First, the rules with level 0 are tried, then all the other rules in decreasing order of level. If the level is the same, the order is decided by the position in the rules list in the /var/ossec/etc/ossec.conf file. Note that for rules which have a requirement (for example if_sid), the requirement is tried first.
rule
- Defines a rule.
Attributes:
level
- Specifies the level of the rule. Alerts and responses use this value.
- Allowed: Any number (0 to 16)
id
- Specifies the ID of the rule.
- Allowed: Any number from 100 to 99999
maxsize
- Specifies the maximum size of the event.
- Allowed: Any number from 1 to 99999
frequency
- Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
- Allowed: Any number from 1 to 999
- Example: frequency="2" would mean the rule must be matched 4 times
Note
More information about how frequency is counted can be found in this thread.
noalert
- Specifies whether the rule generates an alert. If it does, no further rules are tried, except the rules which name this rule in their if_sid. Setting this to 1 is useful when trying other rules is the sensible thing to do if this one matches, but trying its child rules (rules which name this rule in their if_sid) is not.
- Allowed: 0 or 1
- Default: 0
timeframe
- The timeframe in seconds.
- This option is intended to be used with the frequency option.
- Allowed: Any number from 1 to 9999
ignore
- The time (in seconds) to ignore this rule after firing it (to avoid floods).
- Allowed: Any number from 1 to 9999
overwrite
- Used to supersede an OSSEC rule with local changes.
- This is useful to change the level or other options of rules included with OSSEC.
- Allowed: yes
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_* rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
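The ordering and if_sid behaviour described above, as an added toy model (not OSSEC's own code): Rule, evaluation_order() and first_alerting_rule() are assumptions that follow the page's description literally, and the rule ids and patterns are constructed for the example.

```python
"""Toy model of OSSEC rule ordering: level-0 rules first, then decreasing
level, ties in config order, and an if_sid requirement tried before its
child. Added example, not OSSEC code; all names below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    id: int
    level: int
    match: str                     # substring the event must contain
    if_sid: Optional[int] = None   # parent rule that must match first


def evaluation_order(rules: List[Rule]) -> List[Rule]:
    """Level-0 rules first, then the rest by decreasing level; sorted() is
    stable, so rules of equal level keep their position in the rules list."""
    zero = [r for r in rules if r.level == 0]
    rest = sorted((r for r in rules if r.level > 0), key=lambda r: -r.level)
    return zero + rest


def first_alerting_rule(rules: List[Rule], event: str) -> Optional[int]:
    """Return the id of the rule that fires for event, or None when a
    level-0 rule discards the event (or nothing matches)."""
    by_id: Dict[int, Rule] = {r.id: r for r in rules}
    memo: Dict[int, bool] = {}

    def matched(r: Rule) -> bool:
        # A rule with if_sid is only tried after its requirement matched.
        if r.id not in memo:
            parent_ok = r.if_sid is None or matched(by_id[r.if_sid])
            memo[r.id] = parent_ok and r.match in event
        return memo[r.id]

    winner: Optional[Rule] = None
    for r in evaluation_order(rules):
        if winner is not None and r.if_sid != winner.id:
            continue              # after a match only its child rules are tried
        if matched(r):
            if r.level == 0:
                return None       # level-0 rules discard the event immediately
            winner = r            # a matching child supersedes its parent
    return winner.id if winner else None


# Constructed sample rule set (ids and patterns made up for this example).
RULES = [
    Rule(1000, 5, "sshd"),
    Rule(1002, 0, "DEBUG"),
    Rule(1003, 10, "Failed password", if_sid=1000),
    Rule(1004, 3, "Accepted", if_sid=1000),
    Rule(2000, 7, "Failed"),
]
```

Note that rule 1003 is tried before 2000 even though 2000 has no requirement, and its parent 1000 is checked on the way, which is what "the requirement is tried first" amounts to.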
list
- Performs a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find keys within two seeks of the file.
Attributes:
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
- Positive key match: field is the key to search within the CDB and will match if the key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and is the key to search within the CDB; the rule matches if the key is present.
Value: not_address_match_key
- Negative key match: field is an IP address and is the key to search; the rule matches if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- Regex pattern matched against the value pulled out of the CDB when using lookup types match_key_value or address_match_key_value.
Allowed:
- Path to the CDB file to be used for the lookup, relative to the OSSEC directory. This file must also be included in the ossec.conf file.
Example:
<rule id="100000" level="7">
<list lookup="match_key" field="srcip">path/to/list/file</list>
<description>Checking srcip against cdb list file</description>
</rule>
info
- Extra information may be added through the following attributes:
Attributes:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The OSVDB id related to this alert/event.
Allowed: String but content is dependent on the type attribute.
Example:
<rule id="502" level="3">
<if_sid>500</if_sid>
<options>alert_by_email</options>
<match>Ossec started</match>
<description>Ossec server started.</description>
<info type="link">http://ossec.net/wiki/Rule:205</info>
<info type="cve">2009-1002</info>
<info type="osvdb">61509</info>
<info type="text">Internal Why we are running this run in our company</info>
<info>Type text is the default</info>
</rule>
Additional rule options
check_diff
- Used to determine when the output of a command changes.
- Usage: <check_diff />
group
- Assigns the rule to one or more groups.
- Example: <group>group1, group2</group>