Order of Ossec rule matching engine


Pragyat Gupta

Jan 8, 2019, 5:21:47 PM
to ossec-list
Hi,
I am confused about the order in which OSSEC matches different rules. According to my understanding, it first tries to match rules with level 0 and then in decreasing order from highest to lowest. If that is correct, then what is the order between rules of the same alert level?

Can someone please clarify this?

Thanks in advance.

Yana Zaeva

Feb 4, 2022, 3:44:58 AM
to ossec-list
Hi Gopal,

Once an alert is triggered, analysisd tries to match every existing rule. Once one rule matches (the level of this first matching rule is not relevant), analysisd starts looking at this first rule's children. If two or more children match, the rule with the higher level will be selected. If the level is the same for both rules, the rule that was found first will be the one triggered. For example, if this is our file:

```
<!--
  -  OSSEC rules
  -  Author: Daniel Cid.
  -  Updated by Wazuh, Inc.
  -  Copyright (C) 2015, Wazuh Inc.
  -  Copyright (C) 2009 Trend Micro Inc.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<group name="ossec,">
  <rule id="500" level="0">
    <category>ossec</category>
    <decoded_as>ossec</decoded_as>
    <description>Grouping of ossec rules.</description>
  </rule>

  <rule id="501" level="3">
    <if_sid>500</if_sid>
    <if_fts />
    <match>Agent started</match>
    <description>New ossec agent connected.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

<!-- other rules here -->

  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>

</group>
```
and we have a log that matches both 502 and 504, then, as they have the same level, rule 502 will be triggered because it was found first.

I would like to leave here some links for further information about rules:

Hope this was helpful. Let me know if you need anything else.

Regards,
Yana.
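As an added illustration (this is not OSSEC's source code, and it is simplified: it only supports `if_sid`, `decoded_as` and substring `match`, ignores `if_fts`, and takes the decoder name as a parameter instead of running decoders), the following Python model walks a rule tree the way the answer above describes: find the first root rule that applies, then descend into its children, keeping a later child only if its level is strictly higher than the current pick, so that a tie goes to the child found first in the file. The rule file is a trimmed copy of the one quoted above; the level-10 rule with id 100900 is a hypothetical addition used to show that a higher-level child beats file order, and the log lines are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trimmed copy of the rule file quoted in the answer (group/mitre tags dropped).
BASE_RULES = """
  <rule id="500" level="0">
    <category>ossec</category>
    <decoded_as>ossec</decoded_as>
    <description>Grouping of ossec rules.</description>
  </rule>
  <rule id="501" level="3">
    <if_sid>500</if_sid>
    <match>Agent started</match>
    <description>New ossec agent connected.</description>
  </rule>
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
  </rule>
"""

# Hypothetical child rule (not from the page): same parent, higher level.
HYPOTHETICAL_RULE = """
  <rule id="100900" level="10">
    <if_sid>500</if_sid>
    <match>disconnected</match>
    <description>Hypothetical high-severity child rule.</description>
  </rule>
"""


def rules_xml(extra: str = "") -> str:
    """Wrap the rule fragments in a <group> so they parse as one document."""
    return f'<group name="ossec,">{BASE_RULES}{extra}</group>'


@dataclass
class Rule:
    id: int
    level: int
    description: str
    match: Optional[str]       # substring that must appear in the log
    if_sid: Optional[int]      # parent rule id, None for a root rule
    decoded_as: Optional[str]  # decoder the log must have been decoded by


def parse_rules(xml_text: str) -> List[Rule]:
    """Read <rule> elements in file order; order is what breaks level ties."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        def text(tag: str) -> Optional[str]:
            el = r.find(tag)
            return el.text.strip() if el is not None and el.text else None
        rules.append(Rule(
            id=int(r.get("id")),
            level=int(r.get("level")),
            description=text("description") or "",
            match=text("match"),
            if_sid=int(text("if_sid")) if text("if_sid") else None,
            decoded_as=text("decoded_as"),
        ))
    return rules


def rule_applies(rule: Rule, log: str, decoder: str) -> bool:
    if rule.decoded_as is not None and rule.decoded_as != decoder:
        return False
    if rule.match is not None and rule.match not in log:
        return False
    return True


def best_child(children: List[Rule], log: str, decoder: str) -> Optional[Rule]:
    """File order, replaced only by a strictly higher level: ties keep the first."""
    best = None
    for child in children:
        if rule_applies(child, log, decoder) and (best is None or child.level > best.level):
            best = child
    return best


def match_log(rules: List[Rule], log: str, decoder: str = "ossec") -> Optional[Rule]:
    """Return the deepest rule selected for this log, or None if no root applies."""
    children_of: Dict[int, List[Rule]] = {}
    for r in rules:
        if r.if_sid is not None:
            children_of.setdefault(r.if_sid, []).append(r)
    current = next((r for r in rules if r.if_sid is None and rule_applies(r, log, decoder)), None)
    while current is not None:
        nxt = best_child(children_of.get(current.id, []), log, decoder)
        if nxt is None:
            return current
        current = nxt
    return None


if __name__ == "__main__":
    log = "Ossec started; Agent disconnected"  # constructed: matches 502 and 504
    print("tie ->", match_log(parse_rules(rules_xml()), log).id)                 # 502
    print("higher level ->", match_log(parse_rules(rules_xml(HYPOTHETICAL_RULE)), log).id)  # 100900
```

A result whose level is 0 (here, rule 500 when no child applies) corresponds to a log that matched only the grouping rule, which OSSEC does not alert on.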