On Tue, May 12, 2020 at 8:57 AM Dominik Vogt <
domini...@gmx.de> wrote:
>
> I'm struggling to understand how to write custom rules.
> Unfortunately the "<group>" tag seems to be completely
> undocumented, and the book doesn't explain it either:
>
> Each rule, or grouping of rules, must be defined within a
> <group></group> element. Your attribute name must contain the
> rules you want to be part of this group.
>
> ...
>
> <group name="syslog,sshd,">
> <rule id="100120" level ="5"> ... </rule>
> ...
> </group>
>
> The "name" of the group is a comma separated list of rules that
> are "part of the group"? What does that mean?
>
They're kind of like tags that help label the rules.
> --
>
> Specifically, I want to try out the example from the chapter
> "Increasing the Alert Severity for Important Files":
>
> <rule id="100614" level="10">
> <if_group>syscheck</if_group>
> <match>for:'/etc/foobar</match>
> </rule>
>
> So, this needs to be enclosed in a <group> tag? What is the
> supposed value of the "name" attribute?
>
Whatever you want. I'd start with local, and maybe add other things if
I want to be able to use them later.
> Ciao
>
> Dominik ^_^ ^_^
>
> --
>
> Dominik Vogt
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ossec-list+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/20200512125638.wk4kklcfzi3eunp2%40gmx.de.
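The exchange above boils down to one point: the `name` attribute of `<group>` is a comma-separated list of tags, every rule inside the element inherits those tags, and `<if_group>` in another rule is checked against the tags of the rule that matched first. The following Python script is an added illustration of that mechanism and is not code from the thread or from the OSSEC project. It parses a constructed `local_rules.xml` fragment (the thread's rule 100614 wrapped in `<group name="local,syscheck,">`, plus a made-up `<description>` and a rule-level `<group>` child), computes each rule's effective tag list, and approximates the `<if_group>` and `<match>` checks. The sample alert text and the parent rule's group list are constructed placeholders, and `<match>` is treated as a plain substring test rather than OSSEC's own pattern syntax.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment (not OSSEC's own file): the rule from
# the thread placed inside a <group> whose name lists the tags "local" and
# "syscheck", as the reply suggests. The <description> and the rule-level
# <group> child are additions for the example.
LOCAL_RULES_XML = """
<group name="local,syscheck,">
  <rule id="100614" level="10">
    <if_group>syscheck</if_group>
    <match>for:'/etc/foobar</match>
    <description>Change to a critical file (/etc/foobar)</description>
    <group>critical_file,</group>
  </rule>
</group>
"""


def split_tags(text):
    """Split an OSSEC-style comma-separated tag list, ignoring empty entries
    such as the one left by the conventional trailing comma."""
    return [t.strip() for t in (text or "").split(",") if t.strip()]


def load_rules(xml_text):
    """Return {rule_id: {"level", "groups", "if_group", "match"}}.

    A rule's effective tags are the tags of its enclosing <group name="...">
    plus any tags declared in the rule's own <group> child element.
    """
    # A rules file may hold several top-level <group> elements, so wrap the
    # text in a synthetic root element before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = {}
    for grp in root.findall("group"):
        inherited = split_tags(grp.get("name"))
        for rule in grp.findall("rule"):
            own = split_tags(rule.findtext("group"))
            rules[rule.get("id")] = {
                "level": int(rule.get("level")),
                "groups": inherited + [t for t in own if t not in inherited],
                "if_group": rule.findtext("if_group"),
                "match": rule.findtext("match"),
            }
    return rules


def rule_can_fire(rule, parent_groups, log_line):
    """Approximate the two conditions the thread's rule depends on:
    the rule that matched first must carry the <if_group> tag, and the alert
    text must contain the <match> string (substring test; OSSEC's real
    matcher uses its own pattern syntax)."""
    if rule["if_group"] is not None and rule["if_group"] not in parent_groups:
        return False
    if rule["match"] is not None and rule["match"] not in log_line:
        return False
    return True


def demo():
    """Resolve rule 100614's tags and run it against two constructed alerts."""
    rule = load_rules(LOCAL_RULES_XML)["100614"]
    # Placeholder tag list for the built-in syscheck rule assumed to have
    # matched first; not copied from OSSEC's ruleset.
    parent_groups = ["ossec", "syscheck"]
    # Constructed alert texts shaped to the rule's <match> string.
    hit = rule_can_fire(rule, parent_groups,
                        "Integrity checksum changed for:'/etc/foobar'")
    miss = rule_can_fire(rule, parent_groups,
                         "Integrity checksum changed for:'/etc/motd'")
    return rule["groups"], hit, miss


if __name__ == "__main__":
    groups, hit, miss = demo()
    print("effective tags of rule 100614:", groups)
    print("fires on /etc/foobar change:", hit)
    print("fires on /etc/motd change:", miss)
```

Running the script shows that the rule carries the tags `local`, `syscheck` and `critical_file`, which is what `<if_group>` in any later rule would be compared against, and that the rule fires only when both the parent-group condition and the `<match>` text line up.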