OSSEC rule syntax

Source: internet. Editor: 程序博客网. Time: 2024/05/21 05:38

Rule syntax

http://www.ossec.net/doc/syntax/head_rules.html

rule    Defines a rule
    level: 0-16
    id: 100-99999; 100000-109999 are assigned to user-defined rules
    maxsize: maximum size of the event, 1-99999
    frequency: number of matches needed before the rule fires, 1-9999. The number of matches that actually triggers the rule is 2 more than this setting: with a value of 2, the rule fires after 4 matches.
    timeframe: in seconds; used together with frequency, 1-9999
    ignore: in seconds; the time to ignore this rule after it fires (to avoid floods), 1-9999
    overwrite: used to supersede a built-in OSSEC rule with a local copy; value: yes

match
Any string to match against the log event.
Allowed: Any OS_Match or sregex.

regex
Any regex to match against the log event.
Allowed: Any OS_Regex/regex syntax.

decoded_as
Any decoder name

category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).

srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip
Prefix the value with "!" to negate the match.

dstip
Same as srcip, compared to an IP decoded as dstip.

user
Allowed: any OS_Match or sregex.

program_name
Allowed: any OS_Match or sregex.

hostname
Allowed: any OS_Match or sregex.

id
Allowed: any OS_Match or sregex.

url
Allowed: any OS_Match or sregex.

time
Time that the event was generated.
Allowed: Any time range (hh:mm-hh:mm)

weekday
Allowed: monday - sunday, weekday, weekend

if_sid
Matches if the rule with the given ID has matched the current event (makes this rule a child of that rule).

if_group
Matches if the group has matched before.

if_level
Matches if a rule of the given level has matched before. Allowed: 1-16

if_matched_sid
Matches if an alert with the given rule ID has been triggered a set number of times within a set number of seconds; used together with frequency and timeframe.
Rules at level 0 are discarded immediately, so they cannot be used with if_matched_sid. A rule carrying the <no_log> option is not recorded either, so it cannot be used with it.

if_matched_group
Same as if_matched_sid, keyed on the group instead of the rule ID.

if_matched_level
Same as if_matched_sid, keyed on the level.

same_source_ip
Specifies that the decoded source IP must be the same across the matched events; used together with frequency and timeframe.
Example: <same_source_ip />

same_source_port
Same as same_source_ip, for the decoded source port.

same_dst_port
Same as same_source_ip, for the decoded destination port.

same_location
Same as same_source_ip, for the location (agent and log file) the events came from.
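A worked local_rules.xml fragment, added here as an example and not taken from the OSSEC distribution, that ties the rule attributes above (id, level, overwrite, frequency, timeframe, ignore) to the composite options (if_sid, if_matched_sid, same_source_ip, srcip, time, weekday). Rule IDs 100100 and 100101 are chosen from the user-defined range; 500 and 502 are the stock ossec_rules.xml rules quoted in the info example on this page; 5716 is assumed to be the stock sshd_rules.xml "SSHD authentication failed" rule, and 10.0.0.5 is a constructed address. Verify the stock IDs against your installation.

```xml
<!-- Added example for this page; not part of the OSSEC distribution.
     Drop into /var/ossec/rules/local_rules.xml. -->
<group name="local,syslog,">

  <!-- overwrite="yes": replace stock rule 502 with a local copy. The id
       must equal the stock id and the copy must repeat the original
       conditions (if_sid 500, match "Ossec started"); only the level
       is raised here. -->
  <rule id="502" level="7" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started (local override, level raised).</description>
  </rule>

  <!-- Composite rule: several sshd authentication failures from one IP.
       frequency="4" fires on the 6th matching alert (the trigger count
       is 2 more than the setting); timeframe="120" is the window in
       seconds; ignore="300" silences the rule for 5 minutes after it
       fires, so a long brute-force run yields one alert, not hundreds.
       if_matched_sid needs 5716 (assumed stock rule) to be level 1 or
       higher and to lack the no_log option; level-0 alerts are never
       kept and so can never be counted. -->
  <rule id="100100" level="10" frequency="4" timeframe="120" ignore="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <options>alert_by_email</options>
    <description>sshd: repeated authentication failures from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Child rule that whitelists a known scanner during its scheduled
       window: if_sid makes it a child of 100100, srcip restricts it to
       one host (constructed address), time and weekday to the
       maintenance slot. Level 0 suppresses the parent alert for events
       that reach this rule. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <srcip>10.0.0.5</srcip>
    <time>01:00-03:00</time>
    <weekday>weekend</weekday>
    <description>sshd failures from the vulnerability scanner during its window.</description>
  </rule>

</group>
```

/var/ossec/bin/ossec-logtest loads local_rules.xml together with the stock rules and prints the decoder and rule that match a pasted log line, so a malformed file or a base rule that never fires shows up before ossec-analysisd is restarted. Note the trade-off in ignore="300": a second attacker from a different IP within that window is still counted separately (same_source_ip keeps the counters per IP), but repeat alerts for the first IP are dropped for the whole 5 minutes.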

description
Description of the rule. Any string.

list
Perform a CDB lookup using an OSSEC list.

info
Adds information in another format. Extra information may be added through the following attributes:
       type: text        default
       type: link        a link to more information
       type: cve         the CVE (Common Vulnerabilities and Exposures) ID related to the alert/event
       type: osvdb       the related OSVDB (Open Sourced Vulnerability Database) ID
       Example:

    <rule id="502" level="3">
        <if_sid>500</if_sid>
        <options>alert_by_email</options>
        <match>Ossec started</match>
        <description>Ossec server started.</description>
        <info type="link">http://ossec.net/wiki/Rule:205</info>
        <info type="cve">2009-1002</info>
        <info type="osvdb">61509</info>
        <info type="text">Internal Why we are running this run in our company</info>
        <info>Type text is the default</info>
    </rule>

options
    Additional rule options.
    alert_by_email:  Always alert by email.
    no_email_alert:  Never alert by email.
    no_log:          Do not log this alert.

check_diff
    Used to determine when the output of a monitored command changes.
    Usage: <check_diff />

group
   add additional groups to the alert.
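A worked command-monitoring example for check_diff, options and group, added here as an example and not taken from the OSSEC distribution. It assumes the stock ossec_rules.xml rule 530 (the level-0 parent of the process-monitoring rules, matching "ossec: output: ") exists with that ID; rule ID 100200 is chosen from the user-defined range and the crontab command is the author's choice of what to watch.

```xml
<!-- Added example for this page; not part of the OSSEC distribution.
     Two fragments: the first goes in ossec.conf, the second in
     /var/ossec/rules/local_rules.xml. -->

<!-- 1. ossec.conf: run the command every hour and hand its whole output
        to the analysis engine as one event (full_command), so check_diff
        compares the complete crontab rather than single lines. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>crontab -l -u root</command>
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- 2. local_rules.xml: check_diff keeps the previous output of this
        command and fires only when the new output differs from it, so a
        stable crontab never alerts and a newly added persistence entry
        does. if_sid 530 is assumed to be the stock parent rule; the
        match string is the command as it appears in the event prefix
        "ossec: output: '<command>':". -->
<group name="local,process_monitor,">
  <rule id="100200" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'crontab -l -u root'</match>
    <check_diff />
    <options>alert_by_email</options>
    <description>root crontab changed.</description>
    <group>policy_changed,</group>
  </rule>
</group>
```

The first run after enabling the rule fires once, because there is no stored previous output to compare against; treat that alert as the baseline. Everything that follows is the diff against the last run, which is the behaviour a persistence-detection rule wants.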
