The pull request was submitted and accepted. :-)

On Fri, Feb 26, 2016 at 6:12 AM, Pedro S <pe...@wazuh.com> wrote:
> I'll send a pull request as soon as possible to ossec-hids; I would like to
> include a few options before sending it.
>
>
> On Thursday, February 25, 2016 at 8:18:57 PM UTC+1, thak wrote:
>>
>> Interesting. We maintain a few compliance standards (not PCI) so I will
>> look into it for sure.
>>
>> On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote:
>>>
>>> You are welcome! I'll upload it into some website or repository folder.
>>>
>>> It is quite simple but works; in the future I will also extract the PCI
>>> compliance requirement of every rule. If you need the rules with PCI
>>> requirements groups, try out Wazuh Ruleset.
>>>
>>> Regards,
>>>
>>> Pedro S.
>>>
>>> On Thu, Feb 25, 2016 at 7:42 PM, thak <tha.k...@gmail.com> wrote:
>>>>
>>>> Whoa, that's awesome! Thanks sir.
>>>>
>>>> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>>>>
>>>>> Hi thak,
>>>>>
>>>>> I made a quick Python script that can help you out. It lists all the
>>>>> rules on /var/ossec/rules. Output example:
>>>>>
>>>>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>>>>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>>>>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>>>>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>>>>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.
>>>>>
>>>>>
>>>>> Working with Python 2.7.6
>>>>>
>>>>> #!/usr/bin/python
>>>>> # Rules list
>>>>> # pe...@wazuh.com
>>>>>
>>>>> from __future__ import print_function
>>>>> import sys
>>>>> import re
>>>>> import os
>>>>>
>>>>> rules_directory = "/var/ossec/rules/"
>>>>>
>>>>> def GetRulesList(fulldir, filename):
>>>>>     rule_detected = 0
>>>>>     rule_description = 0
>>>>>     level = ""
>>>>>     sidid = ""
>>>>>     description = ""
>>>>>     # id and level must be on the same line as the opening <rule> tag
>>>>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>>>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>>>>     pattern_endrule = re.compile(r'</rule>')
>>>>>     try:
>>>>>         with open(fulldir) as f:
>>>>>             for line in f:
>>>>>                 if rule_detected == 0:
>>>>>                     match = re.findall(pattern_idlevel, line)
>>>>>                     if match:
>>>>>                         rule_detected = 1
>>>>>                         sidid = match[0][0]
>>>>>                         level = match[0][1]
>>>>>                 else:
>>>>>                     if rule_description == 0:
>>>>>                         match = re.findall(pattern_description, line)
>>>>>                         if match:
>>>>>                             rule_description = 1
>>>>>                             description = match[0]
>>>>>                     if rule_description == 1:
>>>>>                         match = re.findall(pattern_endrule, line)
>>>>>                         if match:
>>>>>                             print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>>>>                             rule_detected = 0
>>>>>                             rule_description = 0
>>>>>                             level = ""
>>>>>                             sidid = ""
>>>>>                             description = ""
>>>>>     except EnvironmentError:
>>>>>         print("Error: could not read rules file %s" % fulldir)
>>>>>
>>>>> if __name__ == "__main__":
>>>>>     # os.walk() yields nothing for a missing directory, so check it up front
>>>>>     if not os.path.isdir(rules_directory):
>>>>>         print("Error: OSSEC rules directory does not appear to exist")
>>>>>         sys.exit(1)
>>>>>     print("Reading rules from directory %s" % rules_directory)
>>>>>     for root, directories, filenames in os.walk(rules_directory):
>>>>>         for filename in filenames:
>>>>>             if filename.endswith(".xml"):
>>>>>                 GetRulesList(os.path.join(root, filename), filename)
>>>>>
>>>>>
>>>>>
>>>>> Hope it helps, regards,
>>>>>
>>>>> Pedro S.
>>>>>
>>>>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>
>>>>>>>
>>>>>>> On Feb 22, 2016 10:22 AM, "thak" <tha.k...@gmail.com> wrote:
>>>>>>> >
>>>>>>> > What's the best way to get a list of the rules, ideally by rule # and
>>>>>>> > short descriptive name (e.g., like the alerts... "Rule: 5403 fired (level
>>>>>>> > 4) -> "First time user executed sudo."). I need a list to update some
>>>>>>> > security and compliance documentation prior to an upcoming audit.
>>>>>>> >
>>>>>>>
>>>>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>>>>> don't think it would be too difficult to write a script to grab the
>>>>>>> names and ids.
>>>>>>>
>>>>>>> > --
>>>>>>> >
>>>>>>> > ---
>>>>>>> > You received this message because you are subscribed to the Google
>>>>>>> > Groups "ossec-list" group.
>>>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>>>> > send an email to ossec-list+...@googlegroups.com.
>>>>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>

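The same listing done with a real XML parser, as an added example that is not the script from the thread nor Wazuh's code: it parses a constructed OSSEC-style rule fragment (not a real rules file), keeps descriptions that span several lines whole, and also pulls out the pci_dss_* group tags that Pedro mentions extracting later. It assumes the rule text is well-formed XML; OSSEC rule files have no single root element, so one is wrapped around the text before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the OSSEC rule-file format (not a real rules file).
SAMPLE_RULES = """
<group name="syslog,sudo,">
  <rule id="5403" level="4">
    <description>First time user executed sudo.</description>
    <group>pci_dss_10.2.5,pci_dss_10.2.2,</group>
  </rule>
</group>
<group name="mailscanner,">
  <rule id="3751" level="6" frequency="8" timeframe="120">
    <description>Multiple attempts of
      spam.</description>
  </rule>
</group>
"""
# OSSEC tags PCI DSS requirements as group names of the form pci_dss_<requirement>.
PCI_TAG = re.compile(r"^pci_dss_([0-9][0-9.]*)$")

def split_groups(value):
    """Split OSSEC's comma-separated group list, dropping the trailing empty entry."""
    return [g.strip() for g in value.split(",") if g.strip()]

def parse_rules(xml_text):
    """Parse OSSEC rule XML into dicts. Rule files have no single root element,
    so the text is wrapped in one; a malformed file raises ET.ParseError."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for grp in root.findall("group"):
        inherited = split_groups(grp.get("name", ""))
        for rule in grp.findall("rule"):
            # Collapse descriptions that span several lines into one line.
            desc = " ".join(rule.findtext("description", default="").split())
            groups = inherited + split_groups(rule.findtext("group", default=""))
            pci = sorted({m.group(1) for m in map(PCI_TAG.match, groups) if m})
            rules.append({"id": int(rule.get("id")), "level": int(rule.get("level", "0")),
                          "description": desc, "groups": groups, "pci": pci})
    return rules

def format_rule(filename, rule):
    """Same line layout as the script in the thread, plus the PCI requirements."""
    line = "%s - Rule %d - Level %d -> %s" % (filename, rule["id"], rule["level"], rule["description"])
    if rule["pci"]:
        line += " [PCI DSS %s]" % ", ".join(rule["pci"])
    return line

if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RULES):
        print(format_rule("sample_rules.xml", rule))
```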