Hi thak, I made a quick Python script that can help you out. It lists all the rules in /var/ossec/rules. Output example:
mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.

Working with Python 2.7.6

#!/usr/bin/python
# Rules list
# pe...@wazuh.com
from __future__ import print_function  # same output on Python 2.7 and 3

import os
import re
import sys

rules_directory = "/var/ossec/rules/"

# Each rule is matched line by line: the id attribute must come before
# level on the <rule ...> line, and <description> must open and close on
# the same line (true for most of the stock OSSEC rule files).
pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
pattern_description = re.compile(r'<description>(.+?)</description>')
pattern_endrule = re.compile(r'</rule>')


def GetRulesList(fulldir, filename):
    rule_detected = 0
    rule_description = 0
    level = ""
    sidid = ""
    description = ""
    try:
        with open(fulldir) as f:
            lines = f.readlines()
    except EnvironmentError as e:
        print("Error: could not read %s: %s" % (fulldir, e))
        return
    for line in lines:
        if rule_detected == 0:
            match = pattern_idlevel.search(line)
            if match:
                rule_detected = 1
                sidid = match.group(1)
                level = match.group(2)
            continue
        if rule_description == 0:
            match = pattern_description.search(line)
            if match:
                rule_description = 1
                description = match.group(1)
        # Close the rule whether or not a <description> was seen, so a rule
        # without one does not swallow the next rule's description.
        if pattern_endrule.search(line):
            print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
            rule_detected = 0
            rule_description = 0
            level = ""
            sidid = ""
            description = ""


if __name__ == "__main__":
    if not os.path.isdir(rules_directory):
        print("Error: OSSEC rules directory %s does not appear to exist" % rules_directory)
        sys.exit(1)
    print("Reading rules from directory %s" % rules_directory)
    for root, directories, filenames in os.walk(rules_directory):
        for filename in filenames:
            if filename.endswith(".xml"):
                GetRulesList(os.path.join(root, filename), filename)

Hope it helps, regards,
Pedro S.

On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
> Thanks!
>
> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>> >
>> > What's the best way to get a list of the rules, ideally by rule # and
>> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4)
>> > -> "First time user executed sudo."). I need a list to update some security
>> > and compliance documentation prior to an upcoming audit.
>> >
>>
>> All of the rules are available in the /var/ossec/rules directory. I don't
>> think it would be too difficult to write a script to grab the names and ids.
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
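As an added example (not code from the original post or from the OSSEC project), here is the same rule inventory built on a real XML parser instead of line-by-line regexes. It copes with the cases the regex approach misses: a <description> that spans several lines, a rule with no description at all, id and level attributes in either order, and rule files that contain more than one top-level <group> element (which is why the file text is wrapped in a synthetic root before parsing). The default path /var/ossec/rules/ is the one from the thread; the sample rule file content and the file names are constructed for the demonstration and are not real OSSEC rule files.

```python
"""Inventory OSSEC rules (file, id, level, description) from rule XML files.

Added example, not the script from the original post.  Uses xml.etree so
multi-line descriptions, missing descriptions and attribute order are all
handled; OSSEC rule files may have several top-level <group> elements, so
the text is wrapped in a synthetic root element before parsing.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

RULES_DIRECTORY = "/var/ossec/rules/"  # default OSSEC install path (from the thread)

# Constructed sample in the shape of an OSSEC rules file (not a real one):
# two top-level <group> elements, a <description> spanning two lines, a rule
# with no <description>, and level written before id.
SAMPLE_RULES_XML = """<!-- constructed sample, not a real OSSEC rule file -->
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for Sudo messages</description>
  </rule>
  <rule level="4" id="5403">
    <if_sid>5400</if_sid>
    <description>First time user
    executed sudo.</description>
  </rule>
  <rule id="5404" level="10">
    <if_sid>5400</if_sid>
  </rule>
</group>
<group name="web,accesslog,">
  <rule id="31101" level="5">
    <description>Web server 400 error code.</description>
  </rule>
</group>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_rules(xml_text, filename="<string>"):
    """Return [(filename, id, level, description), ...] in file order.

    A leading XML declaration is dropped and the body is wrapped in a
    synthetic root so files with several top-level <group> elements parse.
    Whitespace inside <description> is collapsed; a missing one becomes "".
    Raises xml.etree.ElementTree.ParseError on a file that is not well-formed XML.
    """
    body = _XML_DECL.sub("", xml_text, count=1)
    root = ET.fromstring("<ossec_rules>" + body + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        rule_id = rule.get("id")
        level = rule.get("level")
        if rule_id is None or level is None:
            continue  # malformed rule element: nothing to inventory
        description = " ".join(rule.findtext("description", default="").split())
        rules.append((filename, int(rule_id), int(level), description))
    return rules


def format_rule(entry):
    """Render one entry in the same 'file - Rule id - Level n -> text' shape as the post."""
    filename, rule_id, level, description = entry
    return "%s - Rule %d - Level %d -> %s" % (filename, rule_id, level, description)


def list_rules_directory(directory=RULES_DIRECTORY):
    """Parse every *.xml file under directory; files that are not well-formed XML
    are reported on stderr and skipped rather than aborting the whole inventory."""
    rules = []
    for root, _dirs, filenames in os.walk(directory):
        for filename in sorted(filenames):
            if not filename.endswith(".xml"):
                continue
            path = os.path.join(root, filename)
            with open(path, encoding="utf-8", errors="replace") as f:
                try:
                    rules.extend(parse_rules(f.read(), filename))
                except ET.ParseError as e:
                    print("skipping %s: %s" % (path, e), file=sys.stderr)
    return rules


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else RULES_DIRECTORY
    if os.path.isdir(directory):
        # Sort by rule id so the list is stable for audit documentation.
        for entry in sorted(list_rules_directory(directory), key=lambda e: e[1]):
            print(format_rule(entry))
    else:
        print("%s not found; showing the constructed sample instead" % directory, file=sys.stderr)
        for entry in parse_rules(SAMPLE_RULES_XML, "sample_rules.xml"):
            print(format_rule(entry))
```

Run it with the rules directory as the first argument (or none, to use the default path); without an OSSEC install it prints the constructed sample. Because parsing is strict, any rule file that is not well-formed XML is reported and skipped rather than silently producing a wrong or partial listing, which is the behaviour you want when the output is going into compliance documentation.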