{"id":144,"date":"2008-11-03T21:54:00","date_gmt":"2008-11-03T21:54:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=144"},"modified":"2020-07-02T21:55:33","modified_gmt":"2020-07-02T21:55:33","slug":"compiled-rules","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/11\/compiled-rules\/","title":{"rendered":"Compiled rules"},"content":{"rendered":"\n

If you ever wanted a bit more flexibility from the OSSEC rules, you can have it now with the C compiled rules.<\/p>\n\n\n\n

Compiled rules are an extension to the normal<\/em> (default) XML rules and should only be used when you need additional functionality not present in there.<\/p>\n\n\n\n

**Note that you need at least the snapshot ossec-hids-081030.tar.gz<\/a> or v1.7 (not yet available) for it to work.<\/em><\/p>\n\n\n\n

How the compiled rules work?<\/h3>\n\n\n\n

Inside the OSSEC package you will find the directory src\/analysisd\/compiled_rules\/<\/strong> , with the default compiled rules.
To see a list of rules, run the command (inside that directory):<\/p>\n\n\n\n

  $ pwd<\/strong>\n  ..\/src\/analysisd\/compiled_rules\n  $ .\/register_rule.sh list<\/strong>\n  *Available functions:\n  check_id_size\n  comp_mswin_targetuser_calleruser_diff\n  comp_srcuser_dstuser<\/pre>\n\n\n\n
To use any of them inside a rule, just add the <compiled_rule> tag with the function you want to use. Ex:<\/p>\n\n\n\n
 <rule id=\"100155\" level=\"10\">\n   <if_sid>18111<\/if_sid>\n   <compiled_rule>comp_mswin_targetuser_calleruser_diff<\/compiled_rule><\/strong>\n   <description>User changed someone else password.<\/description>\n <\/rule><\/pre>\n\n\n\n
NOTE: To know what each function does you have to look at the source code.<\/strong><\/p>\n\n\n\n
How to write my own rule<\/h3>\n\n\n\n
To create your own rule, first open a new .c<\/em> file (don\u2019t use the generic one, since it is modified during upgrades).<\/p>\n\n\n\n
  $ touch myownrules.c<\/strong><\/pre>\n\n\n\n
And create your function inside of it. In this example here we added a function to check if the url field is longer than 1024:<\/p>\n\n\n\n
void *myosrule_check_url_size1024(Eventinfo *lf)\n{\n    if(!lf->url)\n    {\n        return(NULL);\n    }\n\n    if(strlen(lf->url) >= 1024)\n    {\n        return(lf);\n    }\n    return(NULL);\n}<\/pre>\n\n\n\n
Note 1: You must return \u2018lf\u2019 (the eventinfo structure) if the function matches or NULL otherwise.<\/strong>
Note 2: Give a good name to your function in a way to make sure it is not used anywhere else (eg: put your company name in it).<\/strong>
After that, register your function:<\/p>\n\n\n\n
  $ .\/register_rule.sh add myosrule_check_url_size1024<\/strong><\/pre>\n\n\n\n
You can also save it (if you have ossec installed) so that during the next upgrade it will reuse them:<\/p>\n\n\n\n
  $ .\/register_rule.sh save<\/strong>\n  *Save completed at \/var\/ossec\/compiled_rules\/<\/pre>\n","protected":false},"excerpt":{"rendered":"
If you ever wanted a bit more flexibility from the OSSEC rules, you can have it now with the C compiled rules. Compiled rules are an extension to the normal (default) XML rules and should only be used when you need additional functionality not present in there. **Note that you need at least the snapshot ossec-hids-081030.tar.gz or v1.7 (not […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/144"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=144"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/144\/revisions"}],"predecessor-version":[{"id":145,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/144\/revisions\/145"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}