Monday, 16 December 2013


There is a series of rules XML files in /var/ossec/rules.

To customize rules, change only the local_rules.xml file.

During the upgrade process, the scripts overwrite all rules files, except the local_rules.xml file.
Any user rule created to replace a preexisting OSSEC HIDS rule must contain the overwrite="yes" option within the rule.

Rules are applied as follows:
- An event is logged
- Pre-decoding is done on the event
- Decoding is done on the event
- Rule matching is applied
- Alerting is triggered, either to DB storage, to Email Alert, or to Active Response


Sample logged event:
Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from port 1618 ssh2


Pre-decoding extracts the hostname, program_name, timestamp, and log message from the event.


Decoder options available:

- program_name: executes the decoder if the program_name matches the syslog program name.
- prematch: executes the decoder if prematch matches any portion of the log field.
- regex: regular expression specifying where each field is.
- offset: attribute of regex. It can be after_prematch or after_parent; it tells the regex where to start evaluating the expression.
- order: order of the fields within the regular expression. It can be any of the fields in the normalized event (srcip, user, dstip, dstport, etc.).
- parent: parent decoder that must be matched for this decoder to be called.

Example decoder to extract user and srcip from sshd:

<decoder name="sshd-test">
  <regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>

Extracts dcid as user, and as srcip from sample event:

Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from port 1618 ssh2

See /var/ossec/etc/decoder.xml for existing decoder examples.

Rule Matching 

There are two types of OSSEC HIDS rules: Atomic, which are based on single events without any correlation; and Composite, which are based on multiple events.

Important note from manual:

User-defined rules should range from 100,000 to 119,999. If you choose any other ID, it might collide with the official ones from the OSSEC HIDS project.
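As an added example (not code from the original post or from the OSSEC project), the pipeline described above in Python: pre-decoding of the syslog header, decoding with a decoder modelled on sshd-test, and matching of a local rule whose ID is checked against the 100000-119999 user range. The local rule, its ID 100001, and the sample log lines with the 192.0.2.10 source address are constructed for the example.

```python
import re

# Pre-decoding: syslog header -> timestamp, hostname, program_name, pid, log.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)
# Decoder modelled on the post's sshd-test decoder: gate on program_name,
# then map the regex capture groups onto the names listed in <order>.
DECODERS = [{
    "name": "sshd-test", "program_name": "sshd",
    "regex": re.compile(r"^Accepted \S+ for (\S+) from (\S+) port "),
    "order": ["user", "srcip"],
}]
# Constructed local rule (not from the post): alert on an accepted root login.
LOCAL_RULES = [{
    "id": 100001, "level": 8, "decoder": "sshd-test",
    "condition": lambda ev: ev.get("user") == "root",
}]

def local_rule_id_ok(rule_id):
    """User-defined rule IDs must stay inside 100000-119999."""
    return 100000 <= rule_id <= 119999

def pre_decode(line):
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None

def decode(event):
    for d in DECODERS:
        if d["program_name"] != event["program_name"]:
            continue
        m = d["regex"].match(event["log"])
        if m:
            return d["name"], dict(zip(d["order"], m.groups()))
    return None, {}

def process(line):
    """Run one syslog line through pre-decoding, decoding and rule matching."""
    event = pre_decode(line)
    if event is None:
        return None  # not a syslog line; nothing to decode
    event["decoder"], fields = decode(event)
    event.update(fields)
    for rule in LOCAL_RULES:
        if not local_rule_id_ok(rule["id"]):
            raise ValueError("rule %d collides with official OSSEC IDs" % rule["id"])
        if rule["decoder"] == event["decoder"] and rule["condition"](event):
            event["alert"] = {"id": rule["id"], "level": rule["level"]}
            break
    return event
```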
Related sections of the OSSEC manual:
- Custom Decoders and Rules
- OSSEC Rules syntax
- Rule Alert levels
- OSSEC Output and Alert Options
- Active Responses
