Monday 16 December 2013

OSSEC Rules

There are a series of rules.xml files in /var/ossec/rules

To customize rules, change only the local_rules.xml file.

During the upgrade process, the scripts overwrite all rules files, except the local_rules.xml file.
Any user rule created to replace a preexisting OSSEC HIDS rule must contain the overwrite="yes" option within the rule.

Rules are applied as follows:
- an event is logged
- pre-decoding is done on the event
- decoding is done on the event
- rule matching is applied
- alerting is triggered: to DB storage, to an email alert, or to an active response

Event

Sample logged event:

Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from
192.168.2.180 port 1618 ssh2

Pre-Decoding

Extracts the hostname, program_name, datestamp, and log message from the event.

Decoding

Decoder options available:

program_name
Executes the decoder if the program_name matches the syslog program name.
prematch
Executes the decoder if prematch matches any portion of the log field.
regex
Regular expression to specify where each field is.
offset
Attribute of regex. It can be after_prematch or after_parent; it tells the regex where in the log to start matching.
order
Names of the fields captured by the regular expression, in the order of its capture groups. They can be any of the fields of the normalized event (srcip, user, dstip, dstport, etc.).
parent
Parent decoder that must be matched for this decoder to be called.

Example decoder to extract user and srcip from sshd:

<decoder name="sshd-test">
  <program_name>sshd</program_name>
  <regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>

Extracts dcid as user and 192.168.2.180 as srcip from the sample event:

Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from
192.168.2.180 port 1618 ssh2

See /var/ossec/etc/decoder.xml for existing decoder examples.
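As an added illustration (not code from the original post or from the OSSEC project), the following Python model runs the pre-decoding and decoding stages described above against the sample event: it pre-decodes the syslog header, applies the sshd-test decoder only when program_name matches, and maps the regex capture groups onto the names listed in <order>. The syslog header pattern is an assumption that covers the sample line, not OSSEC's real pre-decoder.

```python
import re

# Constructed sample event, the one shown on the page (its two wrapped
# lines are really one syslog line).
SAMPLE_EVENT = ("Apr 14 17:32:06 linux_server sshd[1025]: "
                "Accepted password for dcid from 192.168.2.180 port 1618 ssh2")

# Pre-decoding (assumed header pattern): pull datestamp, hostname,
# program_name (PID dropped) and the remaining log message out of the line.
SYSLOG_HEADER = re.compile(
    r"^(?P<datestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$")

# The page's sshd-test decoder, field for field. OSSEC uses its own regex
# dialect; '^', '\S+' and '(\S+)' mean the same in Python, which is all
# this decoder needs (other OSSEC escapes such as \p or \. would not).
SSHD_DECODER = {
    "name": "sshd-test",
    "program_name": "sshd",
    "regex": re.compile(r"^Accepted \S+ for (\S+) from (\S+) port "),
    "order": ["user", "srcip"],
}

def pre_decode(event):
    """Return the syslog header fields, or None if the line has no header."""
    m = SYSLOG_HEADER.match(event)
    return m.groupdict() if m else None

def decode(fields, decoder):
    """Run one decoder: program_name must match, then each regex capture
    group is assigned, in order, to the names listed in <order>."""
    if fields is None or fields["program_name"] != decoder["program_name"]:
        return {}
    m = decoder["regex"].search(fields["log"])
    return dict(zip(decoder["order"], m.groups())) if m else {}

def process(event):
    """Pre-decode then decode, the two stages OSSEC runs before rule matching."""
    fields = pre_decode(event)
    decoded = decode(fields, SSHD_DECODER)
    return {"decoder": SSHD_DECODER["name"] if decoded else None,
            **(fields or {}), **decoded}

if __name__ == "__main__":
    print(process(SAMPLE_EVENT))
```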

Rule Matching

There are two types of OSSEC HIDS rules: atomic rules, which are based on single events without any correlation, and composite rules, which are based on multiple events.

Important note from the manual:

User-defined rules should range from 100,000 to 119,999. If you choose any other ID, it might collide with the official ones from the OSSEC HIDS project.

See also:
- Custom Decoders and Rules
- OSSEC Rules syntax
- Rule Alert levels

Alerting

See also:
- OSSEC Output and Alert Options
- Active Responses
