List of OSSEC rules?


thak

Feb 22, 2016, 10:22:35 AM
to ossec-list
What's the best way to get a list of the rules, ideally by rule # and short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4) -> "First time user executed sudo."). I need a list to update some security and compliance documentation prior to an upcoming audit. 

dan (ddp)

Feb 22, 2016, 10:27:21 AM
to ossec...@googlegroups.com


On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>
> What's the best way to get a list of the rules, ideally by rule # and short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4) -> "First time user executed sudo."). I need a list to update some security and compliance documentation prior to an upcoming audit. 
>

All of the rules are available in the /var/ossec/rules directory. I don't think it would be too difficult to write a script to grab the names and ids.


thak

Feb 22, 2016, 10:38:43 AM
to ossec-list
Thanks!

Pedro S

Feb 25, 2016, 7:15:45 AM
to ossec-list
Hi thak,

I made a quick Python script that can help you out. It lists all the rules on /var/ossec/rules. Output example:

mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.


Working with Python 2.7.6

#!/usr/bin/python
# Rules list: print "file - Rule id - Level n -> description" for every
# <rule> block found under /var/ossec/rules (runs on Python 2.7 and 3).
from __future__ import print_function

import re
import os

rules_directory = "/var/ossec/rules/"

# OSSEC rule files open a rule as <rule id="..." level="...">, carry the
# text in <description>...</description> and close it with </rule>.
pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
pattern_description = re.compile(r'<description>(.+?)</description>')
pattern_endrule = re.compile(r'</rule>')


def GetRulesList(fulldir, filename):
    rule_detected = 0      # 1 while inside a <rule> ... </rule> block
    level = ""
    sidid = ""
    description = ""
    try:
        with open(fulldir) as f:
            for line in f:
                if rule_detected == 0:
                    match = pattern_idlevel.findall(line)
                    if match:
                        rule_detected = 1
                        sidid = match[0][0]
                        level = match[0][1]
                else:
                    if not description:
                        match = pattern_description.findall(line)
                        if match:
                            description = match[0]
                    # close the rule on </rule> even when it carries no
                    # <description>, so the following rules are not skipped
                    if pattern_endrule.search(line):
                        print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
                        rule_detected = 0
                        level = ""
                        sidid = ""
                        description = ""
    except EnvironmentError:
        print("Error: could not read %s" % fulldir)


if __name__ == "__main__":
    print("Reading rules from directory %s" % rules_directory)
    for root, directories, filenames in os.walk(rules_directory):
        for filename in filenames:
            if filename[-4:] == ".xml":
                GetRulesList(os.path.join(root, filename), filename)

Hope it helps, regards,

Pedro S.

thak

Feb 25, 2016, 1:42:01 PM
to ossec-list
Whoa, that's awesome! Thanks sir. 

Pedro Sanchez

Feb 25, 2016, 1:53:36 PM
to ossec...@googlegroups.com
You are welcome! I'll upload it into some website or repository folder.

It is quite simple but works; in the future I will also extract the PCI compliance requirement of every rule. If you need the rules with PCI requirement groups, try out the Wazuh Ruleset.

Regards,

Pedro S.
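An added example, not Pedro's script above nor anything from the OSSEC or Wazuh projects: it parses the rule files as XML instead of line by line, so multi-line <description> elements and rules with no description are handled, and it collects each rule's group tags (the parent group name plus any <group> inside the rule, which is where a Wazuh-style ruleset puts its pci_dss_* tags) for the compliance mapping Pedro mentions. The sample rules file embedded below is constructed for the example.

```python
# Added example, not the thread's script: parse OSSEC rules as XML (handles
# multi-line <description> and rules without one) and collect group tags.
import os
import xml.etree.ElementTree as ET
# Constructed sample shaped like /var/ossec/rules/*.xml; not a real rules file.
SAMPLE_RULES_XML = """
<group name="syslog,sudo,">
  <rule id="5403" level="4">
    <description>First time user executed sudo.</description>
    <group>pci_dss_10.2.5,</group>
  </rule>
  <rule id="9300" level="0" noalert="1">
    <description>Grouping for the Horde
      imp rules.</description>
  </rule>
  <rule id="9999" level="3">
    <match>rule with no description element</match>
  </rule>
</group>
"""

def _split_groups(text):
    return {g.strip() for g in (text or "").split(",") if g.strip()}

def parse_rules(xml_text, filename="rules.xml"):
    """Return one (filename, id, level, description, sorted groups) per rule; a
    rules file has several top-level <group>s and no root, so wrap it first."""
    root = ET.fromstring("<ossec_rules>%s</ossec_rules>" % xml_text)
    rules = []
    for grp in root.findall("group"):
        inherited = _split_groups(grp.get("name"))  # applies to every rule inside
        for rule in grp.findall("rule"):
            desc = " ".join((rule.findtext("description") or "").split())
            groups = set(inherited)
            for g in rule.findall("group"):
                groups |= _split_groups(g.text)
            rules.append((filename, rule.get("id"), rule.get("level"), desc, sorted(groups)))
    return rules

def list_rules_directory(rules_directory="/var/ossec/rules/"):
    """Parse every .xml file under the directory; return (rules, parse_errors)."""
    rules, errors = [], []
    for root_dir, _, filenames in os.walk(rules_directory):
        for name in sorted(n for n in filenames if n.endswith(".xml")):
            try:
                with open(os.path.join(root_dir, name)) as f:
                    rules.extend(parse_rules(f.read(), name))
            except ET.ParseError as e:  # report a file that is not well-formed XML
                errors.append("%s: %s" % (name, e))
    return rules, errors
```

Rule files that OSSEC's lenient parser accepts but that are not well-formed XML (unescaped `&`, for instance) land in the returned error list rather than being silently dropped from the audit listing.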

dan (ddp)

Feb 25, 2016, 1:57:06 PM
to ossec...@googlegroups.com
On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez <pe...@wazuh.com> wrote:
> You are welcome! I'll upload it into some website or repository folder.
>
> It is some simple but works, in the future I will extract too the PCI
> compliance requirement of every rule. If you need the rules with PCI
> requirements groups try out Wazuh Ruleset.
>

You can add it to the ossec repo in the contrib directory, then submit
a pull request.

thak

Feb 25, 2016, 2:18:57 PM
to ossec-list
Interesting. We maintain a few compliance standards (not PCI) so I will look into it for sure. 

Pedro S

Feb 26, 2016, 6:12:12 AM
to ossec-list
I'll send a pull request to ossec-hids as soon as possible; I would like to include a few options before sending it.

Rodrigo Montoro(Sp0oKeR)

Feb 26, 2016, 10:06:07 AM
to ossec...@googlegroups.com

dan (ddp)

Feb 26, 2016, 10:20:34 AM
to ossec...@googlegroups.com
The pull request was submitted and accepted. :-)