I'll send a pull request as soon as possible to ossec-hids; I would like to include a few options before sending it.
On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote:
>
> Interesting. We maintain a few compliance standards (not PCI) so I will
> look into it for sure.
>
> On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>>
>> You are welcome! I'll upload it to some website or repository folder.
>>
>> It is simple but it works; in the future I will also extract the PCI
>> compliance requirement of every rule. If you need the rules with PCI
>> requirement groups, try out the Wazuh Ruleset.
>>
>> Regards,
>>
>> Pedro S.
>>
>> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.k...@gmail.com> wrote:
>>
>>> Whoa, that's awesome! Thanks sir.
>>>
>>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>>
>>>> Hi thak,
>>>>
>>>> I made a quick Python script that can help you out. It lists all the
>>>> rules in /var/ossec/rules. Output example:
>>>>
>>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.
>>>>
>>>> Working with Python 2.7.6
>>>>
>>>> #!/usr/bin/python
>>>> # Rules list
>>>> # pe...@wazuh.com
>>>> from __future__ import print_function  # same code runs on Python 2.7 and 3
>>>>
>>>> import re
>>>> import os
>>>>
>>>> rules_directory = "/var/ossec/rules/"
>>>>
>>>> # The rule header, its description and its closing tag are each expected
>>>> # on a single line, as they are in the stock ruleset.
>>>> pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>> pattern_description = re.compile(r'<description>(.+?)</description>')
>>>> pattern_endrule = re.compile(r'</rule>')
>>>>
>>>> def GetRulesList(fulldir, filename):
>>>>     rule_detected = 0
>>>>     level = ""
>>>>     sidid = ""
>>>>     description = ""
>>>>     try:
>>>>         with open(fulldir) as f:
>>>>             for line in f:
>>>>                 if rule_detected == 0:
>>>>                     match = pattern_idlevel.findall(line)
>>>>                     if match:
>>>>                         rule_detected = 1
>>>>                         sidid, level = match[0]
>>>>                 else:
>>>>                     match = pattern_description.findall(line)
>>>>                     if match:
>>>>                         description = match[0]
>>>>                     # Reset on </rule> even when no one-line description
>>>>                     # was seen, so one odd rule cannot desynchronise the rest.
>>>>                     if pattern_endrule.search(line):
>>>>                         print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>>>                         rule_detected = 0
>>>>                         level = ""
>>>>                         sidid = ""
>>>>                         description = ""
>>>>     except EnvironmentError as err:
>>>>         print("Error: cannot read %s: %s" % (fulldir, err))
>>>>
>>>> if __name__ == "__main__":
>>>>     if not os.path.isdir(rules_directory):
>>>>         print("Error: OSSEC rules directory %s does not appear to exist" % rules_directory)
>>>>     print("Reading rules from directory %s" % rules_directory)
>>>>     for root, directories, filenames in os.walk(rules_directory):
>>>>         for filename in filenames:
>>>>             if filename.endswith(".xml"):
>>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>>
>>>> Hope it helps, regards,
>>>>
>>>> Pedro S.
>>>>
>>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>>> >
>>>>>> > What's the best way to get a list of the rules, ideally by rule #
>>>>>> > and short descriptive name (e.g., like the alerts: "Rule: 5403 fired
>>>>>> > (level 4) -> "First time user executed sudo."). I need a list to update
>>>>>> > some security and compliance documentation prior to an upcoming audit.
>>>>>> >
>>>>>>
>>>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>>>> don't think it would be too difficult to write a script to grab the
>>>>>> names and ids.
>>>>>>
>>>>>> > --
>>>>>> >
>>>>>> > ---
>>>>>> > You received this message because you are subscribed to the Google
>>>>>> > Groups "ossec-list" group.
>>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>>> > send an email to ossec-list+...@googlegroups.com.
>>>>>> > For more options, visit https://groups.google.com/d/optout.
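An added example, not Pedro S's script and not code from the OSSEC or Wazuh projects: the same listing of rule id, level and description done with Python's xml.etree instead of per-line regexes, so that descriptions split across lines and the rule-level <group> tags that carry pci_dss_* requirements in the Wazuh ruleset are picked up too. The sample rule text is constructed here in OSSEC rule syntax; the function names and the list_rules directory walker are my own.

```python
#!/usr/bin/env python3
# Added example: list OSSEC rules (id, level, description, groups) with a real
# XML parser instead of per-line regexes. Not the script from the thread.
import os
import re
import xml.etree.ElementTree as ET


def split_groups(value):
    """Turn OSSEC's comma-terminated group lists ("syslog,sudo,") into a list."""
    return [g.strip() for g in value.split(",") if g.strip()]


def parse_rules_xml(text, filename):
    """Parse one rules file's text and return a list of rule dicts.

    OSSEC rule files have several top-level <group> (and <var>) elements and
    no single document root, so the text is wrapped in a synthetic root.
    """
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # drop a declaration, if any
    root = ET.fromstring("<rules>%s</rules>" % text)
    rules = []
    for group in root.findall("group"):           # direct children only
        inherited = split_groups(group.get("name", ""))
        for rule in group.findall("rule"):
            # A rule-level <group> child adds tags (pci_dss_* in the Wazuh
            # ruleset) on top of the groups inherited from the file section.
            groups = inherited + split_groups(rule.findtext("group") or "")
            # Descriptions may span lines in the file; normalise whitespace.
            description = " ".join((rule.findtext("description") or "").split())
            rules.append({
                "file": filename,
                "id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "description": description,
                "groups": groups,
                "pci": [g for g in groups if g.startswith("pci_dss_")],
            })
    return rules


def format_rule(rule):
    """Render one rule in the 'file - Rule N - Level L -> text' form used in the thread."""
    line = "%s - Rule %d - Level %d -> %s" % (
        rule["file"], rule["id"], rule["level"], rule["description"])
    if rule["pci"]:
        line += " [PCI DSS: %s]" % ", ".join(g[len("pci_dss_"):] for g in rule["pci"])
    return line


def list_rules(rules_directory):
    """Walk a rules directory (OSSEC's default is /var/ossec/rules) and parse every .xml file."""
    if not os.path.isdir(rules_directory):
        raise IOError("rules directory %s does not exist" % rules_directory)
    rules = []
    for root, _dirs, filenames in os.walk(rules_directory):
        for filename in sorted(filenames):
            if filename.endswith(".xml"):
                with open(os.path.join(root, filename)) as f:
                    rules.extend(parse_rules_xml(f.read(), filename))
    return rules


# Constructed sample in OSSEC rule syntax (not a real ruleset file): a
# multi-line description and rule-level pci_dss_* tags, the two cases a
# per-line regex misses.
SAMPLE_XML = r"""
<var name="BAD_WORDS">core_dumped|failure|error</var>
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for the sudo rules.</description>
  </rule>
  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <description>First time user executed
      sudo.</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>
</group>
<group name="web,apache,">
  <rule id="30412" level="6">
    <if_sid>30101</if_sid>
    <regex>\(\)\s*{\s*:;\s*};</regex>
    <description>Shellshock attack attempt</description>
    <group>attack,pci_dss_11.4,</group>
  </rule>
</group>
"""

if __name__ == "__main__":
    for rule in parse_rules_xml(SAMPLE_XML, "sample_rules.xml"):
        print(format_rule(rule))
```

Point list_rules at the real directory to get the full listing for an audit; a real ruleset file is parsed the same way as the constructed sample, and since the parser reads whole elements rather than lines, a rule whose description wraps no longer desynchronises the rules after it.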