Home | @unixist | unixist@freenode

>: OSSEC - Visualize your rules


If you are looking for a way to more easily view your rules and how they relate to one another, you can run the tool below on your rule file(s) in order to get a graphical view of their hierarchy.

The script associates rules with their parents by way of the if_sid and if_matched_sid elements found within each <rule> element in each rule file. Since only these two elements are consulted, rules that chain solely through <if_group> or <if_matched_group> are not linked to a parent and will appear as parent-zero nodes (see the notes below).

Example invocation that produces a graph file:

./ossec-graph-rules.rb -f graph -t png local_rules.xml sshd_rules.xml firewall_rules.xml

Dependencies: Ruby (the script parses the rule files with REXML) and Graphviz, whose dot command renders the image file.

Notes:

  1. Any node not connected to the tree has no <rule> element in any of the processed rule files; it is only referenced therein (for example by an if_sid in a file you passed in whose parent lives in a file you did not).
  2. Nodes whose parent is zero (0) do not have any parent rules.
  3. Some rule files have multiple top-level <group> XML elements. These are invalid XML documents and cannot be processed by REXML. I do not know a decent way to process them other than breaking each <group> stanza out into separate rule files. This is a good practice anyhow. UPDATE: See the Update section in this post's follow-up.
  4. A file named ".dot" is created during each run. It is the file used by dot to create the image file. You can safely delete it.
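The following is an added example, not the ossec-graph-rules.rb script itself, showing how the parent/child association described above can be extracted with REXML and emitted as DOT text, and how a file with several top-level <group> elements (note 3) can still be parsed by wrapping its contents in a synthetic root element. The sample rule file is constructed for this example; the rule IDs in it (5700, 5716, 5720, 5712, 100001) are illustrative and the undefined reference to 5712 is deliberate, to show how a dangling node (note 1) and a parent-zero node (note 2) come out.

```ruby
require 'rexml/document'

# Constructed sample rule file. It has two top-level <group> elements,
# which is how real OSSEC rule files are written and is not well-formed XML.
SAMPLE_RULES = <<~XML
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
  </rule>
  <rule id="5720" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSHD authentication failures.</description>
  </rule>
</group>

<group name="local,syslog,">
  <rule id="100001" level="12">
    <if_sid>5720, 5712</if_sid>
    <description>Local escalation; 5712 is deliberately not defined here.</description>
  </rule>
</group>
XML

# Wrap the file contents in a synthetic root so REXML accepts a file that
# carries several top-level <group> elements (an alternative to splitting
# each <group> into its own file).
def parse_rule_file(xml_text)
  REXML::Document.new("<ossec_rules>\n#{xml_text}\n</ossec_rules>")
end

# Returns { rule_id => [parent_ids] } for every <rule> found.
# if_sid / if_matched_sid may hold a comma-separated list of IDs.
# A rule with neither element gets the pseudo-parent 0 (note 2).
def extract_rules(doc)
  rules = {}
  doc.elements.each('ossec_rules/group/rule') do |rule|
    id = rule.attributes['id'].to_i
    parents = []
    %w[if_sid if_matched_sid].each do |tag|
      rule.elements.each(tag) do |el|
        parents.concat(el.text.to_s.split(',').map(&:strip).reject(&:empty?).map(&:to_i))
      end
    end
    rules[id] = parents.empty? ? [0] : parents
  end
  rules
end

# Rule IDs referenced as parents but defined by no <rule> in the processed
# files (note 1): they become nodes with no rule of their own.
def undefined_parents(rules)
  referenced = rules.values.flatten.uniq - [0]
  (referenced - rules.keys).sort
end

# Emit Graphviz DOT text; dangling references are drawn dashed so they stand out.
def to_dot(rules)
  lines = ['digraph ossec_rules {', '  rankdir=LR;']
  undefined_parents(rules).each do |id|
    lines << "  \"#{id}\" [style=dashed, label=\"#{id}\\n(not defined)\"];"
  end
  rules.each do |id, parents|
    parents.each { |p| lines << "  \"#{p}\" -> \"#{id}\";" }
  end
  lines << '}'
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # With file arguments, graph those files; otherwise graph the sample.
  rules = {}
  if ARGV.empty?
    rules = extract_rules(parse_rule_file(SAMPLE_RULES))
  else
    ARGV.each { |f| rules.merge!(extract_rules(parse_rule_file(File.read(f)))) }
  end
  puts to_dot(rules)
end
```

Pipe the output through dot (for example `ruby graph.rb sshd_rules.xml | dot -Tpng -o rules.png`) to get the image; the dashed "(not defined)" nodes are the ones to check against the rule files you left out of the run.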

Source:

File: ossec-graph-rules.rb

Repo: $ git clone https://bitbucket.org/unixist/ossec-tools.git

Future

In the relatively near future I plan to do more work to make the OSSEC configuration more human-understandable. Specifically, and at least, I'm working on producing English output that describes the OSSEC rule configuration. I find this useful to place in project documentation. It also affords less technical readers the ability to grok the security posture of their intrusion detection system.