Seems like a neat idea but I see some problems with this:

1. If you're giving an alert that already tripped a rule as an input what's the point of a new rule. Is this just for creating ignore rules?

2. Your example rule additional options are flawed.

<hostname>agentgentoo->/var/log/messages</hostname>

your example log doesn't have the hostname in the log and what you're putting in there is actually the location of the agent that generated the alert

<match>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</match>
<regex>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</regex>

Why specify a regex option if you're not using any regex functions? Are you using a custom decoder to get url, id, and srcip from that log? Testing here with version 2.0 and all OSSEC extracts is program_name "null" and log as the full event.

Like I said this is definitely a neat idea and according to ossec.uservoice.com people do want a rule gui (what's wrong with XML rules?).

-cnk

On Thu, Jun 4, 2009 at 12:53 PM, <[email protected]> wrote:
>
> Following the "success" of the online logtest, I decided to write a
> rule creator online.
> You paste the alert (from alerts.log or the one you get by email) and
> it will create
> a rule for you.
>
> Link: http://sucuri.net/index.php?page=docs&title=ossecrules
>
>
> Example:
>
> Pasting my last email alert:
>
> OSSEC HIDS Notification.
> 2009 Jun 04 11:36:20
>
> Received From: agentgentoo->/var/log/messages
> Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
> from same source ip."
> Portion of the log(s):
>
> 10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php 33 HTTP/1.0"
> 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
>
>
> I get:
>
> "
>
> Suggested rule:
>
> <rule id="100301" level="0">
> <if_sid>31151</if_sid>
> <description>OSSEC rule online. set your description and
> severity.</description>
> </rule>
>
> Additional options you can use:
>
> <hostname>agentgentoo->/var/log/messages</hostname>
> <match>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php
> HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;1813)"</match>
> <regex>10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php
> HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1;1813)"</regex>
> <srcip>10.20.1.2</srcip>
> <url>/foo.php</url>
> <id>404</id>
> "
>
>
> --dd
>
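As an added example that is not part of this thread and not the sucuri.net generator's code, here is a small Python rule builder that takes the pasted e-mail alert and produces a child rule in the shape discussed above, but addresses the two objections raised in the reply: it splits "Received From: agent->location" so that only the agent name goes into <hostname> (the path is the log location), and it emits a <regex> that actually generalises the client address and timestamp with OSSEC's \d+ / \w+ / \S+ classes instead of pasting the literal line. Because the reply reports that OSSEC 2.0 does not decode url, id or srcip for this log, the <srcip>/<url>/<id> options are only emitted when the caller asks for them. The alert layout, the Apache access-log layout, and the OSSEC regex syntax assumed (\d+ digits, \w word characters, \S+ non-space, "." and "[" literal, "^" anchors) are assumptions of this example, and the rule id 100301 is the one from the thread.

```python
"""
Added example (not part of the thread, not the sucuri.net generator's code):
build an OSSEC child rule from a pasted OSSEC e-mail alert.

Assumptions (also stated in the lead-in):
  * alert layout as pasted in the thread: "Received From: agent->location",
    "Rule: N fired (level L)", "Portion of the log(s):" followed by the log line
  * OSSEC regex syntax: \\d+ digits, \\w word chars, \\S+ non-space,
    plain "." and "[" are literals, "^" anchors at start of the log
  * Apache access-log layout as shown in the thread
"""
import re
from xml.sax.saxutils import escape

# Constructed sample: the alert quoted in the thread (the "33" in the request is kept as pasted).
SAMPLE_ALERT = """OSSEC HIDS Notification.
2009 Jun 04 11:36:20

Received From: agentgentoo->/var/log/messages
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

10.20.1.2 - - [04/Jun/2009:11:36:18 -0300] "GET /foo.php 33 HTTP/1.0" 404 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
"""

RECEIVED_RE = re.compile(r"^Received From:\s*(?P<agent>[^\s>]+)->(?P<location>\S+)", re.M)
RULE_RE = re.compile(r"^Rule:\s*(?P<sid>\d+) fired \(level (?P<level>\d+)\)", re.M)
# Apache access-log prefix: client ip, identd, user, [timestamp], "request", status.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)(?P<rest>[^"]*)" (?P<status>\d+)'
)

# OSSEC regex fragments (assumed syntax, see module docstring). "." is literal in OSSEC.
OSSEC_IP = r"\d+.\d+.\d+.\d+"
OSSEC_TS = r"[\d+/\w+/\d+:\d+:\d+:\d+ \S+]"
OSSEC_META = "\\+*^$|()"  # characters that are special in OSSEC regex


def parse_alert(text):
    """Return agent, log location, rule id, level and the log line from an e-mail alert."""
    agent_m = RECEIVED_RE.search(text)
    rule_m = RULE_RE.search(text)
    if not agent_m or not rule_m:
        raise ValueError("not an OSSEC e-mail alert: missing 'Received From' or 'Rule' line")
    lines = text.splitlines()
    log = None
    for i, line in enumerate(lines):
        if line.startswith("Portion of the log(s):"):
            # first non-empty line after the marker is the log portion
            log = next((c.strip() for c in lines[i + 1:] if c.strip()), None)
            break
    if log is None:
        raise ValueError("alert has no log portion")
    return {"agent": agent_m.group("agent"), "location": agent_m.group("location"),
            "sid": int(rule_m.group("sid")), "level": int(rule_m.group("level")), "log": log}


def parse_access_log(log):
    """Extract srcip, url and status ourselves; OSSEC 2.0 does not decode them for this log."""
    m = ACCESS_RE.match(log)
    if not m:
        raise ValueError("log line is not in Apache access-log format")
    return m.groupdict()


def ossec_regex_for(log):
    """Generalise client address and timestamp, keep method/URL/status literal."""
    f = parse_access_log(log)
    literal = '%s %s %s "%s %s%s" %s' % (OSSEC_IP, f["ident"], f["user"],
                                          f["method"], f["url"], f["rest"], f["status"])
    for part in (f["ident"], f["user"], f["method"], f["url"], f["rest"]):
        if any(ch in part for ch in OSSEC_META):
            raise ValueError("OSSEC regex metacharacter in %r; escaping not handled here" % part)
    return "^%s %s %s %s %s" % (OSSEC_IP, f["ident"], f["user"], OSSEC_TS, literal.split(" ", 3)[3])


def build_rule(alert, rule_id=100301, level=0, description=None, include_decoded_fields=False):
    """Emit a child rule of the alerting rule. level=0 makes it an ignore rule."""
    f = parse_access_log(alert["log"])
    opts = ["<if_sid>%d</if_sid>" % alert["sid"]]
    # "Received From" is agent->location; only the agent name is a host name, the
    # path is the agent's log location and must not be pasted into <hostname>.
    opts.append("<hostname>%s</hostname>" % escape(alert["agent"]))
    if include_decoded_fields:  # only useful if a decoder actually provides these fields
        opts += ["<srcip>%s</srcip>" % escape(f["srcip"]),
                 "<url>%s</url>" % escape(f["url"]),
                 "<id>%s</id>" % escape(f["status"])]
    opts.append("<regex>%s</regex>" % escape(ossec_regex_for(alert["log"])))
    if description is None:
        description = "Child of rule %d: %s %s returned %s" % (
            alert["sid"], f["method"], f["url"], f["status"])
    opts.append("<description>%s</description>" % escape(description))
    return '<rule id="%d" level="%d">\n%s\n</rule>' % (
        rule_id, level, "\n".join("  " + o for o in opts))


if __name__ == "__main__":
    print(build_rule(parse_alert(SAMPLE_ALERT)))
```

The generated <regex> drops everything after the status code on purpose: a <match> or <regex> that embeds the exact timestamp, as in the suggested rule above, can only ever match the one event that produced the alert, while the generalised form fires on any client requesting the same URL with the same status. Parentheses in the User-Agent would be grouping operators in OSSEC regex, which is why the literal part is checked for metacharacters rather than escaped.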
