The ruleset is one of the most important parts of OSSEC. Thanks to the ruleset, OSSEC is able to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, etc.
At this time, there are two ways to update the ruleset: wait for a new OSSEC release, or review the official repository for new rules, decoders and rootchecks. Wazuh is well aware of this limitation, so we work every day to improve the ruleset by updating the out-of-the-box rules provided by OSSEC and adding new ones. All these changes are published in our rules repository. I encourage you to visit both the repository and the documentation.
Even with our repository, it remains a tedious task to update the ruleset. So we have developed a script that allows you to update it automatically. The script has a lot of options, but we are going to focus on updating the rules weekly and automatically.
Let’s create a directory to place the script. A good one could be
$ sudo mkdir -p /var/ossec/update/ruleset
Download the script:
$ sudo wget https://raw.githubusercontent.com/wazuh/ossec-rules/master/ossec_ruleset.py -O /var/ossec/update/ruleset/ossec_ruleset.py
Finally, assign it execution permission:
$ sudo chmod u+x /var/ossec/update/ruleset/ossec_ruleset.py
At this point you can already run the script to update the ruleset, but we want this to happen every week, so we will use crontab:
$ sudo crontab -e
Add the following line at the end of the file (this is root's own crontab, so unlike /etc/crontab it has no user field; putting "root" after @weekly would make cron try to run a command called root):
@weekly cd /var/ossec/update/ruleset && ./ossec_ruleset.py -s
We use the option -s so that the script restarts OSSEC (if required) and the new ruleset is loaded. To prevent the restart, use -S (capital S) instead; in that case, remember that you must restart OSSEC manually before the new ruleset takes effect.
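The steps above, collected into one non-interactive installer. This is an added example and not code from the Wazuh post or the ossec-rules repository: it keeps the post's paths and download URL (both overridable through OSSEC_DIR and RULESET_URL), replaces the interactive sudo crontab -e with the equivalent crontab -l / crontab pipeline, and adds two checks the post does not have: it refuses to continue if the downloaded file is empty or not a script, and it does not add the cron entry a second time when re-run.

```shell
#!/bin/sh
# Added example (not from the Wazuh post): non-interactive installer for the
# weekly ossec_ruleset.py update. Paths and URL follow the post; OSSEC_DIR and
# RULESET_URL may be overridden through the environment.
set -eu

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
SCRIPT_DIR="$OSSEC_DIR/update/ruleset"
RULESET_URL="${RULESET_URL:-https://raw.githubusercontent.com/wazuh/ossec-rules/master/ossec_ruleset.py}"

# The entry for root's own crontab (what "sudo crontab -e" edits). User
# crontabs have no user field, so nothing like "root" follows @weekly.
cron_line() {
    printf '@weekly cd %s && ./ossec_ruleset.py -s\n' "$1"
}

# Sanity check on the download: reject an empty file or anything that does
# not start with a shebang (e.g. an HTML error page saved as the script).
looks_like_script() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# Append the cron line to a crontab file only if it is not already present,
# so running the installer twice does not schedule the update twice.
add_cron_entry() {
    crontab_file="$1"
    line="$(cron_line "$2")"
    touch "$crontab_file"
    if ! grep -qF -- "$line" "$crontab_file"; then
        printf '%s\n' "$line" >> "$crontab_file"
    fi
}

install_ruleset_updater() {
    mkdir -p "$SCRIPT_DIR"
    wget -q "$RULESET_URL" -O "$SCRIPT_DIR/ossec_ruleset.py"
    looks_like_script "$SCRIPT_DIR/ossec_ruleset.py" || {
        echo "download of ossec_ruleset.py failed or is not a script" >&2
        exit 1
    }
    chmod u+x "$SCRIPT_DIR/ossec_ruleset.py"
    # Non-interactive equivalent of "crontab -e": dump, edit, reload.
    tmp="$(mktemp)"
    crontab -l > "$tmp" 2>/dev/null || true
    add_cron_entry "$tmp" "$SCRIPT_DIR"
    crontab "$tmp"
    rm -f "$tmp"
}

# Only touch the system when explicitly asked: sudo sh install.sh install
if [ "${1:-}" = "install" ]; then
    install_ruleset_updater
fi
```

Run it as root with the single argument install. The shebang check only catches a failed or mis-served download; it says nothing about the content itself. Since the script, and everything it later fetches from the repository, runs as root every week, read it once before the first run and keep the HTTPS URL as it is.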
This automatic process is well tested, but should an error occur you can restore the previous configuration. Each time the script runs, a backup of /var/ossec/rules is created. To restore one, run the following command from the script's directory and choose a backup from the list:
./ossec_ruleset.py -b list
And this way you have your OSSEC ruleset always updated.