Rules Syntax¶
Overview¶
Options¶
- rule¶
Defines a rule
Attributes:
level
- Specifies the level of the rule. Alerts and responses use this value.
- Allowed: Any number (0 to 16)
id
- Specifies the ID of the rule.
- Allowed: Any number from 100 to 99999
maxsize
- Specifies the maximum size of the event.
- Allowed: Any number from 1 to 99999
frequency
- Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
- Allowed: Any number from 1 to 999
- Example: frequency=”2” would mean the rule must be matched 4 times
Note
More information about how frequency is counted can be found in this thread.
timeframe
- The timeframe in seconds.
- This option is intended to be used with the frequency option.
- Allowed: Any number from 1 to 9999
ignore
- The time (in seconds) to ignore this rule after firing it (to avoid floods).
- Allowed: Any number from 1 to 9999
- overwrite
- Used to supercede an OSPatrol rule with local changes.
- This is useful to change the level or other options of rules included with OSPatrol.
- Allowed yes
- match¶
- Any string to match against the log event.
- Allowed: Any OS_Match/sregex Syntax
- regex¶
- Any regex to match against the log event.
- Allowed: Any OR_Regex/regex Syntax
- decoded_as¶
- Any decoder name (see Decoders Syntax)
- Allowed: Any decoder name
- category¶
- The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
- Allowed: Any category categories
- srcip¶
- Any IP address or CIDR block to be compared to an IP decoded as srcip.
- Use ”!” to negate it.
- Allowed: Any srcip
- dstip¶
- Any IP address or CIDR block to be compared to an IP decoded as dstip.
- Use ”!” to negate it.
- Allowed: Any dstip
- user¶
- Any username (decoded as the username).
- Allowed: any OS_Match/sregex Syntax
- program_name¶
- Program name is decoded from syslog process name.
- Allowed: any OS_Match/sregex Syntax
- hostname¶
- Any hostname (decoded as the syslog hostname) or log file.
- Allowed: any OS_Match/sregex Syntax
- time¶
- Time that the event was generated.
- Allowed: Any time range (hh:mm-hh:mm)
- Example: <time>6 am - 6 pm</time>
- weekday¶
- Week day that the event was generated.
- Allowed: monday - sunday, weekday, weekend
- id¶
- Any ID (decoded as the ID).
- Allowed: any OS_Match/sregex Syntax
- url¶
- Any URL (decoded as the URL).
- Allowed: any OS_Match/sregex Syntax
- if_sid¶
- Matches if the ID has matched.
- Allowed: Any rule id
- if_group¶
- Matches if the group has matched before.
- Allowed: Any Group
- if_level¶
- Matches if the level has matched before.
- Allowed: Any level from 1 to 16
- if_matched_sid¶
- Matches if an alert of the defined ID has been triggered in a set number of seconds.
- This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
- Allowed: Any rule id
- if_matched_group¶
- if_matched_level¶
- same_source_ip¶
- Specifies that the source ip must be the same.
- This option is used in conjunction with frequency and timeframe.
Example: <same_source_ip />
- same_source_port¶
- same_dst_port¶
- same_location¶
- description¶
- Rule description.
- Allowed: Any string
- list¶
Preform a CDB lookup using an OSPatrol list. This is a fast on disk database which will always find keys within two seeks of the file.
Attributes:
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is preformed:
Value: match_key
- Positive key match: field is the key to search within the cdb and will match if they key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and the key to search within the cdb and will match if they key is present.
Value: not_address_match_key
- Negative key match: field is an IP address the key to search and will match if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value
Allowed:
Path to the CDB file to be used for lookup from the OSPatrol directory. This file must also be included in the ospatrol.conf file.Example:
<rule id="100000" level="7"> <list lookup="match_key" field="srcip">path/to/list/file</list> <description>Checking srcip against cdb list file</description> </rule>
- info¶
Extra information may be added through the following attributes:
Attributes:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: ovsdb
The osvdb id related to this alert/event.
Allowed: String but content is dependent on the type attribute.
Example:
<rule id="502" level="3"> <if_sid>500</if_sid> <options>alert_by_email</options> <match>OSPatrol started</match> <description>OSPatrol server started.</description> <info type="link">http://ospatrol.com/go/rule:205</info> <info type="cve">2009-1002</info> <info type="osvdb"> 61509</info> <info type="text">Internal Why we are running this run in our company</info> <info>Type text is the default</info> </rule>
- options¶
Additional rule options
Allowed:
- alert_by_email
- Always alert by email.
- Example: <options>alert_by_email</options>
- no_email_alert
- Never alert by email.
- Example: <options>no_email_alert</options>
- no_log
- Do not log this alert.
- Example: <options>no_log</options>
- check_diff¶
Used to determine when the output of a command changes.
Usage: <check_diff />
Additional info: Daniel Cid has written a blog post about the feature.
- group¶
- Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.
Example: <group>group1, group2</group>