Hi Gopal,
Once an alert is triggered, *analysisd* tries to match every existing rule.
Once one rule matches (the level of this first matching rule is not
relevant), *analysisd* starts looking for this first rule's children. If two
or more children match, the rule with the higher level will be selected. If
the level is the same for both rules, the rule that was found first will be
the one triggered. For example, if this is our file:
```xml
<!--
  - OSSEC rules
  - Author: Daniel Cid.
  - Updated by Wazuh, Inc.
  - Copyright (C) 2015, Wazuh Inc.
  - Copyright (C) 2009 Trend Micro Inc.
  - This program is a free software; you can redistribute it and/or modify
    it under the terms of GPLv2.
-->
<group name="ossec,">
  <rule id="500" level="0">
    <category>ossec</category>
    <decoded_as>ossec</decoded_as>
    <description>Grouping of ossec rules.</description>
  </rule>

  <rule id="501" level="3">
    <if_sid>500</if_sid>
    <if_fts />
    <match>Agent started</match>
    <description>New ossec agent connected.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- other rules here -->

  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>
</group>
```
and we have a log that matches both 502 and 504, then, as they have the same
level, rule 502 will be triggered because it was found first.
I would like to leave here some links for further information about rules:
- Rules syntax:
  <https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html>
- Rule example:
  <https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html>
Hope this was helpful. Let me know if you need anything else.
Regards,
Yana.
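The selection order described in the reply above (first matching top-level rule, then the highest-level matching child, ties broken by file order) can be checked with a small simulation. The following is an added example, not code from the post or from OSSEC/Wazuh; it parses a constructed copy of the rule tree shown above (rule 501 is left out because `<if_fts />` needs first-time-seen state that this toy ignores), treats `<match>` as a plain substring test and assumes decoder matching has already happened. The local rule with id `100002` is a constructed placeholder in the custom-rule range, added only to show the higher-level branch winning.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt mirroring the rules in the post (ids 500, 502, 504).
RULES_XML = """<!-- constructed excerpt of the stock ossec rules -->
<group name="ossec,">
  <rule id="500" level="0">
    <category>ossec</category>
    <decoded_as>ossec</decoded_as>
    <description>Grouping of ossec rules.</description>
  </rule>
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
  </rule>
</group>
"""

# Constructed local rule (placeholder id 100002), loaded after the stock rules
# the way a local_rules.xml would be, to show a higher-level child winning.
LOCAL_XML = """<group name="local,">
  <rule id="100002" level="5">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Constructed: higher-level child of rule 500.</description>
  </rule>
</group>
"""


@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int]
    match: Optional[str]
    description: str


def load_rules(xml_text: str) -> List[Rule]:
    """Parse <rule> elements in file order; that order is what breaks level ties."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.iter("rule"):
        if_sid = el.findtext("if_sid")
        rules.append(Rule(
            id=int(el.get("id")),
            level=int(el.get("level")),
            if_sid=int(if_sid) if if_sid is not None else None,
            match=el.findtext("match"),
            description=el.findtext("description", ""),
        ))
    return rules


def rule_matches(rule: Rule, log: str) -> bool:
    # A rule without <match> (like 500) matches any log that reached it;
    # <decoded_as> is assumed to have been satisfied by the decoder stage.
    return rule.match is None or rule.match in log


def select_rule(rules: List[Rule], log: str) -> Optional[Rule]:
    # Step 1: the first top-level rule (no <if_sid>) that matches, whatever its level.
    current = next((r for r in rules if r.if_sid is None and rule_matches(r, log)), None)
    if current is None:
        return None
    # Step 2: walk down the children. Among matching siblings take the highest
    # level; on a tie, the one that appears first in the file.
    while True:
        candidates = [r for r in rules if r.if_sid == current.id and rule_matches(r, log)]
        if not candidates:
            return current
        # max() returns the first of several equal maxima, which is the tie rule.
        current = max(candidates, key=lambda r: r.level)


if __name__ == "__main__":
    stock = load_rules(RULES_XML)
    log = "ossec: Ossec started, Agent disconnected"  # constructed log hitting 502 and 504
    print(select_rule(stock, log).id)                             # 502: same level, found first
    print(select_rule(stock + load_rules(LOCAL_XML), log).id)     # 100002: higher level wins
    print(select_rule(stock, "ossec: something else").id)         # 500: level 0, no alert
```

With only the stock rules the constructed log lands on 502, since 502 and 504 share level 3 and 502 comes first; once the level-5 local rule is loaded it wins instead, which is why a custom override of a stock rule normally needs a higher level rather than just a later position in the file.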
On Tuesday, January 8, 2019 at 11:21:47 PM UTC+1 Gopal Gupta wrote:
> Hi,
> I am confused about what is the order in which ossec matches different
> rules. According to my understanding, it first tries to match rules with
> level 0 and then in decreasing order from highest to lowest. If it is
> correct, then what is the order between rules of the same alert level?
>
> Can someone please clarify this?
>
> Thanks in advance.
>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/4e24a527-0ef2-43d9-9a7c-10d124d02581n%40googlegroups.com.