Hi, I have trouble wrapping my head around groups for rules in OSSEC. From my understanding, which may be wrong, there are six general groups as specified in rules_config.xml: syslog, firewall, ids, web-log, squid, windows, ossec. I realized that these "general groups" are actually called "categories."

In other XML rules, it always starts with a <group> header (but they are in fact categories), where I assume the rules therein are included within the group(s). Each rule lists a "rule id," which I totally understand; however, I don't really understand the concept of the <if_sid> marker. For example, in msauth_rules.xml:

<if_sid>18100</if_sid>

Moreover, in some rules, I will see the occasional <id> marker. For example, in msauth_rules.xml:

<id>^63|^641|^664|^658|^659|^660|^662|^668|^4907</id>

I'm not really certain what this is for. Not to mention the documentation explains <id> as a field to match any ID and <if_sid> as "Matches if the ID has matched." What? Why is <if_sid> necessary?

The rules seem to sometimes include the <group> marker as well. For example, in msauth_rules.xml:

<group>adduser,account_changed,</group>

I figured that these groups are different from the categories. The confusion comes from the <email_alerts> configuration. There's an option called <group> where the documentation describes the allowed values as "Any group (category)." Which one can I use? Groups or categories?

In my attempts to organize alert reporting into two categories (Windows and non-Windows agents), I have tried to organize them via categories, taking advantage of the windows category. However, I realized the Windows servers have alerts outside of the windows category, so that plan failed miserably. I'm thinking, then: since the location of log files for Windows machines is different from UNIX machines, is there a way to organize this somehow? That is, I want to exploit the fact that the OSSEC agent checks for events in different log files for each type of operating system. I also noticed (I don't know if this is entirely true) that the Windows logging style is "eventlog" whereas for UNIX machines it is generally "syslog" and "apache." Is there a way I can exploit this fact and send email alerts based on this distinction?

Sorry for the long, windy email. Thank you for your time.
--
Hac Phan
Unix System Administrator
Network & Infrastructure, RSSP-IT
UC Berkeley
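The markers the question asks about, shown in one constructed parent/child rule pair plus the alert routing that selects on them. This is an added example, not code from the original post or from the OSSEC rule set; the rule IDs 100100/100101, the group name "windows_example", the agent-name prefix "win-" and the address are assumed placeholders.

```xml
<!-- Constructed example: rule IDs (100100, 100101), the agent-name
     prefix "win-" and the address are placeholders, not real OSSEC rules. -->

<!-- rules/local_rules.xml -->
<group name="local,windows_example,">

  <!-- Parent rule: matches any event the windows decoders produced
       (the "category"). Level 0 never alerts on its own; it exists so
       that child rules can hang off it. -->
  <rule id="100100" level="0">
    <category>windows</category>
    <description>Grouping of Windows event log messages.</description>
  </rule>

  <!-- Child rule: evaluated only after 100100 matched (if_sid), then
       narrowed by the decoded event ID (id). The rule-level <group>
       appends "adduser" and "account_changed" to the alert's group list,
       after the groups inherited from the enclosing <group name>. -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <id>^4720|^4726</id>
    <description>Windows user account created or deleted.</description>
    <group>adduser,account_changed,</group>
  </rule>

</group>

<!-- ossec.conf: two ways to route the mail. The first selects by the
     group list of the rule that fired (rule <group> tags and the file's
     <group name> both count, which is why the docs say "group (category)").
     The second selects by event location, a substring match on the alert's
     location string, which carries the agent name, so it catches every
     alert from agents named win-* regardless of which rule fired. -->
<ossec_config>
  <email_alerts>
    <email_to>windows-team@example.com</email_to>
    <level>7</level>
    <group>account_changed</group>
  </email_alerts>

  <email_alerts>
    <email_to>windows-team@example.com</email_to>
    <level>7</level>
    <event_location>win-</event_location>
  </email_alerts>
</ossec_config>
```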