_key" field="srcip">path/to/list/file</list>
      <description>Checking srcip against cdb list file</description>
    </rule>
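A fuller list example, added here and not part of the OSSEC rule set, showing the ossec.conf declaration that L152 requires together with a positive (address_match_key) and a negative (not_address_match_key) lookup. The file names lists/blocked.ips and lists/admin.ips, the rule ids and the parent group names are assumptions; the source lists are assumed to be plain text files with one key:value entry per line (for example 203.0.113.7:known scanner), compiled with /var/ossec/bin/ossec-makelists into the .cdb file the rule reads.

```xml
<!-- Added example, not OSSEC's own configuration. File names, ids and the
     group names authentication_success/authentication_failed are assumptions.
     Source lists (constructed), one "key:value" per line, compiled with
     /var/ossec/bin/ossec-makelists after every edit:
       lists/blocked.ips:  203.0.113.7:known scanner
                           203.0.113.9:known scanner
       lists/admin.ips:    198.51.100.20:jump host
-->

<!-- 1. Declare both lists in ossec.conf so the .cdb files are opened. -->
<ossec_config>
  <rules>
    <list>lists/blocked.ips</list>
    <list>lists/admin.ips</list>
  </rules>
</ossec_config>

<!-- 2. Rules using the lists. Both hang off parents whose decoders populate
        srcip; a lookup, and a not_* lookup in particular, is only meaningful
        when the field is actually present in the event. -->
<group name="local,">

  <!-- Positive match: any authentication event whose decoded srcip is a key
       in the blocklist. address_match_key treats the field as an IP. -->
  <rule id="100300" level="10">
    <if_group>authentication_failed</if_group>
    <list field="srcip" lookup="address_match_key">lists/blocked.ips</list>
    <description>Authentication attempt from an address on the local blocklist.</description>
  </rule>

  <!-- Negative match: successful logins from addresses that are NOT in the
       admin allowlist. -->
  <rule id="100301" level="9">
    <if_group>authentication_success</if_group>
    <list field="srcip" lookup="not_address_match_key">lists/admin.ips</list>
    <description>Successful login from an address outside the admin allowlist.</description>
  </rule>

</group>
```

The two fragments live in different files (ossec.conf and a rules file); they are shown together only to make the dependency visible. The rule references the list by the same path used in ossec.conf, without the .cdb suffix that ossec-makelists appends.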
info
Extra information may be added through the following attributes:
Attributes:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The OSVDB id related to this alert/event.
Allowed: String but content is dependent on the type attribute.
Example:
    <rule id="502" level="3">
      <if_sid>500</if_sid>
      <options>alert_by_email</options>
      <match>Ossec started</match>
      <description>Ossec server started.</description>
      <info type="link">http://ossec.net/wiki/Rule:205</info>
      <info type="cve">2009-1002</info>
      <info type="osvdb">61509</info>
      <info type="text">Internal Why we are running this run in our company</info>
      <info>Type text is the default</info>
    </rule>
options
Additional rule options
Allowed:
- alert_by_email
Always alert by email.
Example: <options>alert_by_email</options>
- no_email_alert
Never alert by email.
Example: <options>no_email_alert</options>
- no_log
Do not log this alert.
Example: <options>no_log</options>
check_diff
Used to determine when the output of a command changes.
Usage: <check_diff />
group
Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules through if_group or if_matched_group, or by alert parsing tools to categorize alerts.
Example: <group>group1, group2</group>