I'll send a pull request to ossec-hids as soon as possible; I would like to 
include a few options before sending it.

On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote:
>
> Interesting. We maintain a few compliance standards (not PCI) so I will 
> look into it for sure. 
>
> On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>>
>> You are welcome! I'll upload it into some website or repository folder.
>>
>> It is somewhat simple, but it works; in the future I will also extract the PCI 
>> compliance requirement of every rule. If you need the rules with PCI 
>> requirement groups, try out the Wazuh Ruleset.
>>
>> Regards,
>>
>> Pedro S.
>>
>> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.k...@gmail.com> wrote:
>>
>>> Whoa, that's awesome! Thanks sir. 
>>>
>>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>>
>>>> Hi thak,
>>>>
>>>> I made a quick Python script that can help you out. It lists all the 
>>>> rules under /var/ossec/rules. Output example:
>>>>
>>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>>>
>>>>
>>>> Working with Python 2.7.6
>>>>
>>>> #!/usr/bin/python
>>>> # Rules list
>>>> # pe...@wazuh.com
>>>>
>>>> from __future__ import print_function  # same output on Python 2.7 and 3
>>>> import re
>>>> import os
>>>>
>>>> rules_directory = "/var/ossec/rules/"
>>>>
>>>> def GetRulesList(fulldir, filename):
>>>>     # Scan one rules file line by line and print
>>>>     # "file - Rule id - Level n -> description" for every <rule> found
>>>>     rule_detected = 0
>>>>     rule_description = 0
>>>>     level = ""
>>>>     sidid = ""
>>>>     description = ""
>>>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>>     pattern_endrule = re.compile(r'</rule>')
>>>>     try:
>>>>         with open(fulldir) as f:
>>>>             for line in f:
>>>>                 if rule_detected == 0:
>>>>                     # Opening <rule id="..." level="..."> tag
>>>>                     match = re.findall(pattern_idlevel, line)
>>>>                     if match:
>>>>                         rule_detected = 1
>>>>                         sidid = match[0][0]
>>>>                         level = match[0][1]
>>>>                 else:
>>>>                     if rule_description == 0:
>>>>                         match = re.findall(pattern_description, line)
>>>>                         if match:
>>>>                             rule_description = 1
>>>>                             description = match[0]
>>>>                     # Closing </rule> tag: print the rule and reset, even if
>>>>                     # no <description> was seen, so later rules are not lost
>>>>                     if re.findall(pattern_endrule, line):
>>>>                         print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>>>                         rule_detected = 0
>>>>                         rule_description = 0
>>>>                         level = ""
>>>>                         sidid = ""
>>>>                         description = ""
>>>>     except EnvironmentError:
>>>>         print("Error: could not read rules file %s" % fulldir)
>>>>
>>>> if __name__ == "__main__":
>>>>     print("Reading rules from directory %s" % rules_directory)
>>>>     for root, directories, filenames in os.walk(rules_directory):
>>>>         for filename in filenames:
>>>>             if filename[-4:] == ".xml":
>>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>>
>>>>
>>>>
>>>> Hope it helps, regards,
>>>>
>>>> Pedro S.
>>>>
>>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>
>>>>>>
>>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>>> >
>>>>>> > What's the best way to get a list of the rules, ideally by rule # 
>>>>>> > and short descriptive name (e.g., like the alerts: "Rule: 5403 fired 
>>>>>> > (level 4) -> "First time user executed sudo.")? I need a list to update 
>>>>>> > some security and compliance documentation prior to an upcoming audit. 
>>>>>> >
>>>>>>
>>>>>> All of the rules are available in the /var/ossec/rules directory. I 
>>>>>> don't think it would be too difficult to write a script to grab the 
>>>>>> names and ids.
>>>>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
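A follow-up example, added here and not taken from Pedro's script or the ossec-hids project: a Python 3 version that parses the rule XML with ElementTree instead of line-by-line regexes, so multi-line descriptions are kept whole and the pci_dss_* groups Pedro mentioned can be pulled out per rule. The sample rule text is constructed for the example (rule ids 5400, 5403 and 30412 appear in the thread; the pci_dss values are illustrative), and wrapping the file in a synthetic root element is an assumption needed because a rules file holds several top-level <group> elements.

```python
#!/usr/bin/env python3
"""List OSSEC rules (id, level, description, PCI DSS groups) by parsing the
rule XML with a real parser instead of per-line regexes.

Added example for this thread, not Pedro's script. Assumes rule files are
well-formed XML fragments, which holds for the stock rules but is not
guaranteed for every custom file (ossec-analysisd's own parser is lenient).
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of /var/ossec/rules/*.xml: several
# top-level <group> elements in one file (so no single root), a multi-line
# description, and PCI DSS tags inside a rule's <group> element.
# The pci_dss_* values are illustrative, not copied from a real rule file.
SAMPLE_RULES = """\
<group name="syslog,sudo,">
  <rule id="5400" level="0">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for sudo messages.</description>
  </rule>

  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <description>First time user executed sudo.</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>
</group>

<group name="web,apache,">
  <rule id="30412" level="6">
    <if_sid>30400</if_sid>
    <description>Shellshock attack
    attempt</description>
    <group>attack,</group>
  </rule>
</group>
"""

def parse_rules_text(text, filename):
    """Return one dict per <rule> in the body of an OSSEC rules file."""
    # A rules file is a sequence of <group> elements with no single root,
    # so wrap it (assumed wrapper name) before handing it to ElementTree.
    root = ET.fromstring("<ossec_rules>%s</ossec_rules>" % text)
    rules = []
    for rule in root.iter("rule"):
        desc = rule.findtext("description", default="")
        groups = []
        for g in rule.findall("group"):
            groups.extend(x for x in (g.text or "").split(",") if x)
        rules.append({
            "file": filename,
            "id": int(rule.get("id")),
            "level": int(rule.get("level", "0")),
            # collapse the whitespace of multi-line descriptions
            "description": re.sub(r"\s+", " ", desc).strip(),
            "pci_dss": [x for x in groups if x.startswith("pci_dss_")],
        })
    return rules

def parse_rules_file(path):
    with open(path) as f:
        return parse_rules_text(f.read(), os.path.basename(path))

def parse_rules_dir(rules_directory="/var/ossec/rules/"):
    """Walk a rules directory; report files the parser cannot handle and go on."""
    found = []
    for root, _dirs, filenames in os.walk(rules_directory):
        for filename in sorted(filenames):
            if not filename.endswith(".xml"):
                continue
            try:
                found.extend(parse_rules_file(os.path.join(root, filename)))
            except ET.ParseError as e:
                print("skipping %s: not well-formed XML (%s)" % (filename, e),
                      file=sys.stderr)
    return found

def format_rule(r):
    """Same line layout as the script in the thread, plus PCI DSS requirements."""
    line = "%s - Rule %s - Level %s -> %s" % (
        r["file"], r["id"], r["level"], r["description"])
    if r["pci_dss"]:
        line += " [PCI DSS: %s]" % ", ".join(
            g[len("pci_dss_"):] for g in r["pci_dss"])
    return line

if __name__ == "__main__":
    # With a directory argument, list a real rules tree; otherwise the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    rules = (parse_rules_dir(target) if target
             else parse_rules_text(SAMPLE_RULES, "sample_rules.xml"))
    for r in sorted(rules, key=lambda r: r["id"]):
        print(format_rule(r))
```

Run it with no arguments to see the sample, or with /var/ossec/rules to list a real installation; a custom file that is not well-formed XML is reported on stderr and skipped rather than aborting the whole listing.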
