A number of the services and daemons I run on my OSSEC network don't have rules and decoders in the default OSSEC install. It's not uncommon for me to fire up mutt and see a number of 1002's in my mailbox from unsupported or less supported daemons. To deal with this I write rules and decoders for most of the daemons I use. I don't like to see log messages that don't have a corresponding OSSEC rule, even if they are benign.
Due to my sometimes odd choices in software I've had to write quite a few rules. They started out bad, really bad. I think I've gotten a bit better at writing rules though, mostly with the help of the OSSEC community. I even contribute decoders and rules back to the project. Of course Daniel Cid is a busy man, and doesn't always have time to look over my work. So I created an unofficial OSSEC rules repository. This repo contains rules and decoders that I'm working on.
The rules and decoders I've written are not part of the OSSEC project; this is something I've been doing on my own. You can't blame OSSEC for any of the (many) mistakes I've made with them. My plan is to make regular(-ish) releases of these rulesets, available for anyone to download and use. I'm slowly integrating my rule changes into the default OSSEC ruleset, and occasionally bugging dcid to pull my changes into the main tree.
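To show what a decoder and rule pair for an otherwise unsupported daemon looks like, here is an added example of my own construction, not code from the author's repository. The daemon name `exampled`, the sample log line, and rule ids 100100 to 100102 (taken from the 100000-119999 range reserved for local rules) are all assumptions; the goal is that every `exampled` message is decoded and lands on its own rule rather than falling through to the generic rule 1002.

```xml
<!-- etc/decoder.xml fragment (added example, hypothetical daemon "exampled").
     Constructed sample syslog line to test with:
     Mar  1 12:00:01 host exampled[1234]: auth failed for user bob from 192.0.2.10 -->

<!-- Parent decoder: claims every line whose syslog program name is exampled. -->
<decoder name="exampled">
  <program_name>^exampled</program_name>
</decoder>

<!-- Child decoder: only auth messages; pulls out result, user and source ip.
     In OSSEC regex "." matches any character, so \d+.\d+.\d+.\d+ is the usual ip pattern. -->
<decoder name="exampled-auth">
  <parent>exampled</parent>
  <prematch>^auth </prematch>
  <regex offset="after_prematch">^(\w+) for user (\S+) from (\d+.\d+.\d+.\d+)</regex>
  <order>status, user, srcip</order>
</decoder>

<!-- rules/exampled_rules.xml fragment (added example). Reference it from ossec.conf with
     <rules><include>exampled_rules.xml</include></rules> -->
<group name="local,exampled,">
  <!-- Level-0 base rule: gives every decoded exampled line a home so the
       generic "Unknown problem" rule 1002 no longer fires on benign messages. -->
  <rule id="100100" level="0">
    <decoded_as>exampled</decoded_as>
    <description>exampled messages grouped.</description>
  </rule>

  <!-- Single authentication failure, keyed on the decoded status field. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>failed</status>
    <description>exampled: authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Six failures from the same source ip within two minutes escalates. -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>exampled: multiple authentication failures from same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Feed the sample line to `/var/ossec/bin/ossec-logtest` on stdin to confirm the decoder fields and the rule id it lands on before copying the files into place.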
I currently have 4 files ready for download. wip-ossec-rules-2.5.1.2.tar.gz is a tarball of the rule files and decoder (rules/*_rules.xml and etc/decoder.xml). It also contains a file (etc/rules.config) with the information you will need to put in ossec.conf to use the new rules. Untar the tarball in a temporary directory and copy the files over from there. You can use ossec-logtest to test the rules and decoders before deploying them.
wip-ossec-rules-2.5.1.2.tar.gz.sig is the signature file to check with GnuPG or PGP. pubkey.txt is the gpg key, and wip-ossec-rules-2.5.1.2.cksum is the sha1/md5 checksum file.
I plan on numbering the releases for these WIP rules based on the version of OSSEC that's out at the time. For instance the number above, 2.5.1.2, is release 2 for version 2.5.1. The next release I do will be 22.214.171.124.
The first release included the local_rules.xml, which I thought was unnecessary. The second release also puts rule 5719 into the invalid_login group.
If you use these rules and decoders, please let me know if you have any issues. Open up a trouble ticket, send me an email, hit me up on Twitter, I'm ddpbsd on freenode (in #ossec, of course!), whatever. Just let me know. I'll fix any issues as fast as I possibly can.
Contributions will also be accepted. If you look through the rulesets you'll see names other than my own. I currently take rules, decoders, and log messages off of various mailing lists or Google searches (with some obfuscation) and use them for this little project. So don't be surprised if you see a log message you submitted to a mailing list at some point. I do try to credit the original source when possible.
I know I've got a lot of work ahead of me with this "little" project, but I'm looking forward to it. It's taught me a lot so far, and I know I still have a lot to learn.