@unixist | unixist@freenode

>: OSSEC - Textualize your rules


As a follow-up to my last post on graphically visualizing the OSSEC rule hierarchy, this post shows how to render OSSEC rules and their constraints as text. The idea is to output the rule configuration in an easily digestible form: it can be dropped straight into project documentation, and it lets less technical readers grok the security posture of their IDS at a glance. The code extends the code from the previous post.

Each rule is printed once, on a line of its own. Below it is an indented stanza listing the constraints a log message must satisfy to match that rule. Stanza lines prefixed with a parenthesised rule ID are constraints inherited from that parent rule (via the <if_sid> and <if_matched_sid> elements). Inheritance is followed transitively: rule 5703 below depends on 5702, so its stanza shows 5702's own constraints and, after them, the decoded_as constraint that 5702 itself inherits from 5700. Stanza lines without a prefix are constraints the rule declares itself. One caveat for composite rules: when the link is <if_matched_sid> combined with frequency and timeframe, the rule fires after the parent rule has matched repeatedly within timeframe seconds, so the inherited lines describe the messages being counted rather than a single message.

Example output snippet:

./ossec-graph-rules.rb -c firewall_rules.xml sshd_rules.xml

Rule: 4100
Rule: 4101
   action = DROP
Rule: 4151
   (4101) action = DROP
   frequency = 16
   timeframe = 45
   same_source_ip
Rule: 5700
   decoded_as = sshd
Rule: 5701
   (5700) decoded_as = sshd
   match = Bad protocol version identification
Rule: 5702
   (5700) decoded_as = sshd
   match = ^reverse mapping
   regex = failed - POSSIBLE BREAK
Rule: 5703
   (5702) match = ^reverse mapping
   (5702) regex = failed - POSSIBLE BREAK
   (5700) decoded_as = sshd
   frequency = 4
   timeframe = 360
Rule: 5704
   (5700) decoded_as = sshd
   match = fatal: Timeout before authentication for
Rule: 5705
   (5704) match = fatal: Timeout before authentication for
   (5700) decoded_as = sshd
   frequency = 4
   timeframe = 360
Rule: 5706
   (5700) decoded_as = sshd
   match = Did not receive identification string from
Rule: 5707
   (5700) decoded_as = sshd
   match = fatal: buffer_get_string: bad string

Source:

File: ossec-graph-rules.rb
Repo: git clone https://bitbucket.org/unixist/ossec-tools.git

Dependencies:

Extra

I needed to post my OSSEC rules to a MediaWiki page, so I wrote a small sed script (GNU sed; it relies on the \+ and \w extensions) that turns the constraints output of the tool above into wiki markup: each rule becomes a bold first-level list item, each constraint a second-level item, and a rule's own constraints are highlighted so they stand apart from inherited ones. Save the tool's output to constraints.txt and run:

$ sed -f sedscript constraints.txt > constraints.wiki.txt

# Rule header lines ("Rule: 4100") become bold first-level list items.
# ([[:space:]]* and [[:digit:]]\+ need the class brackets closed before the
# quantifier; "[[:space:]*]" would be a bracket expression matching a space
# or a literal "*".)
/^Rule:[[:space:]]*[[:digit:]]\+/ {
   s/^/*'''/
   s/$/'''/
}

# Indented stanza lines become second-level items. Accept a tab or spaces so
# the script works whether the indentation is a tab or was pasted as spaces.
s/^[[:space:]]\+/**/

# Bold the "=" of a rule's own constraints ("**action = DROP"). Inherited
# lines start with "(" and are left alone.
/^\*\*\w\+ =/ {
   s/=/'''='''/
}

# Descriptions are free text, so wrap them in <pre> instead of styling them.
s/^\*\*description '''=''' \(.*\)/**<pre>\1<\/pre>/

# Colour every remaining stanza line that is neither inherited ("**(5700) ...")
# nor a description, so the rule's own constraints stand out.
/^\*\*([[:digit:]]\+)/ !{
   /^\*\*<pre>/ !{
      s/^\*\*/**<span style='color:#FF6600'>/
      s/^\(\*\*.*\)/\1<\/span>/
   }
}

Update:

I noticed that several of the default OSSEC rule files are not well-formed XML: they contain multiple top-level <group> elements. A conforming XML library such as REXML refuses to parse a document with more than one root element, so I hacked up my script a bit to support that. It made me sad :( but it works. Code is updated.
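The following Ruby is an added example, not the code from the repository above, covering both points of this post: building the constraint stanzas with inheritance through if_sid and if_matched_sid, and getting REXML to accept a rules file that has several top-level <group> elements. The multi-root workaround shown (wrapping the file's text in a synthetic root element, here arbitrarily named ossec_rules) is one way to do it and not necessarily how the repository's script handles it. The sample XML is constructed for the example and modelled on the sshd rules in the output snippet; the lists of rule options it recognises are a subset of OSSEC's, chosen for illustration.

```ruby
require 'rexml/document'

# Constructed sample, modelled on the sshd rules in the output snippet above.
# It deliberately has two top-level <group> elements, the shape that makes
# several stock OSSEC rule files fail in a conforming XML parser.
SAMPLE_RULES = <<~XML
  <group name="syslog,sshd,">
    <rule id="5700" level="0" noalert="1">
      <decoded_as>sshd</decoded_as>
      <description>SSHD messages grouped.</description>
    </rule>
    <rule id="5702" level="5">
      <if_sid>5700</if_sid>
      <match>^reverse mapping</match>
      <regex>failed - POSSIBLE BREAK</regex>
      <description>Reverse lookup error (bad ISP or attack).</description>
    </rule>
  </group>
  <group name="syslog,sshd,">
    <rule id="5703" level="10" frequency="4" timeframe="360">
      <if_matched_sid>5702</if_matched_sid>
      <description>Possible breakin attempt (high number of reverse lookup errors).</description>
    </rule>
  </group>
XML

# A subset of OSSEC rule options, chosen for this example: child elements whose
# text is the constraint value, attributes of <rule>, and empty "flag" elements.
VALUE_OPTIONS = %w[decoded_as match regex hostname user srcip dstip url program_name].freeze
ATTR_OPTIONS  = %w[frequency timeframe].freeze
FLAG_OPTIONS  = %w[same_source_ip same_user same_location].freeze
PARENT_LINKS  = %w[if_sid if_matched_sid].freeze

# Parse rules from text that may contain several top-level <group> elements.
# Wrapping the text in a synthetic root (name is arbitrary) makes it well-formed
# without touching any rule content; REXML rejects the unwrapped form.
def parse_rules(xml_text)
  doc = REXML::Document.new("<ossec_rules>#{xml_text}</ossec_rules>")
  rules = {}
  REXML::XPath.each(doc, '//rule') do |r|
    parents = []
    own = []
    r.elements.each do |e|
      text = e.text.to_s.strip
      case e.name
      when *PARENT_LINKS  then parents.concat(text.split(',').map(&:strip))
      when *VALUE_OPTIONS then own << "#{e.name} = #{text}"
      when *FLAG_OPTIONS  then own << e.name
      end
    end
    ATTR_OPTIONS.each { |a| own << "#{a} = #{r.attributes[a]}" if r.attributes[a] }
    rules[r.attributes['id']] = { parents: parents, own: own }
  end
  rules
end

# True if REXML accepts the text as-is. Older REXML raises a bare RuntimeError
# for a second root element, newer ones a ParseException (a RuntimeError
# subclass), so one rescue covers both.
def parses_unwrapped?(xml_text)
  REXML::Document.new(xml_text)
  true
rescue RuntimeError
  false
end

# Constraints a rule inherits, each prefixed with the ID of the rule declaring
# it. Parents are followed transitively (a parent's own constraints, then what
# it inherits), which is the order used in the output snippet above. `seen`
# guards against if_sid cycles in a mis-edited file and lists a shared
# ancestor only once.
def inherited(rules, id, seen = {})
  rules.fetch(id)[:parents].flat_map do |pid|
    next [] if seen[pid] || !rules.key?(pid)
    seen[pid] = true
    rules[pid][:own].map { |c| "(#{pid}) #{c}" } + inherited(rules, pid, seen)
  end
end

# The full stanza for one rule: inherited constraints first, then its own.
def stanza(rules, id)
  inherited(rules, id) + rules.fetch(id)[:own]
end

# Render every rule in ID order with one tab of indentation per stanza line
# (the indentation the MediaWiki sed script above rewrites to "**").
def render(rules)
  rules.keys.sort_by(&:to_i).map do |id|
    (["Rule: #{id}"] + stanza(rules, id).map { |c| "\t#{c}" }).join("\n")
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "unwrapped text parses: #{parses_unwrapped?(SAMPLE_RULES)}"
  puts render(parse_rules(SAMPLE_RULES))
end
```

Running it prints the same stanzas for 5700, 5702 and 5703 as the snippet above. Listing a parent's own constraints before the ones it inherits is what puts "(5702) match" ahead of "(5700) decoded_as" for rule 5703; the `seen` hash is there because a rules file with an accidental if_sid loop would otherwise recurse until the stack runs out.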