--- /dev/null
+#!/usr/bin/python
+# OSSEC Rules list
+# Simple script to get a short brief of every rule in OSSEC rules folder
+# Written Feb 25, 2016 and released under the GNU/GPLv2 license ##
+# By pedro@wazuh.com @ Wazuh, Inc.
+
+import sys
+import re
+import os
+
+rules_directory = "/var/ossec/rules/"
+
+def GetRulesList(fulldir, filename):
+ rule_detected = 0
+ rule_description = 0
+ level = ""
+ sidid = ""
+ description = ""
+ pattern_idlevel = re.compile(r'<rule id="(.+?)".+level="(.+?)"')
+ pattern_description = re.compile(r'<description>(.+?)</description>')
+ pattern_endrule = re.compile(r'</rule>')
+ try:
+ with open(fulldir) as f:
+ lines = f.readlines()
+ for line in lines:
+ if rule_detected == 0:
+ match = re.findall(pattern_idlevel, line)
+ if match:
+ rule_detected = 1
+ sidid = match[0][0]
+ level = match[0][1]
+ else:
+ if rule_description == 0:
+ match = re.findall(pattern_description, line)
+ if match:
+ rule_description = 1
+ description = match[0]
+ if rule_description == 1:
+ match = re.findall(pattern_endrule, line)
+ if match:
+ print "%s - Rule %s - Level %s -> %s" % (filename,sidid,level,description)
+ rule_detected = 0
+ rule_description = 0
+ level = ""
+ sidid = ""
+ description = ""
+ except EnvironmentError:
+ print ("Error: OSSEC rules directory does not appear to exist")
+
+if __name__ == "__main__":
+ print ("Reading rules from directory %s") % (rules_directory)
+ for root, directories, filenames in os.walk(rules_directory):
+ for filename in filenames:
+ if filename[-4:] == ".xml":
+ GetRulesList(os.path.join(root,filename), filename)
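Review bot: A `<rule>` element with no `<description>` child never resets the parser state in GetRulesList, because the `pattern_endrule` lookup runs only once `rule_description == 1`; the next rule's `<rule id=… level=…>` line is then skipped (`rule_detected` is still 1) and its description is printed against the previous rule's `sidid` and `level`. Move the closing-tag check out from under that guard so every `</rule>` resets `rule_detected`, `rule_description` and the three fields, keeping the output unchanged by printing only when a description was captured: `if re.findall(pattern_endrule, line):` followed by `if rule_description == 1:` around the existing `print`. The `except EnvironmentError` message "rules directory does not appear to exist" is also misleading, since `os.walk` on a missing `rules_directory` yields nothing silently and the exception can only come from opening an individual file (for example a permission error); a check in `__main__` such as `if not os.path.isdir(rules_directory): sys.exit("Error: rules directory %s does not exist" % rules_directory)` would cover the stated case and give `sys` a use. Finally, the bare `print "…" % (…)` in GetRulesList and the `print ("…") % (rules_directory)` form in `__main__` only work under the Python 2 print statement (the latter would raise TypeError on Python 3), which the header comment or shebang should state explicitly.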