Rules compare log messages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.
rule
Each rule begins by defining certain settings
level
This defines the severity of the rule. Valid levels are 0-16.
id
A unique identification number for the rule.
maxsize
Specifies the maximum size of the event. The valid range is 1-99999.
frequency
Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
Note
More information about how frequency is counted can be found in this thread.
timeframe
The timeframe in seconds. This option is intended to be used with the frequency option.
ignore
The time (in seconds) to ignore this rule after firing it (to avoid floods).
overwrite
Used to supersede an OSSEC rule with local changes. This is useful to change the level or other options of rules included with OSSEC.
noalert
Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in a configuration.
match
A simple string comparison.
regex
This option uses the OSSEC regex syntax for comparisons.
pcre2
The pcre2 option utilizes OSSEC's pcre2 support. Refer to the pcre2 page for information on the syntax. ==> PCRE: Perl Compatible Regular Expressions
decoded_as
Define a decoder that must be matched for the rule comparison to continue. From the examples below you can see that this mostly means defining custom "decode" and "check" routines that extract data from the message, etc.!!!
Example sshd decoders, each given as parent, prematch, regex and order (the order names the fields captured by the regex):

prematch: ^Failed \S+ for invalid user|^Failed \S+ for illegal user
regex:    from (\S+) port \d+ \w+$
order:    srcip

parent:   sshd
prematch: ^Failed \S+
regex:    ^for (\S+) from (\S+) port \d+
order:    user, srcip

parent:   sshd
prematch: ^error: PAM: Authentication \w+
regex:    ^for (\S+) from (\S+)$
order:    user, srcip

parent:   sshd
prematch: ^error: PAM:
regex:    user (\S+) from (\S+)
order:    user, srcip

parent:   sshd
prematch: ^reverse mapping checking
regex:    ^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+)
order:    srcip

parent:   sshd
prematch: ^Invalid user|^Illegal user
regex:    from (\S+)
order:    srcip

parent:   sshd
prematch: ^scanned from
regex:    (\S+)
order:    srcip

parent:   sshd
prematch: ^Received disconnect
regex:    ^from (\S+): |^from (\S+)
order:    srcip

parent:   sshd
prematch: ^Disconnected from invalid user
regex:    \S+ (\S+)
order:    srcip
Example rules from the ossec rule set that select on decoded_as (category, decoded_as, description, group), plus one that chains off rule 500 with if_sid and match:

category:    ossec
decoded_as:  syscheck_integrity_changed
description: Integrity checksum changed.
group:       syscheck,

category:    ossec
decoded_as:  syscheck_integrity_changed_2nd
description: Integrity checksum changed again (2nd time).
group:       syscheck,

category:    ossec
decoded_as:  syscheck_integrity_changed_3rd
description: Integrity checksum changed again (3rd time).
group:       syscheck,

category:    ossec
decoded_as:  syscheck_deleted
description: File deleted. Unable to retrieve checksum.
group:       syscheck,

category:    ossec
decoded_as:  syscheck_new_entry
description: File added to the system.
group:       syscheck,

if_sid:      500
match:       ^ossec: agentless:
description: Integrity checksum for agentless device changed.
group:       syscheck,agentless

category:    ossec
decoded_as:  hostinfo_modified
description: Host information changed.
group:       hostinfo,
category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.
dstip
Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.
extra_data
Any string that is decoded into the extra_data field.
user
Any username (decoded as the username).
program_name
Program name is decoded from syslog process name.
hostname
Any hostname (decoded as the syslog hostname) or log file.
time
Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used:
weekday
Specify a week day that the event was generated. Multiple entries can be separated by commas.
id
Any ID (decoded as the ID).
url
Any string decoded into the url field.
if_sid
Matches if the rule ID has matched. This is used to create children to other rules. ==> used for filtering data
if_group
Matches if the group has matched before. This can be used to create children of other rules.
if_level
Matches if the level has matched before.
if_matched_sid
Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the no_log option can be added to the rule to make sure it does not get logged.
if_matched_group
Matches if an alert of the defined group has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.
same_id
Specifies that the decoded id must be the same. This option is used in conjunction with frequency and timeframe.
same_source_ip
Specifies that the decoded source ip must be the same. This option is used in conjunction with frequency and timeframe.
same_source_port
Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.
same_dst_port
Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.
same_location
Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.
same_user
Specifies that the decoded user must be the same. This option is used in conjunction with frequency and timeframe.
Example: repeated login attempts that finally succeed (the attack succeeds)!!! ==> Looking at it this way, OSSEC does a pretty good job!!!
if_group:         authentication_success
if_matched_group: authentication_failures
description:      Multiple authentication failures followed by a success.
One of the groups involved is authentication_success; looking at its definition, we can see that it collects successful-authentication events from various sources:
if_sid:      4715
match:       ^%SEC_LOGIN-5-LOGIN_SUCCESS
description: Successful login to the router.
group:       authentication_success,

if_sid:      3900
match:       ^LOGIN,
description: Courier (imap/pop3) authentication success.
group:       authentication_success,

if_sid:      51000
match:       password auth succeeded for
description: User successfully logged in using a password.

The authentication_failures side is fed by rules such as this one:

description: Dovecot brute force attack (multiple auth failures).
group:       authentication_failures,
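The following Python model is an added example, not OSSEC's code and not from the original page: it re-implements the semantics described above so the "multiple authentication failures followed by a success" rule can be watched firing over constructed sshd log lines. The two "Failed" decoders are the sshd decoders listed earlier (prematch, regex, order); the decoder names, the "Accepted" success decoder, the rule ids, levels, frequency and timeframe values and the sample messages are all assumptions. OSSEC's own regex dialect is approximated with Python's re module, and frequency is treated as the exact number of prior matches required rather than the "2 more" quirk noted above.

```python
"""Toy model of OSSEC decoder and rule evaluation (added example, not OSSEC code)."""
import re
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Decoders: (name, prematch, regex applied after the prematch, order).
# The two "Failed" entries are the sshd decoders from the page; the decoder
# names and the "Accepted" (success) decoder are assumptions.
DECODERS = [
    ("sshd-invfailed",
     r"^Failed \S+ for invalid user|^Failed \S+ for illegal user",
     r"from (\S+) port \d+ \w+$", ("srcip",)),
    ("sshd-failed", r"^Failed \S+",
     r"^for (\S+) from (\S+) port \d+", ("user", "srcip")),
    ("sshd-success", r"^Accepted \S+",
     r"^for (\S+) from (\S+) port \d+", ("user", "srcip")),
]


def decode(message):
    """Return (decoder name, decoded fields) for the first decoder whose prematch hits."""
    for name, prematch, regex, order in DECODERS:
        pm = re.search(prematch, message)
        if not pm:
            continue
        # The regex runs on the text after the prematch; leading whitespace is
        # dropped because the prematch values above carry no trailing space.
        m = re.search(regex, message[pm.end():].lstrip())
        return name, (dict(zip(order, m.groups())) if m else {})
    return None, {}


@dataclass
class Rule:
    id: int
    level: int
    description: str
    groups: tuple = ()
    decoded_as: Optional[str] = None
    if_group: Optional[str] = None
    if_matched_group: Optional[str] = None
    frequency: int = 0
    timeframe: int = 0
    same_source_ip: bool = False


# Rule set modelled on the "failures followed by a success" example.
# Ids, levels, frequency and timeframe are constructed values.
RULES = [
    Rule(100001, 5, "sshd authentication failure.", ("authentication_failures",),
         decoded_as="sshd-failed"),
    Rule(100002, 5, "sshd authentication failure (invalid user).",
         ("authentication_failures",), decoded_as="sshd-invfailed"),
    Rule(100003, 3, "sshd authentication success.", ("authentication_success",),
         decoded_as="sshd-success"),
    Rule(100004, 12, "Multiple authentication failures followed by a success.",
         ("authentication_failures",), if_group="authentication_success",
         if_matched_group="authentication_failures",
         frequency=3, timeframe=180, same_source_ip=True),
]


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.history = deque()  # (timestamp, rule, fields) of every alert raised

    def _prior_matches(self, rule, ts, fields):
        """Count earlier alerts of if_matched_group inside timeframe, honouring same_source_ip."""
        n = 0
        for a_ts, a_rule, a_fields in self.history:
            if ts - a_ts > rule.timeframe:
                continue
            if rule.if_matched_group not in a_rule.groups:
                continue
            if rule.same_source_ip and a_fields.get("srcip") != fields.get("srcip"):
                continue
            n += 1
        return n

    def process(self, ts, message):
        """Evaluate one message at time ts (seconds); return the ids of the rules that fired."""
        decoder, fields = decode(message)
        fired, groups_now = [], set()  # groups_now: groups already matched for this event
        for rule in self.rules:
            if rule.decoded_as and rule.decoded_as != decoder:
                continue
            if rule.if_group and rule.if_group not in groups_now:
                continue
            # frequency is taken as the exact number of prior matches required
            if rule.if_matched_group and self._prior_matches(rule, ts, fields) < rule.frequency:
                continue
            fired.append(rule.id)
            groups_now.update(rule.groups)
            self.history.append((ts, rule, dict(fields)))
        return fired


# Constructed sshd messages (the text after "sshd[pid]: ") with offsets in seconds.
SAMPLE = [
    (0, "Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"),
    (20, "Failed password for root from 203.0.113.7 port 51123 ssh2"),
    (40, "Failed password for root from 203.0.113.7 port 51124 ssh2"),
    (50, "Failed password for root from 198.51.100.9 port 40000 ssh2"),
    (60, "Accepted password for root from 203.0.113.7 port 51125 ssh2"),
    (70, "Accepted password for alice from 198.51.100.9 port 40001 ssh2"),
]


def run(sample=SAMPLE):
    """Feed the sample through a fresh engine; map each timestamp to the rule ids fired."""
    engine = Engine(RULES)
    return {ts: engine.process(ts, msg) for ts, msg in sample}


if __name__ == "__main__":
    for ts, ids in run().items():
        print(ts, ids)
```

Running it, the success at second 60 from 203.0.113.7 raises both the plain success rule and the correlated rule 100004, because three failure alerts from the same source IP sit inside the 180-second window; the success at second 70 from 198.51.100.9 raises only the success rule, since that address has a single prior failure.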
description
The rule description.
list
Perform a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find keys within two seeks of the file.
field
Field that is used as the key to look up in the CDB file:
Value: srcip
Value: srcport
Value: dstip
Value: dstport
Value: extra_data
Value: user
Value: url
Value: id
Value: hostname
Value: program_name
Value: status
Value: action
lookup
This is the type of lookup that is performed:
Value: match_key
Positive key match: field is the key to search within the cdb and will match if the key is present.
This is the default if no lookup is specified.
Value: not_match_key
Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.
Value: not_address_match_key
Negative key match: field is an IP address and the key to search and will match if it IS NOT present in the database.
Value: address_match_key_value
Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value
Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.
Example (a list element whose content is the file path, followed by the rule description):

list:        path/to/list/file
description: Checking srcip against cdb list file
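To make the lookup types concrete, here is an added Python example (not OSSEC's implementation and not from the original page) in which a dict stands in for the CDB file. It implements match_key, not_match_key and match_key_value with check_value, and the address_* variants. The dotted-prefix walk used for address keys (so that a key "198.51.100." covers every 198.51.100.x address) is an assumption about how address matching behaves, and all keys, values and event fields are constructed.

```python
"""Added example: the lookup types of the OSSEC list rule option, modelled in Python."""
import re

# Constructed stand-in for a CDB list file (key -> value). A key ending in a dot
# is treated as a dotted prefix covering a whole address range (assumed behaviour).
CDB = {
    "203.0.113.7": "known-scanner",
    "198.51.100.": "partner-net",
    "alice": "admin",
    "bob": "contractor",
}

KEY_LOOKUPS = ("match_key", "not_match_key", "match_key_value")
ADDRESS_LOOKUPS = ("address_match_key", "not_address_match_key", "address_match_key_value")


def address_candidates(ip):
    """'203.0.113.7' -> ['203.0.113.7', '203.0.113.', '203.0.', '203.'] (assumed prefix walk)."""
    parts = ip.split(".")
    return [ip] + [".".join(parts[:i]) + "." for i in range(len(parts) - 1, 0, -1)]


def cdb_lookup(db, value, lookup="match_key", check_value=None):
    """Apply one of the page's lookup types to value; return True when the condition holds."""
    if lookup in KEY_LOOKUPS:
        candidates = [value]
    elif lookup in ADDRESS_LOOKUPS:
        candidates = address_candidates(value)
    else:
        raise ValueError("unknown lookup type: %r" % lookup)
    hit = next((k for k in candidates if k in db), None)
    if lookup.startswith("not_"):
        return hit is None            # negative match: true only when the key is absent
    if hit is None:
        return False
    if lookup.endswith("_value"):     # *_match_key_value: check_value regex vs stored value
        if check_value is None:
            raise ValueError("check_value is required for %s" % lookup)
        return re.search(check_value, db[hit]) is not None
    return True


def list_rule_matches(event, field, lookup="match_key", check_value=None, db=CDB):
    """Mimic a rule's list option: take the decoded field from the event and look it up."""
    value = event.get(field)
    if value is None:
        return False
    return cdb_lookup(db, value, lookup, check_value)


if __name__ == "__main__":
    event = {"srcip": "198.51.100.42", "user": "bob"}
    print(list_rule_matches(event, "srcip", "address_match_key"))                   # True
    print(list_rule_matches(event, "user", "match_key_value", check_value="^admin$"))  # False
```

With match_key the decoded srcip must appear verbatim as a key; with address_match_key an address such as 198.51.100.42 is also matched by the prefix key "198.51.100.", and the *_value variants additionally run check_value as a regex against the value stored under the matched key.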
info
Extra information may be added to an alert using info. The type must be specified using one of the following options:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: osvdb
The OSVDB id related to this alert/event.
Example (a rule chained off rule 500 via if_sid, with several info entries of different types):

if_sid:            500
options:           alert_by_email
match:             Ossec started
description:       Ossec server started.
info (type=link):  http://ossec.net/wiki/Rule:205
info (type=cve):   2009-1002
info (type=osvdb): 61509
info (type=text):  Internal Why we are running this run in our company
info:              Type text is the default
options
Additional rule options
alert_by_email
Always alert by email.
Example: alert_by_email
no_email_alert
Never alert by email.
Example: no_email_alert
no_log
Do not log this alert.
Example: no_log
check_diff
Used to determine when the output of a command changes.
group
Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.