File: //usr/share/ossec/contrib/compile_alerts.txt
ossec rules reordering Mini Howto
by Meir Michanie
Patching an Ossec installation
Reordering the rules
* Stop ossec
root@topgun:/var/ossec#/etc/init.d/ossec stop
* Backup the whole ossec directory
/root# tar -C /var -zcpvf ossec-orig.tar.gz ossec
* Move the contrib directory from the source package to the oseec installation
/var/ossec# cp -a /tmp/ossec/contrib .
* Create directories to host the rules
/var/ossec# mkdir signatures user_signatures repository
* Move the file rules_config.xml to the etc directory.
/var/ossec# mv rules/rules_config.xml etc/
* Move the rest of the rules to the repository directory
/var/ossec# mv rules/* repository/
* copy the rules tag portion to a file under /var/ossec. i.e. rules.txt
* delete the rules opening and closing tags
* remove all xml code leaving only the list of the files. i.e.
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
hordeimp_rules.xml
web_rules.xml
apache_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
netscreenfw_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
spamd_rules.xml
msauth_rules.xml
policy_rules.xml
attack_rules.xml
* modify the rules tag to:
<rules>
<include>rules_ossec.xml</include>
</rules>
* list of repository directory.
/var/ossec# ls -1 repository/
apache_rules.xml
attack_rules.xml
firewall_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
ids_rules.xml
imapd_rules.xml
msauth_rules.xml
named_rules.xml
netscreenfw_rules.xml
ossec_rules.xml
pam_rules.xml
pix_rules.xml
policy_rules.xml
postfix_rules.xml
proftpd_rules.xml
pure-ftpd_rules.xml
rules-backup
sendmail_rules.xml
smbd_rules.xml
spamd_rules.xml
squid_rules.xml
sshd_rules.xml
syslog_rules.xml
telnetd_rules.xml
vsftpd_rules.xml
web_rules.xml
* Viewing the content of file rules.txt
/var/ossec# cat rules.txt
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
hordeimp_rules.xml
web_rules.xml
apache_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
netscreenfw_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
spamd_rules.xml
msauth_rules.xml
policy_rules.xml
attack_rules.xml
* Build links to the original rules files under the signatures directory
/var/ossec# COUNT=0; for i in `cat rules.txt`; do
(( COUNT = COUNT + 1)) ;
ln -s ../repository/$i `printf "signatures/%02d%s" $COUNT $i`;
done
* If you wish to alterate a rule you should remove the link of the file from signature where XX denotes the two digits number prefixing the name of the file.
/var/ossec# unlink signatures/XXattack_rules.xml
* Copy the file to be modified
/var/ossec# cp repository/attack_rules.xml signatures/XXattack_rules.xml
* Edit your file.
* write your own rules file under the directory user_signatures
/var/ossec# cat user_signatures/user_defined.xml
<group name="syslog,scans">
<rule id="9000" level="0">
<regex>Accepted publickey</regex>
<description>Accepted publickey bypass</description>
</rule>
</group>
* List the rules under signature
/var/ossec# ls -l signatures/
total 0
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 01pam_rules.xml -> ../repository/pam_rules.xml
lrwxrwxrwx 1 root root 28 2006-07-24 23:37 02sshd_rules.xml -> ../repository/sshd_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 03telnetd_rules.xml -> ../repository/telnetd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 04syslog_rules.xml -> ../repository/syslog_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 05pix_rules.xml -> ../repository/pix_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 06named_rules.xml -> ../repository/named_rules.xml
lrwxrwxrwx 1 root root 28 2006-07-24 23:37 07smbd_rules.xml -> ../repository/smbd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 08vsftpd_rules.xml -> ../repository/vsftpd_rules.xml
lrwxrwxrwx 1 root root 33 2006-07-24 23:37 09pure-ftpd_rules.xml -> ../repository/pure-ftpd_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 10proftpd_rules.xml -> ../repository/proftpd_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 11hordeimp_rules.xml -> ../repository/hordeimp_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 12web_rules.xml -> ../repository/web_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 13apache_rules.xml -> ../repository/apache_rules.xml
lrwxrwxrwx 1 root root 27 2006-07-24 23:37 14ids_rules.xml -> ../repository/ids_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 15squid_rules.xml -> ../repository/squid_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 16firewall_rules.xml -> ../repository/firewall_rules.xml
lrwxrwxrwx 1 root root 35 2006-07-24 23:37 17netscreenfw_rules.xml -> ../repository/netscreenfw_rules.xml
lrwxrwxrwx 1 root root 31 2006-07-24 23:37 18postfix_rules.xml -> ../repository/postfix_rules.xml
lrwxrwxrwx 1 root root 32 2006-07-24 23:37 19sendmail_rules.xml -> ../repository/sendmail_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 20imapd_rules.xml -> ../repository/imapd_rules.xml
lrwxrwxrwx 1 root root 29 2006-07-24 23:37 21spamd_rules.xml -> ../repository/spamd_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 22msauth_rules.xml -> ../repository/msauth_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 23policy_rules.xml -> ../repository/policy_rules.xml
lrwxrwxrwx 1 root root 30 2006-07-24 23:37 24attack_rules.xml -> ../repository/attack_rules.xml
* Compile the alerts into a monolitic rule file.
/var/ossec# perl contrib/compile_alerts.pl --user-signatures /var/ossec/user_signatures --signatures \
/var/ossec/signatures --rules-config /var/ossec/etc/rules_config.xml > rules/rules_ossec.xml
Adding /var/ossec/etc/rules_config.xml
Adding /var/ossec/user_signatures/user_defined_rules.xml
Adding /var/ossec/signatures/01pam_rules.xml
Adding /var/ossec/signatures/02sshd_rules.xml
Adding /var/ossec/signatures/03telnetd_rules.xml
Adding /var/ossec/signatures/04syslog_rules.xml
Adding /var/ossec/signatures/05pix_rules.xml
Adding /var/ossec/signatures/06named_rules.xml
Adding /var/ossec/signatures/07smbd_rules.xml
Adding /var/ossec/signatures/08vsftpd_rules.xml
Adding /var/ossec/signatures/09pure-ftpd_rules.xml
Adding /var/ossec/signatures/10proftpd_rules.xml
Adding /var/ossec/signatures/11hordeimp_rules.xml
Adding /var/ossec/signatures/12web_rules.xml
Adding /var/ossec/signatures/13apache_rules.xml
Adding /var/ossec/signatures/14ids_rules.xml
Adding /var/ossec/signatures/15squid_rules.xml
Adding /var/ossec/signatures/16firewall_rules.xml
Adding /var/ossec/signatures/17netscreenfw_rules.xml
Adding /var/ossec/signatures/18postfix_rules.xml
Adding /var/ossec/signatures/19sendmail_rules.xml
Adding /var/ossec/signatures/20imapd_rules.xml
Adding /var/ossec/signatures/21spamd_rules.xml
Adding /var/ossec/signatures/22msauth_rules.xml
Adding /var/ossec/signatures/23policy_rules.xml
Adding /var/ossec/signatures/24attack_rules.xml
processing: /var/ossec/etc/rules_config.xml
processing: /var/ossec/user_signatures/user_defined_rules.xml
processing: /var/ossec/signatures/01pam_rules.xml
processing: /var/ossec/signatures/02sshd_rules.xml
processing: /var/ossec/signatures/03telnetd_rules.xml
processing: /var/ossec/signatures/04syslog_rules.xml
processing: /var/ossec/signatures/05pix_rules.xml
processing: /var/ossec/signatures/06named_rules.xml
processing: /var/ossec/signatures/07smbd_rules.xml
processing: /var/ossec/signatures/08vsftpd_rules.xml
processing: /var/ossec/signatures/09pure-ftpd_rules.xml
processing: /var/ossec/signatures/10proftpd_rules.xml
processing: /var/ossec/signatures/11hordeimp_rules.xml
processing: /var/ossec/signatures/12web_rules.xml
processing: /var/ossec/signatures/13apache_rules.xml
processing: /var/ossec/signatures/14ids_rules.xml
processing: /var/ossec/signatures/15squid_rules.xml
processing: /var/ossec/signatures/16firewall_rules.xml
processing: /var/ossec/signatures/17netscreenfw_rules.xml
processing: /var/ossec/signatures/18postfix_rules.xml
processing: /var/ossec/signatures/19sendmail_rules.xml
processing: /var/ossec/signatures/20imapd_rules.xml
processing: /var/ossec/signatures/21spamd_rules.xml
processing: /var/ossec/signatures/22msauth_rules.xml
processing: /var/ossec/signatures/23policy_rules.xml
processing: /var/ossec/signatures/24attack_rules.xml
* Now you can start again ossec
/var/ossec#/etc/init.d/ossec start
Starting OSSEC Starting OSSEC HIDS v0.9 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Completed.
Extract of ossec.conf with the modified rules tag
/var/ossec# cat etc/ossec.conf
...
<rules>
<include>rules_ossec.xml</include>
</rules>
...