OSSEC: OSSEC is an open-source, multi-platform host intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD, MacOS and other operating systems. It includes log analysis, integrity checking and rootkit detection. As an HIDS, OSSEC is installed on the system that is to be monitored.
OSSEC generates an alert as follows: after a log line is captured, a decoder (DECODE) parses it, and the decoded event is then matched against the rules; a matching rule produces an alert carrying that rule's ID.
Being able to write decoders is a great help when working with OSSEC. Here we use OSSEC's test tool, ossec-logtest, and write a simple rule: whenever the string lion_00 appears, an alert with rule id 8888 and level 7 is generated. First create the rule by adding a testrule.xml file under /var/ossec/rule with the following content:
<group name="localtest,">                   <!-- every rule must belong to a group -->
  <rule id="8888" level="7">
    <decoded_as>lion</decoded_as>           <!-- only fires on events handled by the "lion" decoder -->
    <description>testrule</description>     <!-- text shown in the generated alert -->
  </rule>
</group>
The decoder must be written in /var/ossec/etc/decoder.xml (default installation directory):
<decoder name="lion">                       <!-- decoder name; this is the "lion" referenced by <decoded_as> above -->
  <prematch>^lion_00</prematch>             <!-- content to match; an advanced decoder has many more options -->
</decoder>
Note that decoders are tried in file order, so it is best to place your decoder nearer the top of the file. Now run "/var/ossec/bin/ossec-logtest", type the line lion_00, and you will see:
** Phase 1: Completed pre-decoding.
       full event: 'lion_00'
       hostname: 'idc2103'
       program_name: '(null)'
       log: 'lion_00'
** Phase 2: Completed decoding.
       decoder: 'lion'
** Phase 3: Completed filtering (rules).
       Rule id: '000000'
       Level: '7'
       Description: 'testrule'
** Alert to be generated.
OK.
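To make the decode-then-match pipeline above concrete, here is a small added example (not part of the original article, and not OSSEC's own code) that loads the same decoder and rule XML, runs phases 2 and 3 the way ossec-logtest reports them, and returns the alert. It assumes, for simplicity, that <prematch> can be treated as a Python regular expression; real OSSEC uses its own regex dialect.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the decoder and rule from the article above.
DECODER_XML = """
<decoder name="lion">
  <prematch>^lion_00</prematch>
</decoder>
"""

RULES_XML = """
<group name="localtest,">
  <rule id="8888" level="7">
    <decoded_as>lion</decoded_as>
    <description>testrule</description>
  </rule>
</group>
"""

def load_decoders(xml_text):
    # decoder.xml has many top-level elements, so wrap it in a root.
    # Keep file order: OSSEC tries decoders top to bottom and the first hit wins.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [(d.get("name"), d.findtext("prematch")) for d in root.iter("decoder")]

def load_rules(xml_text):
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "decoded_as": r.findtext("decoded_as"),
             "description": r.findtext("description")}
            for r in root.iter("rule")]

def decode(line, decoders):
    # Phase 2: first decoder whose prematch matches the raw line (assumption: Python regex)
    for name, prematch in decoders:
        if re.search(prematch, line):
            return name
    return None

def analyze(line, decoders, rules):
    # Phase 3: a rule applies if it has no <decoded_as>, or its <decoded_as>
    # names the decoder that handled the line.
    decoder = decode(line, decoders)
    for rule in rules:
        if rule["decoded_as"] is None or rule["decoded_as"] == decoder:
            return {"decoder": decoder, "rule_id": rule["id"],
                    "level": rule["level"], "description": rule["description"]}
    return {"decoder": decoder, "rule_id": None, "level": 0, "description": None}
```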