Rules syntax
http://www.ossec.net/doc/syntax/head_rules.html
rule: Defines a rule. Attributes:
level: 0-16
id: 100-99999; 100000-109999 are assigned to users
maxsize: specifies the maximum length of the event, 1-99999
frequency: specifies how many times the rule must match before it fires, 1-9999; the actual number of matches is two more than this value. For example, with a value of 2 the rule fires only after 4 matches.
timeframe: in seconds, must be used together with frequency, 1-9999
ignore: in seconds, the time during which the rule is ignored after it fires (to avoid flooding), 1-9999
overwrite: used to override one of OSSEC's built-in rules; value: yes
match
Any string to match against the log event.
Allowed: Any OS_Match or sregex.
regex
Any regex to match against the log event.
Allowed: Any OR_Regex/regex Syntax.
decoded_as
Any decoder name
category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip
Can be negated with "!"
dstip
Same as srcip
user
Allowed: any OS_Match or sregex.
program_name
Allowed: any OS_Match or sregex.
hostname
Allowed: any OS_Match or sregex.
id
Allowed: any OS_Match or sregex.
url
Allowed: any OS_Match or sregex.
time
Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm)
weekday
Allowed: monday - sunday, weekday, weekend
if_sid
Matches if the ID has matched.
if_group
Matches if the group has matched before.
if_level
Matches if the level has matched before, 1-16
if_matched_sid
Matches if a previous rule was triggered several times within a period; used together with frequency and timeframe.
Rules at level 0 are discarded immediately, so they cannot be used with if_matched_sid. A rule with the <no_log> option is not logged either, so it cannot be used with it.
if_matched_group
Same as above
same_source_ip
Requires the source IP to be the same; used together with frequency and timeframe.
Example: <same_source_ip />
same_source_port
Same as above
same_dst_port
Same as above
same_location
Same as above
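The following is an added example, not code from the page or from the OSSEC project, showing how the correlation attributes above fit together: a base rule that fires on single events, and a composite rule that uses frequency, timeframe, if_matched_sid and same_source_ip to fire on repeated events from one source. The rule ids 100010/100011, the group name, the level values and the matched string are assumptions; the sshd decoder is used because same_source_ip only works when the decoder has extracted srcip.

```xml
<!-- Added example (not from the page or the OSSEC project). Assumed ids
     100010/100011 sit in the user range stated above (100000-109999). -->
<group name="local,authentication_failed,">

  <!-- Base rule: fires once per matching event. It is level 5, not 0,
       because level 0 rules are discarded and cannot be referenced by
       if_matched_sid. -->
  <rule id="100010" level="5">
    <decoded_as>sshd</decoded_as>          <!-- assumption: events decoded by the sshd decoder -->
    <match>Failed password</match>         <!-- assumption: the string to look for -->
    <description>Example custom rule: SSH login failure.</description>
  </rule>

  <!-- Composite rule: rule 100010 matched repeatedly from the same source IP
       within 120 seconds. With frequency="4" the rule fires after 6 matches
       (the page notes the real count is two more than the setting).
       ignore="300" suppresses re-firing for 5 minutes to avoid alert floods. -->
  <rule id="100011" level="10" frequency="4" timeframe="120" ignore="300">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Example custom rule: repeated SSH login failures from one source IP.</description>
    <group>brute_force,</group>
  </rule>

</group>
```

Placing these rules in local_rules.xml keeps them separate from the shipped rule set; the composite rule only ever fires as a consequence of the base rule, so lowering the base rule to level 0 (or adding <no_log>) would silently disable the correlation.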
description
Rule description. Any string.
list
Perform a CDB lookup using an OSSEC list.
info
Adds information in other formats. Extra information may be added through the following attributes:
value: text (the default)
value: link, a link to more information
value: cve, the CVE (Common Vulnerabilities and Exposures) number related to the alert/event
value: osvdb, the related OSVDB id (osvdb is a very lightweight db)
Example:
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
  <info type="link">http://ossec.net/wiki/Rule:205</info>
  <info type="cve">2009-1002</info>
  <info type="osvdb">61509</info>
  <info type="text">Internal Why we are running this run in our company</info>
  <info>Type text is the default</info>
</rule>
options
Additional rule options.
alert_by_email: Always alert by email.
no_email_alert: Never alert by email.
no_log: do not log this alert.
check_diff
Used to check whether the output of a command has changed.
Usage: <check_diff />
group
add additional groups to the alert.
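As an added example (not from the page or the OSSEC project) of the remaining tags, the rules below use check_diff, options, time, weekday and group together. They build on OSSEC's built-in rule 530, which matches agent command output ("ossec: output:"); that id comes from the shipped ossec_rules.xml, not from this page. The ids 100020/100021, the command string, the group name and the levels are assumptions.

```xml
<!-- Added example (not from the page or the OSSEC project). -->
<group name="local,ossec,">

  <!-- check_diff: alert only when the output of a monitored command changes.
       Assumes the agent runs this command via a <localfile> with
       <log_format>command</log_format>; 530 is OSSEC's built-in
       "command output" rule, which this rule narrows by the command text. -->
  <rule id="100020" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan | grep LISTEN | grep -v 127.0.0.1'</match>
    <check_diff />
    <options>alert_by_email</options>       <!-- always e-mail this alert -->
    <description>Example custom rule: set of listening ports changed.</description>
    <group>system_change,</group>
  </rule>

  <!-- time/weekday: raise the level of the same change when it happens
       outside business hours, when nobody is expected to be deploying.
       The time range uses the hh:mm-hh:mm form given above. -->
  <rule id="100021" level="10">
    <if_sid>100020</if_sid>
    <time>19:00-07:00</time>
    <weekday>weekend</weekday>
    <options>alert_by_email</options>
    <description>Example custom rule: listening ports changed during the weekend, outside business hours.</description>
    <group>system_change,after_hours,</group>
  </rule>

</group>
```

Because 100021 depends on 100020 through if_sid, the second rule is only evaluated for events the first already matched; the added group names are appended to the alert's groups, so an active response or a report can key on system_change or after_hours without repeating the match conditions.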