On Thu, Feb 25, 2016 at 1:53 PM, Pedro Sanchez <pe...@wazuh.com> wrote:
> You are welcome! I'll upload it into some website or repository folder.
>
> It is something simple but it works; in the future I will also extract the
> PCI compliance requirement of every rule. If you need the rules with PCI
> requirement groups, try out the Wazuh Ruleset.
>

You can add it to the ossec repo in the contrib directory, then submit a
pull request.

> Regards,
>
> Pedro S.
>
> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.kel...@gmail.com> wrote:
>>
>> Whoa, that's awesome! Thanks sir.
>>
>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>
>>> Hi thak,
>>>
>>> I made a quick Python script that can help you out. It lists all the
>>> rules on /var/ossec/rules. Output example:
>>>
>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>>
>>> Working with Python 2.7.6
>>>
>>> #!/usr/bin/python
>>> # Rules list
>>> # pe...@wazuh.com
>>> from __future__ import print_function  # same script runs on Python 2 and 3
>>>
>>> import re
>>> import os
>>>
>>> rules_directory = "/var/ossec/rules/"
>>>
>>> def GetRulesList(fulldir, filename):
>>>     # Line-by-line state machine: first look for the <rule id= level=>
>>>     # opening tag, then for its <description>, then for </rule>, at
>>>     # which point one output line is printed and the state is reset.
>>>     rule_detected = 0
>>>     rule_description = 0
>>>     level = ""
>>>     sidid = ""
>>>     description = ""
>>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>     pattern_endrule = re.compile(r'</rule>')
>>>     try:
>>>         with open(fulldir) as f:
>>>             lines = f.readlines()
>>>             for line in lines:
>>>                 if rule_detected == 0:
>>>                     match = re.findall(pattern_idlevel, line)
>>>                     if match:
>>>                         rule_detected = 1
>>>                         sidid = match[0][0]
>>>                         level = match[0][1]
>>>                 else:
>>>                     if rule_description == 0:
>>>                         match = re.findall(pattern_description, line)
>>>                         if match:
>>>                             rule_description = 1
>>>                             description = match[0]
>>>                     if rule_description == 1:
>>>                         match = re.findall(pattern_endrule, line)
>>>                         if match:
>>>                             print("%s - Rule %s - Level %s -> %s" %
>>>                                   (filename, sidid, level, description))
>>>                             rule_detected = 0
>>>                             rule_description = 0
>>>                             level = ""
>>>                             sidid = ""
>>>                             description = ""
>>>     except EnvironmentError:
>>>         print("Error: OSSEC rules directory does not appear to exist")
>>>
>>> if __name__ == "__main__":
>>>     print("Reading rules from directory %s" % (rules_directory))
>>>     for root, directories, filenames in os.walk(rules_directory):
>>>         for filename in filenames:
>>>             if filename[-4:] == ".xml":
>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>
>>>
>>> Hope it helps, regards,
>>>
>>> Pedro S.
>>>
>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>
>>>> Thanks!
>>>>
>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>
>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>> >
>>>>> > What's the best way to get a list of the rules, ideally by rule # and
>>>>> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired
>>>>> > (level 4) -> "First time user executed sudo."). I need a list to
>>>>> > update some security and compliance documentation prior to an
>>>>> > upcoming audit.
>>>>> >
>>>>>
>>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>>> don't think it would be too difficult to write a script to grab the
>>>>> names and ids.
>>>>>
>>>>> > --
>>>>> >
>>>>> > ---
>>>>> > You received this message because you are subscribed to the Google
>>>>> > Groups "ossec-list" group.
>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>> > send an email to ossec-list+...@googlegroups.com.
>>>>> > For more options, visit https://groups.google.com/d/optout.
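As an added example (not part of the thread and not Pedro's script): the same rule inventory produced by parsing the rule files as XML with ElementTree instead of matching lines with regexes, so a description that wraps onto a second line is captured whole, a rule with no description does not get paired with the next rule's description (which is what the line-by-line state machine above does), and the pci_dss_* tags in a rule's group element, which Pedro mentions extracting later, are reported alongside the id and level. The sample rules file is constructed, and parse_rules / format_rule are names chosen here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of an OSSEC rules file (not a real file):
# two top-level <group> blocks, a description wrapped over two lines,
# a rule without a description, and a rule tagged with PCI DSS groups.
SAMPLE_RULES_XML = """\
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for the sudo
    rules.</description>
  </rule>
  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <match>COMMAND=</match>
    <description>First time user executed sudo.</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>
</group>
<group name="local,">
  <rule id="100001" level="3">
    <if_sid>5403</if_sid>
  </rule>
</group>
"""

def parse_rules(xml_text, filename):
    """Return one (filename, id, level, description, pci_tags) tuple per <rule>."""
    # OSSEC rule files contain several top-level <group> elements, so they are
    # not one well-formed document; wrap them in a synthetic root before parsing.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        desc = rule.findtext("description", default="")
        desc = " ".join(desc.split())  # collapse line breaks inside the text
        tags = []
        for g in rule.findall("group"):
            tags += [t for t in re.split(r"\s*,\s*", g.text or "") if t.startswith("pci_dss_")]
        rules.append((filename, rule.get("id"), rule.get("level"), desc, tags))
    return rules

def format_rule(entry):
    """Render an entry in the thread's 'file - Rule id - Level n -> desc' format."""
    filename, rid, level, desc, tags = entry
    line = "%s - Rule %s - Level %s -> %s" % (filename, rid, level, desc)
    return line + (" [%s]" % ", ".join(tags) if tags else "")

if __name__ == "__main__":
    for entry in parse_rules(SAMPLE_RULES_XML, "sample_rules.xml"):
        print(format_rule(entry))
```

To run it over a real installation, read each *.xml file under /var/ossec/rules and pass its text to parse_rules in place of the sample.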