All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
<rules>
<!--
Rules options here
-->
</rules>
</ossec_config>
include
¶Load a single rule file.
Allowed: Path and file name of rule to load example: rules/config.xml
rule
¶Load a single rule file.
Allowed: Path and file name of rule to load example: rules/config.xml
Note
This is the same as include, but created to keep the syntax constant with other sections of the rules config.
rule_dir
¶Load a directory of rules. The order of loaded files will be in alphebical order and will not load any files that have been loaded before.
Attributes:
pattern: is a regex match string use to determine if a file needs to be loaded.
- Defaults: regex “_rules.xml$” is used unless another one is specified.
Allowed: Path to a directory of rule files
Example:
Loading all rules in directory /var/ossec/rules ending ending with _rules.xml
<ossec_config> <rules> <rule_dir>rules</rule_dir> </rules> </ossec_config>
Loading all rules in directory /var/ossec/rules/plugins ending with .xml
<ossec_config> <rules> <rule_dir pattern=".xml$">rules</rule_dir> </rules> </ossec_config>
decoder
¶Load a single decoder file. The path should be relative to the install directory, typically /var/ossec
.
Note
If no decoders are specified in ossec.conf the legacy etc/decoder.xml
and
etc/local_decoder.xml
are loaded
Warning
If <decoder>
or <decoder_dir>
are used, the default decoder.xml will not be used. It must be specified explicitly.
Allowed: Path and file name of decoder to load example: rules/decoder/decoder.xml
decoder_dir
¶Load a directory of decoders. The order of loaded files will be in alphebics order
and will not load any files that have been loaded before.
The path should be relative to the install directory, typically /var/ossec
.
Attributes:
pattern: is a regex match string use to detemine if a file needs to be loaded.
- Defaults: regex ”.xml$” is used unless another one is specified.
Allowed: Path to a directoy of decoder files
Example:
Loading all decoders in directory /var/ossec/rules ending ending with _decoder.xml
<ossec_config> <rules> <decoder_dir>rules</decoder_dir> </rules> </ossec_config>
Loading all decoders in directory /var/ossec/rules/plugins/plugins/decoders ending with .xml
<ossec_config> <rules> <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir> </rules> </ossec_config>
Warning
If <decoder>
or <decoder_dir>
are used, the default decoder.xml will not be used. It must be specified explicitly.
list
¶Load a single cdb references for inclusion by other rules.
Note
Due to the way cdb files are compiled using tmp files by the ossec-makelists program the file extension should not be include in this directive. ossec’s tools will correctly append the correct .cdb or .txt extension as needed.
Allowed: Path to a list file to be loaded and compiled.
<rules>
<list>rules/lists/blocked_hosts</list>
</rules>