On Fri, Sep 10, 2010 at 5:37 PM, Hac Phan <ha...@rescomp.berkeley.edu> wrote:
> Hi,
>
> I have trouble wrapping my head around groups for rules in OSSEC. From my
> understanding, which may be wrong, there are six general groups as specified in
> rules_config.xml:
> syslog, firewall, ids, web-log, squid, windows, ossec
> I realized that these "general groups" are actually called "categories."
>
> In other xml rules, it always starts with a <group> header but they are in fact
> categories, where I assume these rules therein are included within the
> group(s). Each rule lists a "rule id," which I totally understand; however,
> I don't really understand the concept of the <if_sid> marker. For example, in
> msauth_rules.xml:
> <if_sid>18100</if_sid>

The <if_sid> designator means that if Rule 18100 fires, then check this rule to
see if it also matches. It can help you make more specific rules for certain
situations. For example, if you want rule 1234 (level 10) to be at level 3 for
host 192.168.1.1, then you can use something like:

<rule id="1235" level="3">
  <if_sid>1234</if_sid>
  <srcip>192.168.1.1</srcip>
  <description>stuff</description>
</rule>

> Moreover, in some rules, I will see the occasional <id> marker. For example, in
> msauth_rules.xml:
> <id>^63|^641|^664|^658|^659|^660|^662|^668|^4907</id>
> I'm not really certain what this is for. Not to mention the documentation
> explains <id> as a field to match any ID and <if_sid> as "Matches if the ID has
> matched." What? Why is <if_sid> necessary?

<id> is a field in Windows rules. Each eventlog entry has an id that corresponds
to a specific type of event.

> The rules seem to sometimes include the <group> marker as well. For example in
> msauth_rules.xml:
> <group>adduser,account_changed,</group>
> I figured that these groups are different from the categories. The confusion
> comes from the <email_alerts> configuration. There's an option called <group>
> where the documentation describes allowed values as "Any group (category)."
> Which one can I use? Groups or categories?

Both. Pretty much anything in the <group> tag can be used.

> In my attempts to organize alert reporting into two categories (Windows and
> non-Windows agents), I have tried to organize them via categories, taking
> advantage of the windows category. However, I realized the Windows servers have
> alerts outside of the windows category, so that plan failed miserably.
>
> I'm thinking, then: since the location of log files for Windows machines is
> different from UNIX machines, is there a way to organize this somehow? That is,
> I want to exploit the fact the OSSEC agent checks for events in different log
> files for each type of operating system.
> I also noticed (I don't know if this is
> entirely true) that Windows logging style is "eventlog" whereas for UNIX
> machines it is generally "syslog" and "apache." Is there a way I can exploit
> this fact and send email alerts based on this distinction?
>
> Sorry for the long, windy email. Thank you for your time.
>
> --
> Hac Phan
> Unix System Administrator
> Network & Infrastructure, RSSP-IT
> UC Berkeley
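As an added example (not from the thread; the rule ids 100010/100011, the host address and the group names are invented for illustration), a local_rules.xml that uses the three markers discussed above together: <if_sid> to build a more specific child rule, <id> to pick out one Windows eventlog id, and <group> to tag the alert with a name that email routing can match on.

```xml
<!-- local_rules.xml, added example: rule ids 100010/100011, the host
     192.168.1.1 and the group name "win_admins" are made up for illustration. -->
<group name="local,">

  <!-- Specific child of the reply's placeholder rule 1234: it fires only when
       1234 has already matched AND the source is this host, so that host's
       events are reported at level 3 instead of 10 while every other host
       keeps the original level. -->
  <rule id="100010" level="3">
    <if_sid>1234</if_sid>
    <srcip>192.168.1.1</srcip>
    <description>Rule 1234 downgraded for the noisy maintenance host</description>
    <group>maintenance_host,</group>
  </rule>

  <!-- Child of 18100 (the Windows eventlog rule quoted in the question):
       <id> narrows it to a single eventlog id (anchored with $ so that
       49070 is not caught too), and <group> tags the alert with both the
       "windows" category and a custom group name for routing. -->
  <rule id="100011" level="7">
    <if_sid>18100</if_sid>
    <id>^4907$</id>
    <description>Windows eventlog id 4907 tagged for the Windows admins</description>
    <group>windows,win_admins,</group>
  </rule>

</group>
```

With <email_notification>yes</email_notification> set in the global section of ossec.conf, an <email_alerts> entry holding an <email_to> address and <group>win_admins</group> then mails only alerts whose rule carries that tag, and a second entry with <group>syslog</group> can feed the UNIX recipients.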