Rule syntax
http://www.ossec.net/doc/syntax/head_rules.html
rule: Defines a rule. Attributes:
level: 0-16
id: 100-99999; 100000-109999 are assigned to users
maxsize: the maximum length of an event, 1-99999
frequency: the number of times the rule must match before it fires, 1-9999; the actual number of matches needed is two more than this value. For example, if the value is 2, the rule fires only after matching 4 times.
timeframe: in seconds, used together with frequency, 1-9999
ignore: in seconds, the time to ignore further matches after the rule fires (to avoid flooding), 1-9999
overwrite: used to override OSSEC's built-in rules; value: yes
match
Any string to match against the log event.
Allowed: Any OS_Match or sregex syntax.
regex
Any regex to match against the log event.
Allowed: Any OS_Regex/regex syntax.
decoded_as
Any decoder name
category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip
Can be negated with "!".
dstip
Same as srcip.
user
Allowed: any OS_Match or sregex.
program_name
Allowed: any OS_Match or sregex.
hostname
Allowed: any OS_Match or sregex.
id
Allowed: any OS_Match or sregex.
url
Allowed: any OS_Match or sregex.
time
Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm)
weekday
Allowed: monday - sunday, weekday, weekend
if_sid
Matches if the ID has matched.
if_group
Matches if the group has matched before.
if_level
Matches if the level has matched before, 1-16
if_matched_sid
Matches if a given rule has been triggered several times within a time window; used together with frequency and timeframe.
Rules of level 0 are discarded immediately, so they cannot be used with if_matched_sid. A rule that carries the <no_log> option is not recorded either, so it cannot be used with it either.
if_matched_group
Same as above.
same_source_ip
Requires the source IP to be the same across the matches; used together with frequency and timeframe.
Example: <same_source_ip />
same_source_port
Same as above.
same_dst_port
Same as above.
same_location
Same as above.
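As an added worked example (not taken from the original page or from the OSSEC project), a pair of rules for a local rules file that combine the options described above: a base rule that matches a constructed log string, and a correlation rule that uses if_matched_sid together with the frequency, timeframe and ignore attributes and same_source_ip. The match string, the rule ids and the assumption that the log's decoder extracts the source address as srcip are mine; the outer <group name="..."> element is the usual wrapper of an OSSEC rules file.

```xml
<!-- Assumed file: local_rules.xml. User rule ids live in 100000-109999
     (see the id range above). The outer <group name="..."> element is the
     standard rules-file wrapper, not the per-rule <group> tag. -->
<group name="local,example,">

  <!-- Base rule: one authentication failure. Its level must be above 0,
       because level-0 rules are dropped at once and cannot feed
       if_matched_sid. The match string is a constructed example and the
       rule assumes the decoder for this log extracts srcip. -->
  <rule id="100001" level="3">
    <match>authentication failure</match>
    <description>Example: single authentication failure (constructed match).</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: fires when rule 100001 has matched repeatedly from
       the same source IP within timeframe seconds. Per the frequency note
       above, the number of matches that actually triggers it is two more
       than the frequency value. ignore suppresses repeat alerts for the
       given number of seconds after it fires. -->
  <rule id="100002" level="10" frequency="6" timeframe="120" ignore="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <options>alert_by_email</options>
    <description>Example: repeated authentication failures from one source IP.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```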
description
Rule description; any string.
list
Perform a CDB lookup using an OSSEC list.
info
Add information in other forms. Extra information may be added through the following values of the type attribute:
type="text": the default
type="link": a link to more information
type="cve": the CVE number (Common Vulnerabilities & Exposures) related to the alert/event
type="osvdb": the related OSVDB id (osvdb is a very lightweight db)
Example:
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
  <info type="link">http://ossec.net/wiki/Rule:205</info>
  <info type="cve">2009-1002</info>
  <info type="osvdb">61509</info>
  <info type="text">Internal Why we are running this run in our company</info>
  <info>Type text is the default</info>
</rule>
options
Additional rule options.
alert_by_email: Always alert by email.
no_email_alert: Never alert by email.
no_log: do not log this alert.
check_diff
Used to check whether a command's output has changed.
Usage: <check_diff />
group
Add additional groups to the alert.