To customize rules, change only the local_rules.xml file.
During the upgrade process, the scripts overwrite all rules files except local_rules.xml, so customizations placed in any other file are lost.
Any user rule created to replace a preexisting OSSEC HIDS rule must keep the same rule id as the rule it replaces and must contain the overwrite="yes" option within the rule; without it, the duplicate id is treated as a collision rather than a replacement.
Rules are applied as follows:
- An event is logged
- Pre-decoding is done on the event
- Decoding is done on the event
- Rule matching is applied
- Alerting is triggered: to DB storage, to an email alert, or to an active response
Event
Sample logged event:
Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2
Pre-Decoding
Extracts the hostname, program_name, datestamp, and log message of the event.
Decoding
Example decoder to extract user and srcip from sshd:
<decoder name="sshd-test">
  <program_name>sshd</program_name>
  <regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
This extracts dcid as user and 192.168.2.180 as srcip from the sample event (the program_name field set during pre-decoding selects the decoder, and the two regex capture groups are assigned to the fields named in order):
Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2
See /var/ossec/etc/decoder.xml for existing decoder examples.
Rule Matching
There are two types of OSSEC HIDS rules: atomic rules, which are based on a single event without any correlation, and composite rules, which are based on multiple events (for example, the same event repeated a number of times within a timeframe).
User-defined rules should use ids in the range 100000 to 119999. If you choose any other id, it might collide with the official ones from the OSSEC HIDS project.
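As an added example that is not code from this page or from the OSSEC project, the following Python script models the pipeline described above on constructed syslog lines: pre-decoding a line into hostname, program_name, datestamp and log message, applying the page's sshd-test decoder, and then matching an atomic rule and a composite rule taken from a constructed local_rules.xml fragment whose ids sit in the user range. Two assumptions: the decoder regex is evaluated with Python's re module rather than OSSEC's own regex dialect (this particular pattern is valid in both), and the composite rule's frequency/timeframe/same_source_ip handling is a simplified model of OSSEC's correlation, not its exact implementation.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed decoder in the page's OSSEC syntax (not OSSEC's own decoder.xml); the
# pattern happens to be valid in both OSSEC's regex dialect and Python's re module.
DECODERS_XML = r"""
<decoders>
  <decoder name="sshd-test">
    <program_name>sshd</program_name>
    <regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
    <order>user, srcip</order>
  </decoder>
</decoders>
"""

# Constructed local_rules.xml fragment with ids from the user range 100000-119999:
# an atomic rule on the decoder, plus a composite rule that correlates repeated
# matches of it from the same source IP within a time window.
RULES_XML = """
<group name="local,sshd,">
  <rule id="100001" level="3">
    <decoded_as>sshd-test</decoded_as>
    <description>SSH login accepted (custom atomic rule)</description>
  </rule>
  <rule id="100002" level="10" frequency="3" timeframe="60">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Three SSH logins from one source within 60 seconds</description>
  </rule>
</group>
"""

# Constructed syslog lines modelled on the page's sample event.
SAMPLE_LOGS = [
    "Apr 14 17:32:06 linux_server sshd[1025]: Accepted password for dcid from 192.168.2.180 port 1618 ssh2",
    "Apr 14 17:32:20 linux_server sshd[1031]: Accepted publickey for dcid from 10.0.0.5 port 40122 ssh2",
    "Apr 14 17:32:41 linux_server sshd[1040]: Accepted password for dcid from 192.168.2.180 port 1620 ssh2",
    "Apr 14 17:32:55 linux_server sshd[1044]: Accepted password for root from 192.168.2.180 port 1622 ssh2",
    "Apr 14 17:33:10 linux_server sshd[1050]: Failed password for invalid user admin from 192.168.2.180 port 1623 ssh2",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[: ]+)(?:\[\d+\])?: (.*)$")

def pre_decode(line):
    # Pre-decoding: timestamp, hostname, program_name and the remaining log message.
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"timestamp": ts, "hostname": host, "program_name": prog, "log": msg}

def decode(event, decoders):
    # Decoding: the first decoder whose program_name and regex match fills the <order> fields.
    for d in decoders:
        prog = d.findtext("program_name")
        if prog and prog != event["program_name"]:
            continue
        m = re.search(d.findtext("regex"), event["log"])
        if m:
            fields = [f.strip() for f in d.findtext("order").split(",")]
            return dict(event, decoder=d.get("name"), **dict(zip(fields, m.groups())))
    return event

class RuleEngine:
    def __init__(self, decoders_xml=DECODERS_XML, rules_xml=RULES_XML):
        self.decoders = ET.fromstring(decoders_xml).findall("decoder")
        self.rules = ET.fromstring(rules_xml).findall("rule")
        self.history = defaultdict(list)  # rule id -> [(time, srcip)] of earlier matches

    def process(self, line):
        # Rule matching; returns (id, level, description) of the highest-level match, or None.
        event = pre_decode(line)
        if event is None:
            return None
        event = decode(event, self.decoders)
        now = datetime.strptime(event["timestamp"], "%b %d %H:%M:%S")  # year-less syslog time
        matched = []
        for rule in self.rules:
            rid, level = int(rule.get("id")), int(rule.get("level"))
            if rule.findtext("decoded_as"):  # atomic: decided on this single event
                if event.get("decoder") != rule.findtext("decoded_as"):
                    continue
            elif rule.findtext("if_matched_sid"):  # composite: child of a rule matched on this event
                sid = int(rule.findtext("if_matched_sid"))
                if sid not in {m[0] for m in matched}:
                    continue
                recent = [ip for t, ip in self.history[sid]
                          if (now - t).total_seconds() <= int(rule.get("timeframe"))
                          and (rule.find("same_source_ip") is None or ip == event.get("srcip"))]
                if len(recent) < int(rule.get("frequency")):  # history already holds this event
                    continue
            else:
                continue
            self.history[rid].append((now, event.get("srcip")))
            matched.append((rid, level, rule.findtext("description")))
        return max(matched, key=lambda a: a[1]) if matched else None

def run(lines=SAMPLE_LOGS):
    engine = RuleEngine()
    return [engine.process(line) for line in lines]
```

Running run() over the constructed lines yields the atomic rule 100001 (level 3) for the first three accepted logins, the composite rule 100002 (level 10) on the third accepted login from 192.168.2.180 within 60 seconds, and no alert for the "Failed password" line, which the sshd-test decoder does not match and which therefore reaches no rule. Note that the login from 10.0.0.5 does not count toward the composite rule because of same_source_ip.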
See the OSSEC documentation on custom decoders and rules, the rules syntax, and rule alert levels for the full list of rule options.
Alerting
See the OSSEC documentation on output and alert options, and on active responses, for configuring where alerts go and what actions they trigger.