You are welcome! I'll upload it to some website or repository folder. It is simple but it works; in the future I will also extract the PCI compliance requirement of every rule. If you need the rules with PCI requirement groups, try out the Wazuh Ruleset.
Regards,
Pedro S.

On Thu, Feb 25, 2016 at 7:42 PM, thak <[email protected]> wrote:
> Whoa, that's awesome! Thanks sir.
>
> On Thursday, February 25, 2016 at 7:15:45 AM UTC-5, Pedro S wrote:
>>
>> Hi thak,
>>
>> I made a quick Python script that can help you out. It lists all the
>> rules on /var/ossec/rules. Output example:
>>
>> mailscanner_rules.xml - Rule 3751 - Level 6 -> Multiple attempts of spam.
>> hordeimp_rules.xml - Rule 9300 - Level 0 -> Grouping for the Horde imp rules.
>> hordeimp_rules.xml - Rule 9301 - Level 0 -> Horde IMP informational message.
>> apache_rules.xml - Rule 30412 - Level 6 -> Shellshock attack attempt
>> roundcube_rules.xml - Rule 9400 - Level 0 -> Roundcube messages groupe.d
>>
>> Working with Python 2.7.6
>>
>> #!/usr/bin/python
>> # Rules list
>> # [email protected]
>>
>> from __future__ import print_function   # same print() on Python 2.7 and 3
>> import sys
>> import re
>> import os
>>
>> rules_directory = "/var/ossec/rules/"
>>
>> def GetRulesList(fulldir, filename):
>>     # Line-oriented scan of one rules file: a rule starts at a line with
>>     # '<rule id="..." level="...">', its description is the first
>>     # <description> after that, and '</rule>' closes it.
>>     rule_detected = 0
>>     rule_description = 0
>>     level = ""
>>     sidid = ""
>>     description = ""
>>     pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
>>     pattern_description = re.compile(r'<description>(.+?)</description>')
>>     pattern_endrule = re.compile(r'</rule>')
>>     try:
>>         with open(fulldir) as f:
>>             lines = f.readlines()
>>         for line in lines:
>>             if rule_detected == 0:
>>                 match = re.findall(pattern_idlevel, line)
>>                 if match:
>>                     rule_detected = 1
>>                     sidid = match[0][0]
>>                     level = match[0][1]
>>             else:
>>                 if rule_description == 0:
>>                     match = re.findall(pattern_description, line)
>>                     if match:
>>                         rule_description = 1
>>                         description = match[0]
>>                 # Look for the closing tag even if no description was seen,
>>                 # so a rule without one does not swallow the next rule.
>>                 match = re.findall(pattern_endrule, line)
>>                 if match:
>>                     print("%s - Rule %s - Level %s -> %s" % (filename, sidid, level, description))
>>                     rule_detected = 0
>>                     rule_description = 0
>>                     level = ""
>>                     sidid = ""
>>                     description = ""
>>     except EnvironmentError:
>>         print("Error: OSSEC rules directory does not appear to exist")
>>
>> if __name__ == "__main__":
>>     print("Reading rules from directory %s" % (rules_directory))
>>     for root, directories, filenames in os.walk(rules_directory):
>>         for filename in filenames:
>>             if filename[-4:] == ".xml":
>>                 GetRulesList(os.path.join(root, filename), filename)
>>
>> Hope it helps, regards,
>>
>> Pedro S.
>>
>> On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote:
>>>
>>> Thanks!
>>>
>>> On Monday, February 22, 2016 at 10:27:21 AM UTC-5, dan (ddpbsd) wrote:
>>>>
>>>> On Feb 22, 2016 10:22 AM, "thak" <[email protected]> wrote:
>>>> >
>>>> > What's the best way to get a list of the rules, ideally by rule # and
>>>> > short descriptive name (e.g., like the alerts..."Rule: 5403 fired (level 4)
>>>> > -> "First time user executed sudo."). I need a list to update some security
>>>> > and compliance documentation prior to an upcoming audit.
>>>> >
>>>>
>>>> All of the rules are available in the /var/ossec/rules directory. I
>>>> don't think it would be too difficult to write a script to grab the names
>>>> and ids.
>>>>
>>>> > --
>>>> > ---
>>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> > For more options, visit https://groups.google.com/d/optout.
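A fuller version of the same listing, added here as an example and not the script from the thread: it parses each rules file as XML with Python 3's ElementTree instead of matching single lines, so it handles `id`/`level` attributes in either order and descriptions that wrap across lines, and it also collects the `pci_dss_*` tags from each rule's `<group>` child element, which is the PCI mapping Pedro says he wants to add. OSSEC rule files contain several top-level `<group>` elements rather than one root, so the parser wraps the file text in a synthetic `<rules>` root before parsing. The sample rules file embedded below is constructed for this example (rule ids 100001 and 100002 are placeholders in the custom-rule range; rule 5403 and its description are the ones quoted in the thread); nothing here is taken from a real `/var/ossec/rules` file.

```python
#!/usr/bin/env python3
"""Added example (not the thread's script): list OSSEC rules by parsing the
rule XML, printing id, level, description and any pci_dss_* tags."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OSSEC rules file: two top-level <group>
# elements, attributes in different orders, a multi-line description, and
# <group> children carrying pci_dss_* tags. Ids 100001/100002 are placeholders.
SAMPLE_RULES_XML = """
<group name="syslog,sudo,">
  <rule id="5403" level="4">
    <if_sid>5402</if_sid>
    <description>First time user executed sudo.</description>
    <group>pci_dss_10.2.5,</group>
  </rule>
</group>

<group name="local,">
  <rule level="7" id="100001">
    <description>Example rule whose description
    spans two lines.</description>
    <group>pci_dss_10.6.1,pci_dss_11.4,</group>
  </rule>
  <rule id="100002" level="0">
    <description>Rule without PCI tags.</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return one dict per <rule> found in the text of a rules file.

    The file is not a single well-formed document (several <group> roots), so
    it is wrapped in a synthetic <rules> root; an XML declaration, if present,
    must be dropped first because it is only legal at the very start.
    """
    if xml_text.lstrip().startswith("<?xml"):
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        # Collapse the newlines and indentation of a wrapped description.
        description = " ".join(rule.findtext("description", default="").split())
        tags = set()
        for group in rule.findall("group"):
            for tag in (group.text or "").split(","):
                tag = tag.strip()
                if tag:
                    tags.add(tag)
        rules.append({
            "id": rule.get("id"),
            "level": rule.get("level"),
            "description": description,
            "pci_dss": sorted(t for t in tags if t.startswith("pci_dss_")),
        })
    return rules


def format_rule(filename, rule):
    """Same line layout as the thread's script, plus the PCI tags if any."""
    line = "%s - Rule %s - Level %s -> %s" % (
        filename, rule["id"], rule["level"], rule["description"])
    if rule["pci_dss"]:
        line += " [%s]" % ", ".join(rule["pci_dss"])
    return line


def list_rules_directory(rules_directory):
    """Walk rules_directory and return formatted lines for every .xml file.
    A file that is not well-formed XML is reported, not fatal."""
    out = []
    for root_dir, _dirs, filenames in os.walk(rules_directory):
        for filename in sorted(filenames):
            if not filename.endswith(".xml"):
                continue
            path = os.path.join(root_dir, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    rules = parse_rules(f.read())
            except ET.ParseError as exc:
                out.append("%s - could not parse: %s" % (filename, exc))
                continue
            out.extend(format_rule(filename, r) for r in rules)
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 list_rules.py /var/ossec/rules
        print("\n".join(list_rules_directory(sys.argv[1])))
    else:
        for r in parse_rules(SAMPLE_RULES_XML):
            print(format_rule("sample_rules.xml", r))
```

Run it with the rules directory as the only argument to list a real ruleset, or with no argument to see the output for the embedded sample. For an audit inventory the `[pci_dss_...]` suffix is the useful part: it comes straight from each rule's own `<group>` tags, so no separate mapping table has to be maintained.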
