Rule file items
Configuration item | Remarks |
---|---|
<var name="FREQ">8</var> | Declares constants at the top of the file. |
<group name="..."> <rule ...> … </rule> </group> | <rule> items must be placed under a <group> item. The name attribute is mandatory and must end with a comma; it is used to classify the rules found in the group. |
<rule id="123456"> | The id attribute of a rule is mandatory, with a value between 1 and 999999 inclusive. |
<rule overwrite="yes\|no"> | Allows a rule to reuse an id that was already defined earlier: the new definition replaces the earlier rule. |
<rule level="0..15"> | Mandatory. Assigns a severity level to the rule; level 0 rules are evaluated before (with higher priority than) the others. |
<rule accuracy="0"> | Gives rules carrying this attribute lower priority than the others. |
<rule maxsize="0..9999"> | Restricts the rule to logs whose message is at least as long as the value of this attribute. |
<rule timeframe="..." frequency="..."> | Declares a composite rule, triggered when an event occurs several times within the defined time frame. |
<rule noalert="..."> | Treats the rule as not applying unless one of its child rules applies; the rule itself raises no alert. |
<rule ignore="..."> | Inhibits the rule for the given number of seconds after it is triggered. |
<rule id="..." level="..."> <decoded_as>...</decoded_as> </rule> | Names the first-level decoder (or the second-level decoder when it uses the use_own_name option) that must have decoded the message. SES Evolution accepts decoder names from all levels and ignores the use_own_name option. |
<rule id="..." level="..."> <if_sid>...</if_sid> </rule> | Links the rule to a parent rule by rule ID. |
<rule id="..." level="..."> <if_group>...</if_group> </rule> | Links the rule to parent rules by group name. |
<rule id="..." level="..."> <if_level>...</if_level> </rule> | Links the rule to parent rules by minimum severity level. |
<rule id="..." level="..."> … </rule> | Simple OSSEC, advanced OSSEC or PCRE2 regular expression targeting the log message to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the srcuser decoded field or, if there is none, the dstuser decoded field, to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | IPv4 or IPv6 address specification (individual addresses, ranges, networks with a mask length, etc.) compared with the srcip or dstip field to determine whether the rule matches. Prefixing the specification with an exclamation mark negates it. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expressions targeting the srcport and dstport decoded fields to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the id decoded field to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the status decoded field to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the hostname pre-decoded field to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the data decoded field to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the program_name pre-decoded field to determine whether the rule matches. |
<rule id="..." level="..."> … </rule> | Simple OSSEC or PCRE2 regular expression targeting the url decoded field to determine whether the rule matches. |
<rule id="..." level="..."> <action>...</action> </rule> | Exact value compared with the action decoded field to determine whether the rule matches. |
<rule id="..." level="..."> <field name="...">...</field> </rule> | Advanced OSSEC regular expression targeting the named decoded field to determine whether the rule matches. |
<rule id="..." level="..."> <time>...</time> </rule> | Specifies the time slot during which the rule applies. Supports any time format that OSSEC supports. SES Evolution uses the system time zone to evaluate local time. |
<rule id="..." level="..."> <weekday>...</weekday> </rule> | Specifies the days of the week on which the rule is enabled. Supports any weekday format that OSSEC supports. SES Evolution uses the system time zone to evaluate local time, and therefore the day. |
<rule id="..." level="..."> … </rule> | Describes the rule by associating it with a known vulnerability. |
<rule id="..." level="..."> … </rule> | Describes the rule with free text, a link or an Open Source Vulnerability Database (OSVDB) item. SES Evolution supports only one item of each type in the same rule. |
<rule id="..." level="..."> <group>...</group> </rule> | Adds groups the rule belongs to, in addition to those named by the enclosing <group> node. |
<rule id="..." level="..."> <description>...</description> </rule> | Mandatory description of the event the rule applies to. SES Evolution uses it in the log summary shown in the agent and in the console. |
<rule id="..." level="..."> <category>...</category> </rule> | Links the rule to one of the decoder types. Used by rules 1 to 7 in the file rules_config.xml. |
<rule id="..." level="..."> <if_fts/> </rule> | Makes the rule effective only if a decoder (with the fts option) detected that a set of fields had values seen together for the first time. |
<rule id="..." level="..."> … </rule> | Caches sets of field values so that a rule can later be disabled for the same value sets. |
<rule id="..." level="..."> <check_diff/> </rule> | Ignores a log that is identical to the previous one: the rule matches only when two consecutive logs differ. |
<rule id="..." level="..." frequency="..." timeframe="..."> <if_matched_regex>...</if_matched_regex> </rule> | Triggers a composite rule if several recent logs can be described by an advanced OSSEC regular expression. |
<rule id="..." level="..." frequency="..." timeframe="..."> <if_matched_group>...</if_matched_group> </rule> | Triggers a composite rule if several recent logs were matched by a rule in a given group. |
<rule id="..." level="..." frequency="..." timeframe="..."> <if_matched_sid>...</if_matched_sid> </rule> | Triggers a composite rule if several recent logs were matched by a rule with a given ID. |
<rule id="..." level="..." frequency="..." timeframe="..."> … </rule> | Triggers a composite rule if several logs sharing the same srcip, srcport, dstport, id or user field value are found. |
<rule id="..." level="..." frequency="..." timeframe="..."> … </rule> | Triggers a composite rule if several logs with different values for the srcip or url field are found. |
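The composite-rule items above (the frequency, timeframe and ignore attributes, if_matched_sid, and the "same field" and "different field" variants) are easiest to understand by replaying events through them. The following Python model is an added example, not SES Evolution's or OSSEC's engine: it feeds already-decoded events (constructed sample data; rule ids 1001xx are hypothetical) into one composite rule and reports on which events it fires. Its counting convention, namely that the current event counts towards frequency and that the window is not cleared after a trigger so that ignore is what keeps the rule quiet, is this example's simplification and not behaviour stated on this page.

```python
"""Replay decoded events through a composite rule to see when it fires.
Added example, not SES Evolution's or OSSEC's engine. Simplifications (not
stated on the page): the current event counts toward `frequency`, and the
window is not cleared after firing, so `ignore` is what prevents re-firing."""
from collections import deque


class CompositeRule:
    """Models <rule frequency= timeframe= ignore=> with <if_matched_sid>,
    optionally narrowed to one shared field or counted over distinct values."""

    def __init__(self, rule_id, level, if_matched_sid, frequency, timeframe,
                 ignore=0, same_field=None, different_field=None):
        self.rule_id, self.level = rule_id, level
        self.if_matched_sid = if_matched_sid
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.same_field, self.different_field = same_field, different_field
        self.recent = deque()                  # matching events, oldest first
        self.suppressed_until = float("-inf")  # set by the ignore attribute

    def feed(self, event):
        """Return True if this event makes the composite rule fire."""
        if event["sid"] != self.if_matched_sid:   # only events matched by the parent rule count
            return False
        now = event["ts"]
        self.recent.append(event)
        while now - self.recent[0]["ts"] > self.timeframe:   # drop events outside the time frame
            self.recent.popleft()
        window = list(self.recent)
        if self.same_field:        # "same srcip" style: keep events sharing the current value
            window = [e for e in window if e.get(self.same_field) == event.get(self.same_field)]
        if self.different_field:   # "different url" style: count distinct values, not events
            count = len({e.get(self.different_field) for e in window})
        else:
            count = len(window)
        if count < self.frequency or now < self.suppressed_until:
            return False
        self.suppressed_until = now + self.ignore   # ignore="N": stay quiet for N seconds
        return True


def replay(rule, events):
    """Return the indices of the events on which the rule fired."""
    return [i for i, ev in enumerate(events) if rule.feed(ev)]


# Constructed events: ts in seconds, sid = id of the rule that matched the log.
EVENTS = [
    {"ts": 0,   "sid": 100101, "srcip": "10.0.0.5"},
    {"ts": 10,  "sid": 100101, "srcip": "10.0.0.9"},
    {"ts": 20,  "sid": 100101, "srcip": "10.0.0.5"},
    {"ts": 25,  "sid": 100200, "srcip": "10.0.0.5"},   # other rule: not counted
    {"ts": 30,  "sid": 100101, "srcip": "10.0.0.5"},   # 3rd from .5 within 60 s
    {"ts": 40,  "sid": 100101, "srcip": "10.0.0.5"},   # inside the ignore window
    {"ts": 200, "sid": 100101, "srcip": "10.0.0.9"},   # the 10 s event has aged out
    {"ts": 210, "sid": 100101, "srcip": "10.0.0.9"},
    {"ts": 220, "sid": 100101, "srcip": "10.0.0.9"},   # 3rd from .9 within 60 s
]

if __name__ == "__main__":
    rule = CompositeRule(100102, 10, if_matched_sid=100101, frequency=3,
                         timeframe=60, ignore=120, same_field="srcip")
    print("fires on events", replay(rule, EVENTS))
```

With ignore="120" the first burst from 10.0.0.5 fires once; without it the same rule would fire again on every further failure from that address while three or more sit in the window, which is the usual reason to combine frequency with ignore.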
Configuration item | Supported | Remarks |
---|---|---|
<rule id="..." level="..."> … </rule> | No | SES Evolution does not use the libgeoip library. |
<rule id="..." level="..."> <list lookup="..." field="...">...</list> </rule> | No | Quick lookup of a field in a CDB (constant database). SES Evolution does not use the CDB library. |
<rule id="..." level="..."> <compiled_rule>...</compiled_rule> </rule> | Partial | Lets users compile their own rules for specific needs. SES Evolution supports only the is_simple_http_request function, which is provided as an example but is nevertheless used by the standard rule sets. |
<rule id="..." level="..."> <options>...</options> </rule> | Partial | SES Evolution supports only the no_log option; e-mail alerts and active responses are not supported. |
<rule id="..." level="..." frequency="..." timeframe="..."> … </rule> | No | OSSEC options whose only purpose is to cancel a <same_...> option written earlier in the same rule: remove the earlier option instead. |
<rule id="..." level="..." frequency="..." timeframe="..."> … </rule> | No | SES Evolution analyzes and correlates logs on the agent rather than on a server, so logs from several agents cannot be correlated; these options are ignored. |
<rule id="..." level="..." frequency="..." timeframe="..."> <different_srcgeoip/> </rule> | No | SES Evolution does not use the libgeoip library. |
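Several constraints from the two tables (mandatory id, level and description; the id, level and maxsize ranges; group names ending with a comma; overwrite semantics; one info item per type; and the elements and options SES Evolution does not support) can be checked before a rule file is deployed. The following Python linter is an added example, not Stormshield's tooling: it parses a rule file with the standard library and reports each violation it can derive from this page. The two embedded rule files are constructed samples with hypothetical rule ids; treating an info element without a type attribute as type "text" is this example's assumption.

```python
"""Lint OSSEC-style rules against the constraints this page lists.
Added example (not Stormshield's or OSSEC's code): it checks only what the
page states and reports SES Evolution's unsupported items as findings."""
import xml.etree.ElementTree as ET

ID_RANGE, LEVEL_RANGE, MAXSIZE_RANGE = (1, 999999), (0, 15), (0, 9999)
UNSUPPORTED_ELEMENTS = {"list", "different_srcgeoip"}   # per this page
SUPPORTED_OPTIONS = {"no_log"}                          # per this page
SUPPORTED_COMPILED_RULES = {"is_simple_http_request"}   # per this page

# Constructed sample rule files; rule ids 1001xx are hypothetical.
GOOD_RULES = """<group name="local,sshd,">
  <rule id="100100" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>sshd messages grouped (no alert by itself).</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="action">Failed password</field>
    <description>sshd authentication failure.</description>
  </rule>
  <rule id="100102" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>100101</if_matched_sid>
    <time>6 pm - 8 am</time>
    <weekday>weekdays</weekday>
    <description>8 sshd failures in 2 minutes, outside office hours.</description>
    <options>no_log</options>
  </rule>
  <rule id="100101" level="7" overwrite="yes">
    <if_sid>100100</if_sid>
    <field name="action">Failed password</field>
    <description>sshd authentication failure (replaces 100101 at level 7).</description>
  </rule>
</group>"""

BAD_RULES = """<group name="local,broken">
  <rule id="100103" level="16">
    <options>alert_by_email</options>
    <description>Level out of range, unsupported option.</description>
  </rule>
  <rule id="100104" level="4" overwrite="yes">
    <list lookup="match_key" field="srcip">lists/blocked-ips</list>
  </rule>
</group>
<rule id="100105" level="1"><description>Orphan rule.</description></rule>"""


def _check_int(rule, attr, bounds, required, label, findings):
    """Validate an integer attribute, appending findings; return the value or None."""
    raw = rule.get(attr)
    if raw is None:
        if required:
            findings.append(f"{label}: missing mandatory attribute {attr}")
        return None
    try:
        value = int(raw)
    except ValueError:
        findings.append(f"{label}: {attr}={raw!r} is not an integer")
        return None
    if not bounds[0] <= value <= bounds[1]:
        findings.append(f"{label}: {attr}={value} outside {bounds[0]}..{bounds[1]}")
    return value


def lint_rules(xml_text):
    """Return a list of findings (strings); an empty list means the file is clean."""
    # A rule file may hold several top-level <group>s, so wrap it to get one root.
    root = ET.fromstring(f"<rules>{xml_text}</rules>")
    parents = {child: parent for parent in root.iter() for child in parent}
    findings, seen_ids = [], set()
    for index, rule in enumerate(root.iter("rule"), start=1):
        label = f"rule {rule.get('id', '?')} (#{index})"
        parent = parents[rule]
        if parent.tag != "group":
            findings.append(f"{label}: must be inside a <group> element")
        elif not parent.get("name", "").endswith(","):
            findings.append(f"{label}: group name {parent.get('name')!r} must end with a comma")
        rid = _check_int(rule, "id", ID_RANGE, True, label, findings)
        if rid is not None:
            overwrite = rule.get("overwrite", "no") == "yes"
            if rid in seen_ids and not overwrite:
                findings.append(f"{label}: id already used; add overwrite=\"yes\" to replace")
            elif overwrite and rid not in seen_ids:
                findings.append(f"{label}: overwrite=\"yes\" but no earlier rule to replace")
            seen_ids.add(rid)
        _check_int(rule, "level", LEVEL_RANGE, True, label, findings)
        _check_int(rule, "maxsize", MAXSIZE_RANGE, False, label, findings)
        desc = rule.find("description")
        if desc is None or not (desc.text or "").strip():
            findings.append(f"{label}: missing mandatory <description>")
        for child in rule:
            text = (child.text or "").strip()
            if child.tag in UNSUPPORTED_ELEMENTS:
                findings.append(f"{label}: <{child.tag}> is not supported")
            elif child.tag == "options" and text not in SUPPORTED_OPTIONS:
                findings.append(f"{label}: option {text!r} not supported (only no_log)")
            elif child.tag == "compiled_rule" and text not in SUPPORTED_COMPILED_RULES:
                findings.append(f"{label}: compiled rule {text!r} is not available")
        # <info> without a type attribute is counted as type "text" (assumption).
        kinds = [i.get("type", "text") for i in rule.findall("info")]
        for kind in set(kinds):
            if kinds.count(kind) > 1:
                findings.append(f"{label}: several <info type={kind!r}> items; one per type max")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, lint_rules(text) or "clean")
```

The linter deliberately stops at what the page specifies; it does not validate regular expressions or the time and weekday formats, which are left to the engine that loads the file.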