OSSEC is one of the Imunify360 components. It performs log monitoring, provides alerts about non-web attacks, and includes an Active Response feature that blocks users by port based on the triggered rule, without greylisting (for FTP, SSH, and SMTP).
Being an intrusion detection system, OSSEC has its own ruleset and also lets its users create custom rules. Users must keep in mind, however, that when writing custom rules they should never modify the existing rule files in the /var/ossec/etc/rules.d directory. Changes to those rules may alter the behavior of entire chains of rules and complicate troubleshooting.
Custom rules should be placed into the /var/ossec/etc/rules_local.d/ directory (an example rule is shown below) and must have the parameters described in the options table configured for them.
Here is an example of an OSSEC rule:
<!-- Fires at level 10 when rule 13001 has matched 10 times within 240 seconds -->
<rule id="13002" level="10" frequency="10" timeframe="240">
  <!-- The rule whose matches are counted -->
  <if_matched_sid>13001</if_matched_sid>
  <!-- Only count matches that come from the same source IP -->
  <same_source_ip />
  <description>Exim brute force attack (multiple auth failures).</description>
  <group>authentication_failures,</group>
</rule>
You can find an explanation of the rule parameters at https://ossec-documentation.readthedocs.io/en/latest/manual/lids/rules.html
When creating a new rule or customizing an already existing one, you can employ the following options.
Option | Description |
level | Defines the level of the rule. You can find more details at https://docs.imunify360.com/dashboard/#incidents-logging |
noalert (set ‘1’ to enable) | Prevents the rule from triggering an alert. Further rule checks will not happen, except for rules that specifically reference this rule in their <if_sid> configuration. |
frequency | The number of failed attempts allowed; a user is blocked once it is exceeded. |
timeframe | The period (in seconds) within which exceeding the frequency leads to blocking. |
ignore | The time (in seconds) to ignore a rule after it has triggered (to avoid floods). |
overwrite | Used to supersede an OSSEC rule with local changes. This is useful for changing the level or other options of rules included with OSSEC. |
Options for syscheck, the OSSEC component that detects whether any monitored file has changed, are described here: https://www.ossec.net/docs/manual/syscheck/index.html
Rules also require the description field to explain what the rule does. This description will be used as the event identifier in the e-mails and log messages that OSSEC generates.
More information about OSSEC rules syntax and custom rules creation can be found here: https://www.ossec.net/docs/manual/rules-decoders/create-custom.html
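The following is an added example and not part of the Imunify360 or OSSEC documentation: a small Python linter for a file destined for /var/ossec/etc/rules_local.d/. It embeds a constructed sample file (the rule ids, the raised level and the stock-id set are all made up for the example) and checks the constraints the options table and the rule example imply: rules live inside a <group>, frequency and timeframe are set as a pair, a frequency rule has an if_matched_* condition, every rule has a level and a description, and a rule that uses overwrite reuses an id that actually exists in the stock ruleset. Running it on a real file before copying it into rules_local.d catches the mistakes that would otherwise only show up as a failed OSSEC restart or a rule that never fires.

```python
"""
Added example (not part of the Imunify360/OSSEC documentation): a small linter
for a custom OSSEC rules file destined for /var/ossec/etc/rules_local.d/.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a rules_local.d file. OSSEC rule files have no single
# root element, only one or more <group> blocks, so parse_rules() wraps the
# text before handing it to the XML parser.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <!-- Raise the level of a stock rule without editing rules.d (id is constructed) -->
  <rule id="13001" level="8" overwrite="yes">
    <description>Exim authentication failure (level raised locally).</description>
  </rule>

  <!-- Correlation rule: 10 matches of 13001 from one source IP within 240 s.
       The id is in the 100000+ range OSSEC reserves for local rules. -->
  <rule id="100002" level="10" frequency="10" timeframe="240" ignore="300">
    <if_matched_sid>13001</if_matched_sid>
    <same_source_ip />
    <description>Exim brute force attack (multiple auth failures).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Deliberately broken: frequency without timeframe, and if_sid instead of
       if_matched_sid, so the linter has something to report -->
  <rule id="100003" level="5" frequency="3">
    <if_sid>13001</if_sid>
    <description>Broken example rule.</description>
  </rule>
</group>
"""

# Constructed stand-in for the ids shipped in rules.d. A real deployment would
# collect these by parsing /var/ossec/etc/rules.d/*.xml with parse_rules().
STOCK_RULE_IDS = {13001, 13002}


def parse_rules(text):
    """Parse a rules file, tolerating the missing root element."""
    return ET.fromstring("<rules>" + text + "</rules>")


def lint_rules(text, stock_ids):
    """Return a list of (rule_id, message) findings for a custom rules file."""
    findings = []
    root = parse_rules(text)

    # Rules that are direct children of the synthetic root sit outside any
    # <group>, which OSSEC does not accept.
    for rule in root.findall("rule"):
        findings.append((rule.get("id"), "rule is not inside a <group> element"))

    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        attrs = rule.attrib
        if rid is None or not rid.isdigit():
            findings.append((rid, "missing or non-numeric id"))
            continue
        rid_int = int(rid)
        if rid_int in seen:
            findings.append((rid, "duplicate id in local file"))
        seen.add(rid_int)

        if "level" not in attrs:
            findings.append((rid, "missing level"))
        # The description is the event identifier in alerts and mails.
        if rule.find("description") is None:
            findings.append((rid, "missing <description>"))

        # frequency and timeframe only make sense together.
        has_freq = "frequency" in attrs
        has_tf = "timeframe" in attrs
        if has_freq != has_tf:
            findings.append((rid, "frequency and timeframe must be set together"))
        # A counting rule needs a condition that says which matches to count.
        if has_freq and rule.find("if_matched_sid") is None \
                and rule.find("if_matched_group") is None:
            findings.append((rid, "frequency rule needs if_matched_sid or if_matched_group"))

        if attrs.get("noalert") not in (None, "1"):
            findings.append((rid, "noalert must be '1' to enable"))

        # overwrite reuses a stock id; anything else must not collide with one.
        if attrs.get("overwrite") == "yes":
            if rid_int not in stock_ids:
                findings.append((rid, "overwrite='yes' but no stock rule has this id"))
        elif rid_int in stock_ids:
            findings.append((rid, "id collides with a stock rule; use overwrite or a new id"))
    return findings


if __name__ == "__main__":
    for rule_id, message in lint_rules(SAMPLE_LOCAL_RULES, STOCK_RULE_IDS):
        print(f"rule {rule_id}: {message}")
```

On the sample above the linter reports only the deliberately broken rule 100003, twice: once for the missing timeframe and once because it counts on <if_sid> rather than <if_matched_sid>. The two well-formed rules pass, including the overwrite of the constructed stock id 13001.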