There are a series of rules files (*_rules.xml) in /var/ossec/rules.
To customize rules, change only the local_rules.xml file.
During the upgrade process, the scripts overwrite all rules files except local_rules.xml.
Any user rule created to replace a preexisting OSSEC HIDS rule must reuse the ID of the rule it replaces and contain the overwrite="yes" option within the rule.
Rules are applied as follows:
- an event is logged
- pre-decoding is done on the event
- decoding is done on the event
- rule matching is applied
- alerting is triggered: to DB storage, to an email alert, or to active response
Event
Sample logged event:
Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2
Pre-Decoding
Extracts the hostname, program_name, timestamp and log message from the event. The decoders below run against the extracted log message, not the whole syslog line.
Decoding
Decoder options available:
- program_name: executes the decoder if the program_name matches the syslog program name.
- prematch: executes the decoder if prematch matches any portion of the log field.
- regex: regular expression that specifies where each field is.
- offset: attribute of regex. It can be after_prematch or after_parent. It essentially tells the regex where to start computing the expression.
- order: order of the captured fields within the regular expression. It can be any of the fields in the normalized event (srcip, user, dstip, dstport, etc.).
- parent: parent decoder that must be matched for this decoder to be called.
Example decoder to extract user and srcip from sshd:
<decoder name="sshd-test">
<program_name>sshd</program_name>
<regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
<order>user, srcip</order>
</decoder>
Extracts dcid as user, and 192.168.2.180 as srcip, from the sample event:
Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2
See /var/ossec/etc/decoder.xml for existing decoder examples.
Rule Matching
There are two types of OSSEC HIDS rules: atomic, which are based on single events without any correlation; and composite, which are based on multiple events (for example, the same atomic rule matching a number of times from one source IP within a timeframe).
Important note from manual: user-defined rules should range from 100,000 to 119,999. If you choose any other ID, it might collide with the official ones from the OSSEC HIDS project.
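The following is an added example, not OSSEC's own code: a toy model of the pipeline described on this page (pre-decoding, decoding with the sshd-test decoder, then atomic and composite rule matching) run over a few syslog lines. The sshd-test regex is the page's own pattern, translated to Python regex syntax; the sshd-failed decoder, the three rules in the 100000 range, and the failed-login sample lines are assumptions constructed for the example.

```python
"""Toy model of the OSSEC pipeline: pre-decoding -> decoding -> rule matching.
Added example, not OSSEC code. The sshd-failed decoder, the rules and the
failed-login sample lines are assumptions constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Pre-decoding: timestamp, hostname, program_name and log message of a syslog line.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Decoders modelled on the decoder.xml options: program_name gate, regex, order.
DECODERS = [
    {"name": "sshd-test", "program_name": "sshd",  # the page's decoder
     "regex": re.compile(r"^Accepted \S+ for (\S+) from (\S+) port "),
     "order": ["user", "srcip"]},
    {"name": "sshd-failed", "program_name": "sshd",  # assumed decoder
     "regex": re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) port "),
     "order": ["user", "srcip"]},
]

# Rule IDs from the user range 100000-119999. 100001/100002 are atomic;
# 100003 is composite: 100002 matched `frequency` times from the same srcip
# within `timeframe` seconds (thresholds are assumed values).
RULES = [
    {"id": 100001, "level": 3, "decoded_as": "sshd-test"},
    {"id": 100002, "level": 5, "decoded_as": "sshd-failed"},
    {"id": 100003, "level": 10, "if_matched_sid": 100002,
     "frequency": 3, "timeframe": 60, "same_source_ip": True},
]


def pre_decode(line):
    """Return the syslog header fields plus the log message, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Run the first decoder whose program_name gate and regex both match."""
    for d in DECODERS:
        if d["program_name"] != event["program_name"]:
            continue
        m = d["regex"].search(event["log"])  # '^' anchors to the log field only
        if m:
            return {**event, "decoder": d["name"], **dict(zip(d["order"], m.groups()))}
    return event  # undecoded: no fields and no decoder name


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(list)  # (sid, srcip) -> recent timestamps

    def evaluate(self, event):
        ts = datetime.strptime(event["timestamp"], "%b %d %H:%M:%S")
        fired = [r for r in self.rules
                 if "decoded_as" in r and event.get("decoder") == r["decoded_as"]]
        for r in self.rules:  # composite rules build on rules that just fired
            sid = r.get("if_matched_sid")
            if sid is None or not any(f["id"] == sid for f in fired):
                continue
            key = (sid, event.get("srcip") if r.get("same_source_ip") else None)
            window = self.windows[key]
            window.append(ts)
            window[:] = [t for t in window if (ts - t).total_seconds() <= r["timeframe"]]
            if len(window) >= r["frequency"]:
                fired.append(r)
                window.clear()  # start counting again after alerting
        return [f["id"] for f in fired]


def process_log(lines):
    """Run every line through the pipeline; return the rule IDs fired per line."""
    engine = RuleEngine(RULES)
    results = []
    for line in lines:
        event = pre_decode(line)
        results.append(engine.evaluate(decode(event)) if event else [])
    return results


# Constructed sample: the page's event, then an assumed burst of failed logins.
SAMPLE_LOG = [
    "Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2",
    "Apr 14 17:33:01 linux_server sshd[1030]: Failed password for root from 10.0.0.5 port 40001 ssh2",
    "Apr 14 17:33:02 linux_server sshd[1031]: Failed password for invalid user admin from 10.0.0.9 port 40010 ssh2",
    "Apr 14 17:33:15 linux_server sshd[1032]: Failed password for root from 10.0.0.5 port 40002 ssh2",
    "Apr 14 17:33:40 linux_server sshd[1033]: Failed password for root from 10.0.0.5 port 40003 ssh2",
    "Apr 14 17:33:41 linux_server cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line, ids in zip(SAMPLE_LOG, process_log(SAMPLE_LOG)):
        print(ids, line[16:70])
```

The third failure from 10.0.0.5 fires both the atomic rule 100002 and the composite rule 100003; the single failure from 10.0.0.9 and the cron line do not, which is the same_source_ip and program_name gating at work. A real OSSEC composite rule expresses this with if_matched_sid, frequency, timeframe and same_source_ip in local_rules.xml; the engine here only models those four.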
Custom Decoders and Rules
OSSEC Rules syntax.
Rule Alert levels
Alerting
OSSEC Output and Alert Options
Active Responses