Rules Syntax¶
In this section, xml labels used to configure rules are listed.
Available options¶
- rule
- match
- regex
- decoded_as
- category
- field
- srcip
- dstip
- extra_data
- user
- program_name
- hostname
- time
- weekday
- id
- url
- action
- if_sid
- if_group
- if_level
- if_matched_sid
- if_matched_group
- if_fts
- same_id
- same_source_ip
- same_src_port
- same_dst_port
- same_location
- same_user
- same_field
- not_same_field
- different_url
- different_srcgeoip
- description
- list
- info
- options
- check_diff
- group
- status
- location
- var
rule¶
<rule> is the label that starts the block that defines a rule. In this section the different options to this label are explained.
| level | Definition | Specifies the level of the rule. Alerts and responses use this value. |
| Allowed values | 0 to 16 | |
| id | Definition | Specifies the ID of the rule. |
| Allowed values | Any number from 1 to 999999 | |
| maxsize | Definition | Specifies the maximum size of the event. |
| Allowed values | Any number from 1 to 9999 | |
| frequency | Definition | Number of times the rule must have matched before firing. |
| Allowed values | Any number from 2 to 9999 | |
| timeframe | Definition | The timeframe in seconds. This option is intended to be used with the frequency option. |
| Allowed values | Any number from 1 to 99999 | |
| ignore | Definition | The time (in seconds) to ignore this rule after firing it (to avoid floods). |
| Allowed values | Any number from 1 to 999999 | |
| overwrite | Definition | Used to supersede an OSSEC rule with local changes. |
| Allowed values | yes, no | |
| noalert | Definition | Not trigger any alert if the rule matches. |
| Allowed values | Attribute with no value |
Example:
<!--- Rule definition --> <rule id="100001" maxsize="300" level="3"> ... </rule>
In this example, the rule is assigned with the ID 100001, a maximum size of each event of 300 characters and the rule level in 3.
match¶
Any string to match against the log event.
| Default Value | n/a |
| Allowed values | Any sregex expression |
Example:
<rule id="100001" maxsize="300" level="3"> <if_sid>100200</if_sid> <match>Queue flood!</match> <description> Flooded events queue.</description> </rule>
If the rule matches the id 100200 that contains the Queue flood! phrase in it, rule activates and sends an event.
regex¶
Any regex to match against the log event.
| Default Value | n/a |
| Allowed values | Any regex expression |
Example:
regexis used to find a variety of strings in a rule. For example, if we want to match any valid IP:<rule id="100001" level="3"> <if_sid>10050</if_sid> <regex>^(\d+.\d+.\d+.\d+)$</regex> <description>Matches any valid IP</description> </rule>
decoded_as¶
| Default Value | n/a |
| Allowed values | Any decoder name |
category¶
Selects in which rule decoding category the rule should be included: ids, syslog, firewall, web-log, squid or windows.
| Default Value | n/a |
| Allowed values | Any category |
field¶
Any OS_Regex to be compared to a field extracted by the decoder.
| name | Specifies the name of the field extracted by the decoder. |
srcip¶
Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.
| Default Value | n/a |
| Allowed values | Any srcip |
dstip¶
Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.
| Default Value | n/a |
| Allowed values | Any dstip |
extra_data¶
Any string that is decoded into the extra_data field.
| Default Value | n/a |
| Allowed values | Any string. |
user¶
Any username (decoded as the username).
| Default Value | n/a |
| Allowed values | Any sregex expression |
program_name¶
Program name is decoded from syslog process name.
| Default Value | n/a |
| Allowed values | Any sregex expression |
hostname¶
Any hostname (decoded as the syslog hostname) or log file.
| Default Value | n/a |
| Allowed values | Any sregex expression |
time¶
Time that the event was generated.
| Default Value | n/a |
| Allowed values | Any time range (hh:mm-hh:mm, hh:mm am-hh:mm pm, hh-hh, hh am-hh pm) |
weekday¶
Week day that the event was generated.
| Default Value | n/a |
| Allowed values | monday - sunday, weekdays, weekends |
location¶
New in version 3.5.0.
The event extended location of the incoming event.
| Default Value | n/a |
| Allowed values | Any sregex expression |
The location identifies the origin of the input. If the event comes from an agent, its name and registered IP (as it was added) is appended to the location.
Example of a location for a log pulled from “/var/log/syslog” in an agent with name “dbserver” and registered with IP “any”:
(dbserver) any->/var/log/syslog
The following components use a static location:
| Component | Location |
| Windows Eventchannel | EventChannel |
| Windows Eventlog | WinEvtLog |
| FIM (Syscheck) | syscheck |
| Rootcheck | rootcheck |
| Syscollector | syscollector |
| Vuln Detector | vulnerability-detector |
| Azure Logs | azure-logs |
| AWS S3 integration | aws-s3 |
| Docker integration | Wazuh-Docker |
| Osquery integration | osquery |
| OpenSCAP integration | open-scap |
| CIS-CAT integration | wodle_cis-cat |
if_level¶
Matches if the level has matched before.
| Default Value | n/a |
| Allowed values | Any level from 1 to 16 |
if_matched_sid¶
Matches if an alert of the defined ID has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.
| Default Value | n/a |
| Allowed values | Any rule id |
Note
Rules at level 0 are discarded immediately and will not be used with the if_matched_rules. The level must be at least 1, but the <no_log> option can be added to the rule to make sure it does not get logged.
if_matched_group¶
Matches if an alert of the defined group has been triggered in a set number of seconds.
This option is used in conjunction with frequency and timeframe.
| Default Value | n/a |
| Allowed values | Any Group |
if_fts¶
Makes the decoder that processed the event to take the fts line into consideration.
| Example of use | <if_fts /> |
same_id¶
Specifies that the decoded id must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_id /> |
same_source_ip¶
Specifies that the decoded source ip must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_source_ip /> |
same_src_port¶
Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_src_port /> |
same_dst_port¶
Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_dst_port /> |
same_location¶
Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_location /> |
same_user¶
Specifies that the decoded user must be the same. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_user /> |
same_field¶
New in version 3.9.0.
Specifies that the decoded field must be the same as the previous one. This option is used in conjunction with frequency and timeframe.
| Example of use | <same_field /> |
As an example of this option, check this rule:
<rule id="100001" level="3">
<if_sid>221</if_sid>
<field name="netinfo.iface.name">ens33</field>
<description>Testing interface alert</description>
</rule>
<rule id="100002" level="7" frequency="3" timeframe="300">
<if_matched_sid>100001</if_matched_sid>
<same_field>netinfo.iface.mac</same_field>
<description>Testing options for correlating repeated fields</description>
</rule>
Note
Rule 100002 will trigger when the last three events had the same netinfo.iface.mac address.
not_same_field¶
New in version 3.9.0.
Specifies that the decoded field must be different than the previous one. This option is used in conjunction with frequency and timeframe.
| Example of use | <not_same_field /> |
As an example of this option, check this rule:
<rule id="100001" level="3">
<if_sid>221</if_sid>
<field name="netinfo.iface.name">ens33</field>
<description>Testing interface alert</description>
</rule>
<rule id="100002" level="7" frequency="3" timeframe="300">
<if_matched_sid>100001</if_matched_sid>
<not_same_field>netinfo.iface.mac</not_same_field>
<description>Testing options for correlating repeated fields</description>
</rule>
Note
Rule 100002 will trigger when the last three events do not have the same netinfo.iface.mac address.
different_url¶
Specifies that the decoded url must be different. This option is used in conjunction with frequency and timeframe.
| Example of use | <different_url /> |
different_srcgeoip¶
Specifies that the source geoip location must be different. This option is used in conjunction with frequency and timeframe.
| Example of use | <different_srcgeoip /> |
Example:
As an example to this last options, check this rule:
<rule id=100005 level="0"> <match> Could not open /home </match> <same_user /> <different_srcgeoip /> <same_dst_port /> </rule>That rule filters when the same
usertries to open file/homebut returns an error, on a differentipand using sameport.
description¶
Specifies a human readable description to the rule in order to provide context to each alert regarding the nature of the events matched by it. This field is required.
| Default Value | n/a |
| Allowed values | Any string |
Examples:
<rule id="100015" level="2"> ... <description> A timeout occurred. </description> </rule> <rule id="100035" level="4"> ... <description> File missing. Root acces unrestricted. </description> </rule>
Since Wazuh version 3.3 it is possible to include any decoded field (static or dynamic) to the description message. You can use the following syntax: $(field_name) to add a field to the description.
Example:
<rule id="100005" level="8"> <match>illegal user|invalid user</match> <description>sshd: Attempt to login using a non-existent user from IP $(attempt_ip)</description> <options>no_log</options> </rule>
list¶
Perform a CDB lookup using an ossec list. This is a fast on disk database which will always find keys within two seeks of the file.
| Default Value | n/a |
| Allowed values | Path to the CDB file to be used for lookup from the OSSEC directory.Must also be included in the ossec.conf file. |
| Attribute | Description | |
| field | key in the CDB: srcip, srcport, dstip, dstport, extra_data, user, url, id, hostname, program_name, status, action, dynamic field. | |
| lookup | match_key | key to search within the cdb and will match if they key is present. Default. |
| not_match_key | key to search and will match if it is not present in the database. | |
| match_key_value | searched for in the cdb. It will be compared with regex from attribute check_value. | |
| address_match_key | IP and the key to search within the cdb and will match if they key is present. | |
| not_address_match_key | IP the key to search and will match if it IS NOT present in the database | |
| address_match_key_value | IP to search in the cdb. It will be compared with regex from attribute check_value. | |
| check_value | regex for matching on the value pulled out of the cdb when using types: address_match_key_value, match_key_value | |
info¶
Extra information may be added through the following attributes:
| Default Value | n/a |
| Allowed values | Any string |
| Attribute | Allowed values | Description |
| type | text | This is the default when no type is selected. Additional,information about the alert/event. |
| link | Link to more information about the alert/event. | |
| cve | The CVE Number related to this alert/event. | |
| ovsdb | The osvdb id related to this alert/event. |
options¶
Additional rule options.
| Attribute | Description |
|---|---|
| alert_by_email | Always alert by email. |
| no_email_alert | Never alert by email. |
| no_log | Do not log this alert. |
| no_full_log | Do not include the full_log field in the alert. |
| no_counter | Omit field rule.firedtimes in the JSON alert. |
Example:
<rule id="9800" level="8"> <match>illegal user|invalid user</match> <description>sshd: Attempt to login using a non-existent user</description> <options>no_log</options> </rule>
Note
Use one <options> tag for each option you want to add.
group¶
Add additional groups to the alert. Groups are optional tags added to alerts.
They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.
Groups are variables that define a behavior. When an alert includes that group label, this behavior will occur.
Example:
<rule id="3801" level="4"> <description>Group for rules related with spam.</description> <group>spam,</group> </rule>
Now, every rule with the line <group>spam,</group> will be included in that group.
It’s a very useful label to keep the rules ordered.
| Default Value | n/a |
| Allowed values | Any String |
status¶
Declares the actual status of a rule.
| Default Value | n/a |
| Allowed values | started, aborted, succeded, failed, lost… |
var¶
Defines a variable that may be used in any place of the same file.
| Attribute | Value |
|---|---|
| name | Name for the variable. |
Example:
<var name="joe_folder">/home/joe/</var> <group name="local,"> <rule id="100001" level="5"> <if_sid>550</if_sid> <field name="file">^$joe_folder</field> <description>A Joe's file was modified.</description> <group>ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group> </rule> </group>
BAD_WORDS¶
<var name=”BAD_WORDS”>error|warning|failure</var>
BAD_WORDS is a very used use case of <var> option.
Is used to include many words in the same variable. Later, this variable can be matched into the decoders to check if any of those words are in a caught event.
Example:
<var name="BAD_WORDS">error|warning|failure</var> <group name="syslog,errors,"> <rule id="XXXX" level="2"> <match>$BAD_WORDS</match> <description>Error found.</description> </rule> </group>