Rules Syntax¶

Overview¶

Order of execution¶

First, the rules with 0 levels are tried, and then all the other rules in a decreasing order by their level. If the level is the same, the order will be decided based on the rules list in /var/ossec/etc/ossec.conf file. Note, for rules which have some requirement (for example if_sid), the requirement is tried first.

Options¶

rule¶

Defines a rule

Attributes:

level
- Specifies the level of the rule. Alerts and responses use this value.
- Allowed: Any number (0 to 16)

id
- Specifies the ID of the rule.
- Allowed: Any number from 100 to 99999

maxsize
- Specifies the maximum size of the event.
- Allowed: Any number from 1 to 99999

frequency
- Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
- Allowed: Any number from 1 to 999
- Example: frequency=”2” would mean the rule must be matched 4 times
Note

More information about how frequency is counted can be found in this thread.
noalert
- Specifies whether the rule generates an alert or not in a sense, that if it does, no new rules are tried, except the rules which specify this in their if_sid. Setting this to 1 is useful if trying other rules are the sensible thing to do if this one matches, but it’s child rules (rules which specify this in their if_sid) do not.
- Allowed: 0 or 1
- Default: 0

timeframe
- The timeframe in seconds.
- This option is intended to be used with the frequency option.
- Allowed: Any number from 1 to 9999

ignore
- The time (in seconds) to ignore this rule after firing it (to avoid floods).
- Allowed: Any number from 1 to 9999

overwrite
- Used to supercede an OSSEC rule with local changes.
- This is useful to change the level or other options of rules included with OSSEC.
- Allowed yes

match¶

Any string to match against the log event.
Allowed: Any OS_Match/sregex Syntax

regex¶

Any regex to match against the log event.
Allowed: Any OS_Regex/regex Syntax

pcre2¶

A string using the pcre2 syntax to match a log message.
Allowed: Any pcre2 valid string

decoded_as¶

Any decoder name (see Decoders Syntax)
Allowed: Any decoder name

category¶

The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
Allowed: Any category categories

srcip¶

Any IP address or CIDR block to be compared to an IP decoded as srcip.
Use ”!” to negate it.
Allowed: Any srcip

dstip¶

Any IP address or CIDR block to be compared to an IP decoded as dstip.
Use ”!” to negate it.
Allowed: Any dstip

extra_data¶

Any string that is decoded into the extra_data field.
Allowed: Any string.

user¶

Any username (decoded as the username).
Allowed: any OS_Match/sregex Syntax

program_name¶

Program name is decoded from syslog process name.
Allowed: any OS_Match/sregex Syntax

hostname¶

Any hostname (decoded as the syslog hostname) or log file.
Allowed: any OS_Match/sregex Syntax

time¶

Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm)
Example: <time>6 am - 6 pm</time>

weekday¶

Week day that the event was generated. Multiple entries can be separated by commas.
Allowed: monday - sunday, weekdays, weekends

id¶

Any ID (decoded as the ID).
Allowed: any OS_Match/sregex Syntax

url¶

Any URL (decoded as the URL).
Allowed: any OS_Match/sregex Syntax

if_sid¶

Matches if the ID has matched.
Allowed: Any rule id

if_group¶

Matches if the group has matched before.
Allowed: Any Group

if_level¶

Matches if the level has matched before.
Allowed: Any level from 1 to 16

if_matched_sid¶

Matches if an alert of the defined ID has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.

Note

Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.

Allowed: Any rule id

if_matched_group¶

Matches if an alert of the defined group has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.
Allowed: Any group

same_id¶

Specifies that the decoded id must be the same.
This option is used in conjunction with frequency and timeframe.
Example: <same_id />

same_source_ip¶

Specifies that the decoded source ip must be the same.
This option is used in conjunction with frequency and timeframe.
Example: <same_source_ip />

same_source_port¶

Specifies that the decoded source port must be the same.
This option is used in conjunction with frequency and timeframe.
Example: <same_source_port />

same_dst_port¶

Specifies that the decoded destination port must be the same.
This option is used in conjunction with frequency and timeframe.
Example: <same_source_port />

same_location¶

Specifies that the location must be the same.
This option is used in conjunction with frequency and timeframe.
Example: <same_location />

same_user¶

Specifies that the decoded user must be the same.
This option is used in conjunction with frequency an timeframe.
Example: <same_user />

description¶

Rule description.
Allowed: Any string

list¶

Preform a CDB lookup using an ossec list. This is a fast on disk database which will always find keys within two seeks of the file.

Attributes:

field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action

lookup
This is the type of lookup that is preformed:
- Value: match_key
  Positive key match: field is the key to search within the cdb and will match if they key is present.
  
  This is the default if no lookup is specified.
- Value: not_match_key
  Negative key match: field is the key to search and will match if it IS NOT present in the database.
- Value: match_key_value
  Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
  
  Note
  
  This feature is not yet complete.
- Value: address_match_key
  Positive key match: field is an IP address and the key to search within the cdb and will match if they key is present.
- Value: not_address_match_key
  Negative key match: field is an IP address the key to search and will match if it IS NOT present in the database.
- Value: address_match_key_value
  Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
  
  Note
  
  This feature is not yet complete.

check_value
- regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value

Allowed:

Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.

Example:

<rule id="100000" level="7">
  <list lookup="match_key" field="srcip">path/to/list/file</list>
  <description>Checking srcip against cdb list file</description>
</rule>

info¶

Extra information may be added through the following attributes:

Attributes:

type
- Value: text
  
  This is the default when no type is selected. Just used for additional information about the alert/event.
- Value: link
  
  Link to more information about the alert/event.
- Value: cve
  
  The CVE Number related to this alert/event.
- Value: ovsdb
  
  The osvdb id related to this alert/event.

Allowed: String but content is dependent on the type attribute.

Example:

<rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <info type="link">http://ossec.net/wiki/Rule:205</info>
    <info type="cve">2009-1002</info>
    <info type="osvdb"> 61509</info>
    <info type="text">Internal Why we are running this run in our company</info>
    <info>Type text is the default</info>
</rule>

options¶

Additional rule options

Allowed:

alert_by_email
- Always alert by email.
- Example: <options>alert_by_email</options>
no_email_alert
- Never alert by email.
- Example: <options>no_email_alert</options>
no_log
- Do not log this alert.
- Example: <options>no_log</options>

check_diff¶

Used to determine when the output of a command changes.

Usage: <check_diff />

group¶

Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.

Example: <group>group1, group2</group>