Hi thak,

I made a quick Python script that can help you out. It lists all the rules 
on /var/ossec/rules. Output example:

mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d


Working with Python 2.7.6

#!/usr/bin/python
# Rules list
# pe...@wazuh.com
# Prints every rule found under the OSSEC rules directory as
# "<file> - Rule <id> - Level <level> -> <description>"

from __future__ import print_function
import re
import os

rules_directory = "/var/ossec/rules/"

def GetRulesList(fulldir, filename):
    rule_detected = 0      # 1 while inside a <rule> ... </rule> block
    level = ""
    sidid = ""
    description = ""
    # id and level attributes on the same <rule ...> line, in that order
    pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
    # only single-line <description> elements are picked up
    pattern_description = re.compile(r'<description>(.+?)</description>')
    pattern_endrule = re.compile(r'</rule>')
    try:
        with open(fulldir) as f:
            for line in f:
                if rule_detected == 0:
                    match = re.findall(pattern_idlevel, line)
                    if match:
                        rule_detected = 1
                        sidid = match[0][0]
                        level = match[0][1]
                else:
                    if description == "":
                        match = re.findall(pattern_description, line)
                        if match:
                            description = match[0]
                    # reset on </rule> even if no description was found,
                    # otherwise the following rules in the file are skipped
                    if re.findall(pattern_endrule, line):
                        print("%s - Rule %s - Level %s -> %s" %
                              (filename, sidid, level, description))
                        rule_detected = 0
                        level = ""
                        sidid = ""
                        description = ""
    except EnvironmentError:
        print("Error: OSSEC rules directory does not appear to exist")

if __name__ == "__main__":
    print("Reading rules from directory %s" % rules_directory)
    for root, directories, filenames in os.walk(rules_directory):
        for filename in filenames:
            if filename[-4:] == ".xml":
                GetRulesList(os.path.join(root, filename), filename)



Hope it helps, regards,

Pedro S.

On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>
> Thanks!
>
> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>
>>
>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>> >
>> > What's the best way to get a list of the rules, ideally by rule # and 
>> short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4) 
>> -> "First time user executed sudo."). I need a list to update some security 
>> and compliance documentation prior to an upcoming audit. 
>> >
>>
>> All of the rules are available in the /var/ossec/rules directory. I don't 
>> think it would be too difficult to write a script to grab the names and ids.
>>
>> > -- 
>> >
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
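As an added example (mine, not Pedro's script and not anything shipped by the OSSEC project): a Python 3 rewrite of the same rule listing that parses each rules file with xml.etree instead of matching lines with regexes, so multi-line descriptions, attribute order inside `<rule>`, and rules that have no `<description>` at all are handled. It assumes the stock layout of a rules file (several top-level `<group>` elements and no document root), so each file is wrapped in a synthetic root before parsing; a file containing unescaped XML characters raises ParseError and is reported and skipped rather than silently yielding a partial list. The rule snippets embedded in it are constructed for the demonstration, and the RULES_DIR path is the /var/ossec/rules from the thread.

```python
#!/usr/bin/env python3
"""List OSSEC rules as "<file> - Rule <id> - Level <level> -> <description>".

Added example, not the script from the thread. Assumes stock rule files:
one or more <group> elements per file with no single document root.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

RULES_DIR = "/var/ossec/rules/"  # stock location, as given in the thread

# Constructed sample mimicking a stock rule file: two groups, a rule with a
# multi-line description, one with an XML entity in it, and one with no
# description element at all.
SAMPLE_RULES = """<!-- constructed sample, not a real OSSEC rule file -->
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for Sudo messages</description>
  </rule>
  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <description>First time user
    executed sudo.</description>
  </rule>
</group>
<group name="local,">
  <rule id="100001" level="3">
    <if_sid>5403</if_sid>
    <description>Sudo use &amp; escalation by local policy.</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>5403</if_sid>
  </rule>
</group>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_rules(xml_text, filename):
    """Return a list of (filename, id, level, description) tuples."""
    body = _XML_DECL.sub("", xml_text, count=1)
    # Stock files have several top-level <group> elements, so wrap them.
    root = ET.fromstring("<root>" + body + "</root>")
    rules = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        level = rule.get("level", "?")
        desc_el = rule.find("description")
        if desc_el is None:
            desc = "(no description)"
        else:
            # join text across child elements and collapse line breaks
            desc = " ".join("".join(desc_el.itertext()).split())
        rules.append((filename, rid, level, desc))
    return rules


def list_rules(directory):
    """Walk a rules directory and parse every .xml file found."""
    found = []
    for root_dir, _dirs, names in os.walk(directory):
        for name in sorted(names):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(root_dir, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    found.extend(parse_rules(fh.read(), name))
                except ET.ParseError as exc:
                    # not well-formed XML: report it instead of a partial list
                    print("skip %s: %s" % (path, exc), file=sys.stderr)
    return found


def format_rule(entry):
    """Render one tuple in the same layout as the thread's script."""
    fname, rid, level, desc = entry
    return "%s - Rule %s - Level %s -> %s" % (fname, rid, level, desc)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else RULES_DIR
    if os.path.isdir(target):
        for entry in list_rules(target):
            print(format_rule(entry))
    else:
        print("%s not found, showing the built-in sample instead" % target)
        for entry in parse_rules(SAMPLE_RULES, "sample_rules.xml"):
            print(format_rule(entry))
```

Run it with no arguments on an OSSEC host to list /var/ossec/rules, or pass another directory (for example a copy of local_rules.xml kept under version control for the audit). If the directory does not exist it prints the built-in sample so the output format can be checked anywhere.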
