OSSEC rules syntax

Rule syntax

http://www.ossec.net/doc/syntax/head_rules.html

rule    Defines a rule. Attributes:
    level: 0-16
    id: 100-99999; the range 100000-109999 is reserved for user-defined rules
    maxsize: maximum length of the event, 1-99999
    frequency: number of matches needed before the rule fires, 1-9999. The real count is two more than the value: with frequency="2" the rule fires on the 4th match.
    timeframe: in seconds, used together with frequency, 1-9999
    ignore: in seconds, time during which the rule is ignored after it fires (avoids alert flooding), 1-9999
    overwrite: replaces the stock OSSEC rule with the same id by this one. Value: yes

match
Any string to match against the log event. This is a plain substring test (OS_Match), cheaper than regex, so prefer it when a literal fragment is enough.
Allowed: Any OS_Match or sregex.

regex
Any regular expression to match against the log event.
Allowed: Any OS_Regex/regex syntax.

decoded_as
Any decoder name

category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).

srcip
Any IP address or CIDR block to be compared to the IP decoded as srcip.
Prefix the value with "!" to negate it (match when the address is not in the block).

dstip
Same as srcip, compared against the IP decoded as dstip.

user
Allowed: any OS_Match or sregex.

program_name
Allowed: any OS_Match or sregex.

hostname
Allowed: any OS_Match or sregex.

id
The id field decoded from the event (for example a Windows event ID), not the rule id.
Allowed: any OS_Match or sregex.

url
Allowed: any OS_Match or sregex.

time
Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm)

weekday
Allowed: monday - sunday, weekday, weekend

if_sid
Matches if the rule with this ID has already matched (the parent rule); the current rule is only evaluated after it.

if_group
Matches if a rule belonging to this group has matched before.

if_level
Matches if a rule of this level has matched before, 1-16

if_matched_sid
Matches if the rule with this ID has been triggered several times within a period; used together with frequency and timeframe.
Level 0 rules are discarded immediately, so they cannot be referenced by if_matched_sid. Likewise a rule carrying the <no_log> option is never recorded and cannot be referenced either.

if_matched_group
Same as above, keyed on the rule group.

if_matched_level
Same as above, keyed on the rule level.

same_source_ip
Requires the source IP to be the same across the correlated events; used together with frequency and timeframe.
Example: <same_source_ip />

same_source_port
Same as above, for the source port.

same_dst_port
Same as above, for the destination port.

same_location
Same as above, for the log location (the agent and file the events came from).
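A complete rule file that combines the matching fields above (decoded_as, match, regex, srcip negation, time, weekday, list) with the composite options (if_sid, if_matched_sid, frequency, timeframe, ignore, same_source_ip). This is an added example written for this page; it is neither OSSEC's stock rule set nor code from the original post. Rule IDs are taken from the user range 100000-109999, the decoder name sshd and the "Failed password ... for invalid user" text are OpenSSH's standard log message, and the management network 10.0.0.0/8, the thresholds, the business hours and the CDB list path lists/blocked-ips are assumptions chosen for illustration.

```xml
<!-- local_rules.xml: added example, not OSSEC's stock rules -->
<group name="local,syslog,sshd,">

  <!-- Parent rule. decoded_as restricts it to events the sshd decoder handled;
       match is a plain OS_Match substring test; srcip with a leading "!" negates
       the CIDR, so only failures from outside the assumed management network
       10.0.0.0/8 match. The level is 5, not 0: a level-0 rule is dropped at once
       and could not be referenced by the if_matched_sid rule below. -->
  <rule id="100100" level="5">
    <decoded_as>sshd</decoded_as>
    <match>Failed password</match>
    <srcip>!10.0.0.0/8</srcip>
    <description>sshd: authentication failure from outside the management network.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- CDB lookup. lists/blocked-ips is an assumed list (key:value lines), declared
       under <rules><list> in ossec.conf and compiled with ossec-makelists.
       lookup="address_match_key" treats the keys as IPs/CIDRs rather than literal
       strings, so a 203.0.113.0/24 entry covers the whole block. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <list field="srcip" lookup="address_match_key">lists/blocked-ips</list>
    <description>sshd: authentication failure from a listed bad address.</description>
  </rule>

  <!-- Same failure, but for a non-existent account on a weeknight. regex is OS_Regex
       syntax: \S+ is a run of non-spaces, \d+ a run of digits. time and weekday must
       both hold (the rule ANDs its fields); the assumed business hours are 06:00-20:00. -->
  <rule id="100102" level="7">
    <if_sid>100100</if_sid>
    <regex>Failed password for invalid user \S+ from \S+ port \d+</regex>
    <time>20:00-06:00</time>
    <weekday>weekday</weekday>
    <description>sshd: failure for a non-existent user outside business hours.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Composite rule. if_matched_sid counts matches of 100100 inside timeframe seconds
       and same_source_ip keeps a separate counter per source address. frequency="6"
       fires on the 8th match (OSSEC counts two more than the value); ignore="300" then
       silences this rule for five minutes so one scanner does not flood the alert log. -->
  <rule id="100103" level="10" frequency="6" timeframe="120" ignore="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force from a single external address (8 failures in 2 minutes).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Single-rule matching can be checked before a restart with /var/ossec/bin/ossec-logtest: paste a constructed line such as `Mar  1 22:10:05 bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2` and confirm that 100100 and, after 20:00 on a weekday, 100102 fire. The composite rule 100103 needs real event flow through ossec-analysisd, since ossec-logtest evaluates one line at a time.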

description
Rule description. Any string.

list
Perform a CDB lookup using an OSSEC list.

info
Adds extra information to the alert in a given form. The form is selected with the type attribute:
       type="text"      default; free-form note
       type="link"      URL pointing to more information
       type="cve"       CVE identifier (Common Vulnerabilities and Exposures) related to the alert/event
       type="osvdb"     related OSVDB (Open Sourced Vulnerability Database) identifier
       Example:

<rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <info type="link">http://ossec.net/wiki/Rule:205</info>
    <info type="cve">2009-1002</info>
    <info type="osvdb"> 61509</info>
    <info type="text">Internal Why we are running this run in our company</info>
    <info>Type text is the default</info>
</rule>

options
    Extra rule options.
    alert_by_email:  Always alert by email.
    no_email_alert:  Never alert by email.
    no_log:          Do not log this alert.

check_diff
    Fires only when the output of a monitored command differs from the output stored at the previous run.
    Usage: <check_diff />

group
   Adds additional groups to the alert (comma-separated, with a trailing comma as in the stock rules).
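An added example, written for this page rather than taken from OSSEC's stock rules or the original post, that puts overwrite, options, check_diff and group together. It reuses rule 502 from the info example above and the generic ossec parent rule 500 that 502 itself chains from; the monitored command, its interval and the group name listening_ports are assumptions.

```xml
<!-- local_rules.xml: added example, not OSSEC's stock rules -->
<group name="local,ossec,">

  <!-- overwrite="yes" replaces stock rule 502 (the "Ossec started" rule shown in the
       info example) wholesale: the entire body is restated, not patched, so if_sid
       and match must be repeated. Here the start notice drops to level 1 and is
       no longer e-mailed. -->
  <rule id="502" level="1" overwrite="yes">
    <if_sid>500</if_sid>
    <options>no_email_alert</options>
    <match>Ossec started</match>
    <description>Ossec server started (local copy, no e-mail).</description>
  </rule>

  <!-- Command monitoring. The matching ossec.conf side (inside <ossec_config>) is
       shown as a comment because this file is the rule file:
         <localfile>
           <log_format>command</log_format>
           <command>netstat -tln | sort</command>
           <frequency>360</frequency>
         </localfile>
       Every 360 s (assumed) the agent logs the output as an ossec internal message,
       "ossec: output: 'netstat -tln | sort': ...", which the decoder routes through
       parent rule 500. The match stops before the pipe because "|" is an OR in
       OS_Match. check_diff compares the output with the stored previous run and fires
       only on a change, so a port opening or closing alerts once, not every interval;
       the first run only stores the baseline. -->
  <rule id="100200" level="7">
    <if_sid>500</if_sid>
    <match>ossec: output: 'netstat -tln</match>
    <check_diff />
    <options>alert_by_email</options>
    <group>listening_ports,</group>
    <description>Set of listening TCP ports changed (netstat output differs from last run).</description>
  </rule>

</group>
```

overwrite only works if the replacement is loaded after the original, which is why local_rules.xml is listed last under <rules> in ossec.conf; keep it there when adding include files.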

 

