Monolitic rules file

From OSSEC Wiki

Jump to: navigation, search

Rules management

by Meir Michanie

meirm ( at ) riunx dot com

OSSEC rules management Mini Howto

Patching an Ossec installation

[edit]

Reordering the rules

Stop ossec

root@topgun:/var/ossec#/etc/init.d/ossec stop

Backup the whole ossec directory

/root# tar -C /var -zcpvf ossec-orig.tar.gz ossec

Move the contrib directory from the source package to the oseec installation

/var/ossec# cp -a /tmp/ossec/contrib .

Create directories to host the rules

/var/ossec# mkdir signatures user_signatures repository

Move the file rules_config.xml to the etc directory.

/var/ossec# mv rules/rules_config.xml etc/

Move the rest of the rules to the repository directory

/var/ossec# mv rules/* repository/

copy the rules tag portion to a file under /var/ossec. i.e. rules.txt
delete the rules opening and closing tags
remove all xml code leaving only the list of the files. i.e.

pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
hordeimp_rules.xml
web_rules.xml
apache_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
netscreenfw_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
spamd_rules.xml
msauth_rules.xml
policy_rules.xml
attack_rules.xml

modify the rules tag to:

<rules>
 <include>rules_ossec.xml</include>
</rules>

list of repository directory.

/var/ossec# ls -1 repository/
apache_rules.xml
attack_rules.xml
firewall_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
ids_rules.xml
imapd_rules.xml
msauth_rules.xml
named_rules.xml
netscreenfw_rules.xml
ossec_rules.xml
pam_rules.xml
pix_rules.xml
policy_rules.xml
postfix_rules.xml
proftpd_rules.xml
pure-ftpd_rules.xml
rules-backup
sendmail_rules.xml
smbd_rules.xml
spamd_rules.xml
squid_rules.xml
sshd_rules.xml
syslog_rules.xml
telnetd_rules.xml
vsftpd_rules.xml
web_rules.xml

Viewing the content of file rules.txt

/var/ossec# cat rules.txt
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
hordeimp_rules.xml
web_rules.xml
apache_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
netscreenfw_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
spamd_rules.xml
msauth_rules.xml
policy_rules.xml
attack_rules.xml

Build links to the original rules files under the signatures directory

/var/ossec# COUNT=0; for i in `cat rules.txt`; do 
(( COUNT = COUNT + 1)) ;
ln -s ../repository/$i `printf "signatures/%02d%s" $COUNT $i`; 
done

If you wish to alterate a rule you should remove the link of the file from signature where XX denotes the two digits number prefixing the name of the file.

/var/ossec# unlink signatures/XXattack_rules.xml

Copy the file to be modified

/var/ossec# cp repository/attack_rules.xml signatures/XXattack_rules.xml

Edit your file.
write your own rules file under the directory user_signatures

/var/ossec# cat user_signatures/user_defined.xml
<group name="syslog,scans">
 <rule id="9000" level="0">
      <regex>Accepted publickey</regex>

      <description>Accepted publickey bypass</description>
 </rule>
</group>

List the rules under signature

/var/ossec# ls -l signatures/
total 0
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 01pam_rules.xml -> ../repository/pam_rules.xml
lrwxrwxrwx 1 root root 28 2006-07-24 23:37 02sshd_rules.xml -> ../repository/sshd_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 03telnetd_rules.xml -> ../repository/telnetd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 04syslog_rules.xml -> ../repository/syslog_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 05pix_rules.xml -> ../repository/pix_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 06named_rules.xml -> ../repository/named_rules.xml
lrwxrwxrwx 1 root root 28 2006-07-24 23:37 07smbd_rules.xml -> ../repository/smbd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 08vsftpd_rules.xml -> ../repository/vsftpd_rules.xml
lrwxrwxrwx 1 root root 33 2006-07-24 23:37 09pure-ftpd_rules.xml -> ../repository/pure-ftpd_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 10proftpd_rules.xml -> ../repository/proftpd_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 11hordeimp_rules.xml -> ../repository/hordeimp_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 12web_rules.xml -> ../repository/web_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 13apache_rules.xml -> ../repository/apache_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 14ids_rules.xml -> ../repository/ids_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 15squid_rules.xml -> ../repository/squid_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 16firewall_rules.xml -> ../repository/firewall_rules.xml
lrwxrwxrwx 1 root root 35 2006-07-24 23:37 17netscreenfw_rules.xml -> ../repository/netscreenfw_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 18postfix_rules.xml -> ../repository/postfix_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 19sendmail_rules.xml -> ../repository/sendmail_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 20imapd_rules.xml -> ../repository/imapd_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 21spamd_rules.xml -> ../repository/spamd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 22msauth_rules.xml -> ../repository/msauth_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 23policy_rules.xml -> ../repository/policy_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 24attack_rules.xml -> ../repository/attack_rules.xml

Compile the alerts into a monolitic rule file.

/var/ossec# perl contrib/compile_alerts.pl --user-signatures /var/ossec/user_signatures --signatures \
/var/ossec/signatures --rules-config /var/ossec/etc/rules_config.xml > rules/rules_ossec.xml
Adding /var/ossec/etc/rules_config.xml
Adding /var/ossec/user_signatures/user_defined_rules.xml
Adding /var/ossec/signatures/01pam_rules.xml
Adding /var/ossec/signatures/02sshd_rules.xml
Adding /var/ossec/signatures/03telnetd_rules.xml
Adding /var/ossec/signatures/04syslog_rules.xml
Adding /var/ossec/signatures/05pix_rules.xml
Adding /var/ossec/signatures/06named_rules.xml
Adding /var/ossec/signatures/07smbd_rules.xml
Adding /var/ossec/signatures/08vsftpd_rules.xml
Adding /var/ossec/signatures/09pure-ftpd_rules.xml
Adding /var/ossec/signatures/10proftpd_rules.xml
Adding /var/ossec/signatures/11hordeimp_rules.xml
Adding /var/ossec/signatures/12web_rules.xml
Adding /var/ossec/signatures/13apache_rules.xml
Adding /var/ossec/signatures/14ids_rules.xml
Adding /var/ossec/signatures/15squid_rules.xml
Adding /var/ossec/signatures/16firewall_rules.xml
Adding /var/ossec/signatures/17netscreenfw_rules.xml
Adding /var/ossec/signatures/18postfix_rules.xml
Adding /var/ossec/signatures/19sendmail_rules.xml
Adding /var/ossec/signatures/20imapd_rules.xml
Adding /var/ossec/signatures/21spamd_rules.xml
Adding /var/ossec/signatures/22msauth_rules.xml
Adding /var/ossec/signatures/23policy_rules.xml
Adding /var/ossec/signatures/24attack_rules.xml
processing: /var/ossec/etc/rules_config.xml
processing: /var/ossec/user_signatures/user_defined_rules.xml
processing: /var/ossec/signatures/01pam_rules.xml
processing: /var/ossec/signatures/02sshd_rules.xml
processing: /var/ossec/signatures/03telnetd_rules.xml
processing: /var/ossec/signatures/04syslog_rules.xml
processing: /var/ossec/signatures/05pix_rules.xml
processing: /var/ossec/signatures/06named_rules.xml
processing: /var/ossec/signatures/07smbd_rules.xml
processing: /var/ossec/signatures/08vsftpd_rules.xml
processing: /var/ossec/signatures/09pure-ftpd_rules.xml
processing: /var/ossec/signatures/10proftpd_rules.xml
processing: /var/ossec/signatures/11hordeimp_rules.xml
processing: /var/ossec/signatures/12web_rules.xml
processing: /var/ossec/signatures/13apache_rules.xml
processing: /var/ossec/signatures/14ids_rules.xml
processing: /var/ossec/signatures/15squid_rules.xml
processing: /var/ossec/signatures/16firewall_rules.xml
processing: /var/ossec/signatures/17netscreenfw_rules.xml
processing: /var/ossec/signatures/18postfix_rules.xml
processing: /var/ossec/signatures/19sendmail_rules.xml
processing: /var/ossec/signatures/20imapd_rules.xml
processing: /var/ossec/signatures/21spamd_rules.xml
processing: /var/ossec/signatures/22msauth_rules.xml
processing: /var/ossec/signatures/23policy_rules.xml
processing: /var/ossec/signatures/24attack_rules.xml

Now you can start again ossec

/var/ossec#/etc/init.d/ossec start
Starting OSSECStarting OSSEC HIDS v0.9 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Completed.

Extract of ossec.conf with the modified rules tag

/var/ossec# cat etc/ossec.conf
...
 <rules>
   <include>rules_ossec.xml</include>
 </rules>
...

Retrieved from "http://ossec.net/wiki/index.php/Monolitic_rules_file"

From OSSEC Wiki

Reordering the rules

Views

Personal tools

Navigation

Documentation

Search