Whoa, that's awesome! Thanks sir.

On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>
> Hi thak,
>
> I made a quick Python script that can help you out. It lists all the rules
> on /var/ossec/rules. Output example:
>
> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages grouped.
>
> Working with Python 2.7.6
>
> #!/usr/bin/python
> # Rules list
> # [email protected]
>
> import sys
> import re
> import os
>
> rules_directory = "/var/ossec/rules/"
>
> def GetRulesList(fulldir, filename):
>     # State for the rule currently being read (one <rule> ... </rule> block)
>     rule_detected = 0
>     rule_description = 0
>     level = ""
>     sidid = ""
>     description = ""
>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>     pattern_description = re.compile(r'<description>(.+?)</description>')
>     pattern_endrule = re.compile(r'</rule>')
>     try:
>         with open(fulldir) as f:
>             lines = f.readlines()
>             for line in lines:
>                 if rule_detected == 0:
>                     # Look for the opening <rule id="..." level="..."> tag
>                     match = re.findall(pattern_idlevel, line)
>                     if match:
>                         rule_detected = 1
>                         sidid = match[0][0]
>                         level = match[0][1]
>                 else:
>                     if rule_description == 0:
>                         match = re.findall(pattern_description, line)
>                         if match:
>                             rule_description = 1
>                             description = match[0]
>                     if rule_description == 1:
>                         # Print the rule once its closing tag is reached, then reset
>                         match = re.findall(pattern_endrule, line)
>                         if match:
>                             print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>                             rule_detected = 0
>                             rule_description = 0
>                             level = ""
>                             sidid = ""
>                             description = ""
>     except EnvironmentError:
>         print("Error: OSSEC rules directory does not appear to exist")
>
> if __name__ == "__main__":
>     print("Reading rules from directory %s" % rules_directory)
>     for root, directories, filenames in os.walk(rules_directory):
>         for filename in filenames:
>             if filename[-4:] == ".xml":
>                 GetRulesList(os.path.join(root, filename), filename)
>
>
> Hope it helps, regards,
>
> Pedro S.
>
> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>
>> Thanks!
>>
>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Feb 22, 2016 10:22 AM, "thak" <[email protected]> wrote:
>>> >
>>> > What's the best way to get a list of the rules, ideally by rule # and
>>> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4)
>>> > -> "First time user executed sudo."). I need a list to update some security
>>> > and compliance documentation prior to an upcoming audit.
>>> >
>>>
>>> All of the rules are available in the /var/ossec/rules directory. I
>>> don't think it would be too difficult to write a script to grab the names
>>> and ids.
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
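The same rule listing done with a real XML parser instead of line-by-line regexes, added here as an example (not Pedro's script and not OSSEC's own code). OSSEC rule files carry several top-level <group> elements with no single root, and a <description> can wrap across lines; the regex approach above silently drops such rules or truncates their text, which matters when the list feeds audit documentation. The function names and the sample rule file below are constructed for this example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample in the OSSEC rule file format (not a real OSSEC file):
# several top-level <group> elements, and a <description> wrapped across lines.
SAMPLE_RULES_XML = """
<group name="syslog,sudo,">
  <rule id="5403" level="4">
    <if_sid>5402</if_sid>
    <description>First time user executed sudo.</description>
  </rule>
</group>
<group name="apache,">
  <rule id="30412" level="6">
    <description>Shellshock
    attack attempt</description>
  </rule>
</group>
"""

def parse_rules(xml_text, filename):
    """Return (filename, id, level, description) tuples for every <rule>."""
    # Drop any XML declaration, then add a synthetic root: rule files have none.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring("<ossec_rules>%s</ossec_rules>" % body)
    rules = []
    for rule in root.iter("rule"):
        desc = rule.find("description")
        # itertext() collects text inside nested tags too; collapsing the
        # whitespace puts a wrapped description back on one line.
        text = " ".join("".join(desc.itertext()).split()) if desc is not None else ""
        rules.append((filename, rule.get("id"), rule.get("level"), text))
    return rules

def format_rule(entry):
    return "%s - Rule %s - Level %s -> %s" % entry

def list_rules_directory(rules_directory):
    # Walk a rules directory such as /var/ossec/rules and list every rule.
    out = []
    for rootdir, _dirs, files in os.walk(rules_directory):
        for name in sorted(files):
            if name.endswith(".xml"):
                with open(os.path.join(rootdir, name)) as f:
                    out.extend(parse_rules(f.read(), name))
    return out

if __name__ == "__main__":
    for entry in parse_rules(SAMPLE_RULES_XML, "sample_rules.xml"):
        print(format_rule(entry))
```

Point list_rules_directory at the real rules directory to produce the same one-line-per-rule listing as the thread's script, including rules whose descriptions span several lines.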
