
Instant OSSEC Host-based Intrusion Detection by Brad Lhotsky


Writing your own rules (Simple)

So we have a running OSSEC server. It's configured to send us e-mails with alerts, and we're getting a lot of them. Not every alert is actionable or interesting in our environment. We can fine-tune alerts by overriding, supplementing, and enhancing the base rule set with our own rules/local_rules.xml file.

By leveraging OSSEC's rules, we can tune alerts based on the username, IP address, source hostname, URL, filename, time of day, day of the week, rules previously matched, frequency, and time since the last alert. The rules provide a powerful way to tweak the alerts we receive and are a great starting point for customization, as no coding is required.
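As an added example (not taken from the book), here is a rules/local_rules.xml fragment that uses several of those conditions at once: source IP, username, time of day, frequency, and a previously matched rule. The local rule ids 1001xx, the scanner address 10.0.0.50 and the off-hours window are constructed values; the fragment assumes the stock sshd rule 5716 (authentication failure) as the parent and OSSEC's "!" prefix to negate a srcip.

```xml
<group name="local,syslog,sshd,">

  <!-- 1. Silence sshd authentication failures that come from the
       internal vulnerability scanner (constructed address).
       Level 0 keeps the event in the archives but raises no alert,
       so no e-mail is sent for it. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.50</srcip>
    <description>sshd auth failure from the authorized scanner; ignored</description>
  </rule>

  <!-- 2. Raise the severity of sshd failures for the root account
       outside office hours (18:00 to 08:00), excluding the scanner
       so rules 1 and 2 never match the same event. The "!" negation
       on srcip is assumed OSSEC syntax. alert_by_email forces an
       e-mail regardless of the global email_alert_level threshold. -->
  <rule id="100101" level="10">
    <if_sid>5716</if_sid>
    <srcip>!10.0.0.50</srcip>
    <user>root</user>
    <time>6 pm - 8 am</time>
    <description>sshd authentication failure for root outside business hours</description>
    <options>alert_by_email</options>
  </rule>

  <!-- 3. Correlation: fire once when rule 100101 has matched five
       times from the same source within 600 seconds, then stay quiet
       (ignore) for 1800 seconds so one burst yields one alert. -->
  <rule id="100102" level="12" frequency="5" timeframe="600" ignore="1800">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Repeated off-hours root sshd failures from the same source</description>
  </rule>

</group>
```

After editing the file, check it with /var/ossec/bin/ossec-logtest (paste a matching sshd log line and confirm which rule id fires) before restarting ossec-analysisd.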

Getting ready

Before we start writing rules, we should be aware of some rules ...
