On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez <pe...@wazuh.com> wrote:
> You are welcome! I'll upload it into some website or repository folder.
>
> It is quite simple but it works; in the future I will also extract the PCI
> compliance requirement of every rule. If you need the rules with PCI
> requirement groups, try out the Wazuh Ruleset.
>

You can add it to the ossec repo in the contrib directory, then submit
a pull request.

> Regards,
>
> Pedro S.
>
> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.kel...@gmail.com> wrote:
>>
>> Whoa, that's awesome! Thanks sir.
>>
>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>
>>> Hi thak,
>>>
>>> I made a quick Python script that can help you out. It lists all the
>>> rules in /var/ossec/rules. Output example:
>>>
>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>>
>>>
>>> Working with Python 2.7.6
>>>
>>> #!/usr/bin/python
>>> # Rules list
>>> # pe...@wazuh.com
>>>
>>> from __future__ import print_function  # same print() form on Python 2.7 and 3
>>> import re
>>> import os
>>>
>>> rules_directory = "/var/ossec/rules/"
>>>
>>> def GetRulesList(fulldir, filename):
>>>     # Line-oriented scan: a <rule ...> opening tag starts a rule, the first
>>>     # <description> inside it is kept, and </rule> prints the line and resets.
>>>     rule_detected = 0
>>>     rule_description = 0
>>>     level = ""
>>>     sidid = ""
>>>     description = ""
>>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>     pattern_endrule = re.compile(r'</rule>')
>>>     try:
>>>         with open(fulldir) as f:
>>>             for line in f:
>>>                 if rule_detected == 0:
>>>                     match = pattern_idlevel.findall(line)
>>>                     if match:
>>>                         rule_detected = 1
>>>                         sidid = match[0][0]
>>>                         level = match[0][1]
>>>                 else:
>>>                     if rule_description == 0:
>>>                         match = pattern_description.findall(line)
>>>                         if match:
>>>                             rule_description = 1
>>>                             description = match[0]
>>>                     if rule_description == 1:
>>>                         if pattern_endrule.search(line):
>>>                             print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>>                             rule_detected = 0
>>>                             rule_description = 0
>>>                             level = ""
>>>                             sidid = ""
>>>                             description = ""
>>>     except EnvironmentError:
>>>         print("Error: could not read rules file %s" % fulldir)
>>>
>>> if __name__ == "__main__":
>>>     print("Reading rules from directory %s" % rules_directory)
>>>     if not os.path.isdir(rules_directory):
>>>         # os.walk silently yields nothing for a missing directory, so check first
>>>         print("Error: OSSEC rules directory does not appear to exist")
>>>     for root, directories, filenames in os.walk(rules_directory):
>>>         for filename in filenames:
>>>             if filename.endswith(".xml"):
>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>
>>>
>>>
>>> Hope it helps, regards,
>>>
>>> Pedro S.
>>>
>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>
>>>> Thanks!
>>>>
>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>
>>>>>
>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>> >
>>>>> > What's the best way to get a list of the rules, ideally by rule # and
>>>>> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4)
>>>>> > -> "First time user executed sudo."). I need a list to update some security
>>>>> > and compliance documentation prior to an upcoming audit.
>>>>> >
>>>>>
>>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>>> don't think it would be too difficult to write a script to grab the names
>>>>> and ids.
>>>>>
>>>>> > --
>>>>> >
>>>>> > ---
>>>>> > You received this message because you are subscribed to the Google
>>>>> > Groups "ossec-list" group.
>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>> > send an email to ossec-list+...@googlegroups.com.
>>>>> > For more options, visit https://groups.google.com/d/optout.
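The thread above answers the audit question with a line-oriented regex script. As an added example that is not part of any message in this thread, here is a Python 3 version that uses a real XML parser and handles the cases a line scanner misses: `id` and `level` attributes in either order, a description wrapped over several lines, and rule files whose several top-level `<group>` elements make them XML fragments rather than well-formed documents (they are wrapped in a synthetic root before parsing). It goes beyond the thread by also pulling the `pci_dss_*` tags from each rule's `<group>` element, the follow-up Pedro mentions. The sample rules text and the file name `sample_rules.xml` are constructed for this example; the element names follow the OSSEC rule format, but the rules are not copied from any shipped file.

```python
#!/usr/bin/env python3
# Added example, not the script posted in the thread: list OSSEC/Wazuh rules
# with xml.etree instead of line-oriented regexes, and pull PCI DSS tags.
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the OSSEC rule format (not copied from a shipped file).
# Like real rule files it has several top-level <group> elements, a rule whose
# attributes are in "level, id" order, and a description wrapped over two lines.
SAMPLE_RULES_XML = r"""<!-- constructed sample -->
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for sudo messages.</description>
  </rule>

  <rule level="4" id="5403">
    <if_sid>5400</if_sid>
    <match>TTY=</match>
    <description>First time user executed
        sudo.</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>
</group>

<group name="apache,">
  <rule id="30412" level="6">
    <if_sid>30101</if_sid>
    <match>() { :; };</match>
    <description>Shellshock attack attempt</description>
    <group>attack,pci_dss_11.4,</group>
  </rule>
</group>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_rules(xml_text):
    """Return one dict per <rule>: id, level (int), description, pci (sorted).

    OSSEC rule files are XML fragments (several roots), so the text is wrapped
    in a synthetic root element before parsing. Raises ET.ParseError on input
    that a strict XML parser rejects.
    """
    body = _XML_DECL.sub("", xml_text, count=1)
    root = ET.fromstring("<ossec_rules>" + body + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        # Collapse the whitespace of descriptions that wrap across lines.
        description = " ".join((rule.findtext("description") or "").split())
        tags = ",".join((g.text or "") for g in rule.findall("group"))
        pci = sorted({t.strip() for t in tags.split(",")
                      if t.strip().startswith("pci_dss_")})
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level", "0")),
            "description": description,
            "pci": pci,
        })
    return rules


def format_rule(filename, rule):
    """Same one-line format as the output shown in the thread."""
    return "%s - Rule %s - Level %d -> %s" % (
        filename, rule["id"], rule["level"], rule["description"])


def list_rules_directory(rules_directory):
    """Walk a rules directory and return (filename, rule) pairs, skipping files
    a strict XML parser cannot read (OSSEC's own os_xml parser is more lenient)
    so that one odd file does not hide the rest of the inventory."""
    rows = []
    for root, _dirs, filenames in os.walk(rules_directory):
        for filename in sorted(filenames):
            if not filename.endswith(".xml"):
                continue
            path = os.path.join(root, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    for rule in parse_rules(f.read()):
                        rows.append((filename, rule))
            except (OSError, ET.ParseError) as exc:
                print("skipping %s: %s" % (path, exc), file=sys.stderr)
    return rows


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 list_rules.py /var/ossec/rules
        for filename, rule in list_rules_directory(sys.argv[1]):
            print(format_rule(filename, rule), "| PCI:", ",".join(rule["pci"]) or "-")
    else:  # no directory given: run on the constructed sample
        for rule in parse_rules(SAMPLE_RULES_XML):
            print(format_rule("sample_rules.xml", rule), "| PCI:", ",".join(rule["pci"]) or "-")
```

Run it with the rules directory as the only argument to inventory a real install; without an argument it parses the constructed sample. A file that fails under the strict parser is reported on stderr with the offending line and skipped rather than aborting the whole listing, which matters when the output is feeding compliance documentation and a silent gap would go unnoticed.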