OSSEC Rule Converter

Having just written my first OSSEC rules (OSSEC Kismet Alert Rules), I decided it was too hard to see what was going on with them when editing them in an XML file, so I wrote this little app which takes a CSV file and converts it into a rules file.

To use the app you need to create a CSV laid out in the following way:

  • Line 1: Column headings, this line is expected but ignored
  • Line 2: The name attribute of the opening group tag
  • Lines 3 onwards: These follow the column headings. Make sure you define a unique rule ID for each rule in column 1.

My rules are only interested in matching the action field, so if column F contains a value then it will go into a match tag in the rule. If you want to match a different field, or extra ones, then it is a simple case of adding them in around line 73, then adding a new check and output similar to lines 82 to 84. If anyone needs help with this let me know and I'll see what I can do.

Usage is fairly simple, just pass in the input CSV filename and, optionally, the output XML filename. If the XML filename isn't given then the output will be sent to stdout. I've included the CSV file used to create my Kismet rules and the XML file they output.
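The CSV layout described above, as an added Python sketch; it is not the app offered for download here, and the line numbers mentioned earlier refer to that app, not to this code. Only the heading line, the group name on line 2, the unique rule ID in column A and the match value in column F come from this page; putting the level in column B and the description in column C is an assumption, and columns D and E are ignored.

```python
import csv
import io
from xml.sax.saxutils import escape, quoteattr

# Constructed sample input. Assumed layout: A = rule ID, B = level,
# C = description, D and E unused here, F = match (A and F are from the page).
SAMPLE_CSV = """Rule ID,Level,Description,D,E,Match
kismet
100001,8,Deauth flood & spoofing,,,DEAUTHFLOOD
100002,5,Generic Kismet alert,,,
"""

def csv_to_rules(text):
    """Convert CSV text in the layout above into an OSSEC rules group."""
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) < 3:
        raise ValueError("need a heading line, a group name line and a rule")
    group = rows[1][0].strip() if rows[1] else ""
    if not group:
        raise ValueError("line 2: group name is empty")
    out = [f"<group name={quoteattr(group)}>"]  # line 1 (headings) is ignored
    seen = set()
    for lineno, row in enumerate(rows[2:], start=3):
        if not any(cell.strip() for cell in row):
            continue  # tolerate blank lines
        cells = [c.strip() for c in row] + [""] * 6  # pad short rows
        rule_id, level, desc, match = cells[0], cells[1], cells[2], cells[5]
        if not rule_id.isdigit():
            raise ValueError(f"line {lineno}: rule ID {rule_id!r} is not numeric")
        if rule_id in seen:  # duplicate IDs would collide once the rules load
            raise ValueError(f"line {lineno}: duplicate rule ID {rule_id}")
        seen.add(rule_id)
        if not level.isdigit():
            raise ValueError(f"line {lineno}: level {level!r} is not numeric")
        out.append(f'  <rule id="{rule_id}" level="{level}">')
        if match:  # column F is optional; emit <match> only when it is filled
            out.append(f"    <match>{escape(match)}</match>")
        out.append(f"    <description>{escape(desc)}</description>")
        out.append("  </rule>")
    out.append("</group>")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(csv_to_rules(SAMPLE_CSV), end="")
```

Escaping the CSV values keeps a stray `&` or `<` in a description from producing a rules file that fails to parse.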

Download OSSEC Rule Converter.
