The pull request was submitted and accepted. :-)

On Fri, Feb 26, 2016 at 6:12 AM, Pedro S <pe...@wazuh.com> wrote:
> I'll send a pull request as soon as possible to ossec-hids; I would like to
> include a few options before sending it.
>
> On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote:
>> Interesting. We maintain a few compliance standards (not PCI) so I will
>> look into it for sure.
>>
>> On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>>> You are welcome! I'll upload it into some website or repository folder.
>>>
>>> It is somewhat simple but works; in the future I will also extract the PCI
>>> compliance requirement of every rule. If you need the rules with PCI
>>> requirements groups, try out Wazuh Ruleset.
>>>
>>> Regards,
>>>
>>> Pedro S.
>>>
>>> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.k...@gmail.com> wrote:
>>>> Whoa, that's awesome! Thanks sir.
>>>>
>>>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>>> Hi thak,
>>>>>
>>>>> I made a quick Python script that can help you out. It lists all the
>>>>> rules on /var/ossec/rules. Output example:
>>>>>
>>>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.
>>>>>
>>>>> Working with Python 2.7.6
>>>>>
>>>>> #!/usr/bin/python
>>>>> # Rules list
>>>>> # pe...@wazuh.com
>>>>> from __future__ import print_function  # print() form works on 2.7 and 3
>>>>>
>>>>> import sys
>>>>> import re
>>>>> import os
>>>>>
>>>>> rules_directory = "/var/ossec/rules/"
>>>>>
>>>>> def GetRulesList(fulldir, filename):
>>>>>     # Line-oriented state machine: remember the id/level of the open
>>>>>     # <rule>, pick up its <description>, report the rule at </rule>.
>>>>>     rule_detected = 0
>>>>>     rule_description = 0
>>>>>     level = ""
>>>>>     sidid = ""
>>>>>     description = ""
>>>>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>>>     pattern_endrule = re.compile(r'</rule>')
>>>>>     try:
>>>>>         with open(fulldir) as f:
>>>>>             for line in f:
>>>>>                 if rule_detected == 0:
>>>>>                     match = pattern_idlevel.findall(line)
>>>>>                     if match:
>>>>>                         rule_detected = 1
>>>>>                         sidid = match[0][0]
>>>>>                         level = match[0][1]
>>>>>                 else:
>>>>>                     if rule_description == 0:
>>>>>                         match = pattern_description.findall(line)
>>>>>                         if match:
>>>>>                             rule_description = 1
>>>>>                             description = match[0]
>>>>>                     # Close the rule on </rule> even when no single-line
>>>>>                     # <description> was seen; otherwise a rule without one
>>>>>                     # would swallow the rest of the file.
>>>>>                     if pattern_endrule.search(line):
>>>>>                         print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>>>>                         rule_detected = 0
>>>>>                         rule_description = 0
>>>>>                         level = ""
>>>>>                         sidid = ""
>>>>>                         description = ""
>>>>>     except EnvironmentError:
>>>>>         print("Error: could not read rules file %s" % fulldir)
>>>>>
>>>>> if __name__ == "__main__":
>>>>>     # os.walk() on a missing directory silently yields nothing, so check first.
>>>>>     if not os.path.isdir(rules_directory):
>>>>>         sys.exit("Error: OSSEC rules directory does not appear to exist")
>>>>>     print("Reading rules from directory %s" % rules_directory)
>>>>>     for root, directories, filenames in os.walk(rules_directory):
>>>>>         for filename in filenames:
>>>>>             if filename[-4:] == ".xml":
>>>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>>>
>>>>> Hope it helps, regards,
>>>>>
>>>>> Pedro S.
>>>>>
>>>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>>> Thanks!
>>>>>>
>>>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>>>> > What's the best way to get a list of the rules, ideally by rule #
>>>>>>> > and short descriptive name (e.g., like the alerts..."Rule: 5403 fired
>>>>>>> > (level 4) -> "First time user executed sudo."). I need a list to update
>>>>>>> > some security and compliance documentation prior to an upcoming audit.
>>>>>>>
>>>>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>>>>> don't think it would be too difficult to write a script to grab the
>>>>>>> names and ids.
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
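A Python 3 variant of the listing, added here as an example and not part of the thread or of Pedro's script: it parses the rule files with xml.etree instead of line regexes, so wrapped descriptions, rules without a description and files with several top-level <group> blocks are handled, and it reports the pci_dss_* tags from each rule's <group> element. The sample rule XML and the rule ids in it are constructed for the demonstration.

```python
# Added example (not the thread's script): read OSSEC rule files with a real XML
# parser, so multi-line <description> text, rules without a description and several
# top-level <group> blocks are handled, and report each rule's pci_dss_* tags.
import os
import xml.etree.ElementTree as ET
RULES_DIRECTORY = "/var/ossec/rules/"  # default OSSEC location, as in the thread

def parse_rules(xml_text, filename):
    """Return (filename, id, level, description, pci_tags) for every <rule>."""
    # Several top-level <group> elements are not a well-formed document: wrap them.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    results = []
    for rule in root.iter("rule"):
        desc = rule.find("description")  # may be absent or span several lines
        text = " ".join((desc.text or "").split()) if desc is not None else "(no description)"
        group = rule.find("group")       # comma-separated tags, e.g. pci_dss_10.2.5
        tags = (group.text or "").split(",") if group is not None else []
        pci = sorted(t.strip() for t in tags if t.strip().startswith("pci_dss_"))
        results.append((filename, rule.get("id"), rule.get("level"), text, pci))
    return results

def format_rule(entry):
    # Same "file - Rule id - Level n -> text" layout as the thread's script.
    filename, rule_id, level, text, pci = entry
    line = "%s - Rule %s - Level %s -> %s" % (filename, rule_id, level, text)
    return line + (" [PCI DSS: %s]" % ", ".join(pci) if pci else "")

def list_rules_directory(directory=RULES_DIRECTORY):
    """Formatted lines for every *.xml under directory (empty if it is absent)."""
    lines = []
    for root_dir, _dirs, filenames in os.walk(directory):
        for name in sorted(f for f in filenames if f.endswith(".xml")):
            with open(os.path.join(root_dir, name), encoding="utf-8", errors="replace") as f:
                lines.extend(format_rule(e) for e in parse_rules(f.read(), name))
    return lines

# Constructed sample in the layout of an OSSEC rule file (not a real file).
SAMPLE_RULES_XML = """
<group name="syslog,sshd,">
  <rule id="5710" level="5">
    <description>Attempt to login using a non-existent
      user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>
<group name="local,"><rule id="100001" level="3"><if_sid>5710</if_sid></rule></group>
"""
if __name__ == "__main__":
    print("\n".join(format_rule(e) for e in parse_rules(SAMPLE_RULES_XML, "sshd_rules.xml")))
```

On a real install, list_rules_directory() walks /var/ossec/rules and returns the same formatted lines for every rule file.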