Rules
owLSM rules are Sigma-like rules.
We are working to support as many Sigma rule features as possible, especially in the detection part, and are actively aligning owLSM rules with Sigma rules.
To fully understand owLSM rules, we strongly advise reading the detection section of the sigma-rules-specification first.
Rule Examples
```yaml
id: 1
description: "Block curl from reading SSH keys"
min_version: "1.0.0"
max_version: "2.0.0"
action: "BLOCK_EVENT"
events:
  - READ
detection:
  selection:
    target.file.path|contains: ".ssh"
    process.file.filename: "curl"
  condition: selection
```

```yaml
id: 200
description: "Block suspicious outbound connections to known C2 patterns"
action: "BLOCK_KILL_PROCESS"
events:
  - NETWORK
detection:
  selection_outbound:
    network.direction: "OUTGOING"
  selection_suspicious_ports:
    network.destination_port:
      - 4444
      - 5555
      - 6666
  selection_suspicious_process:
    process.file.filename|endswith:
      - ".sh"
      - "python"
      - "perl"
      - "ruby"
  selection_internal_ranges:
    network.destination_ip|cidr:
      - "212.0.0.0/8"
      - "2607:f8b0:4000::/36"
      - "2001:0db8:85a3:0000:0000:8a2e:0370:0000/112"
  filter_known_good:
    process.file.path|startswith:
      - "/usr/bin/apt"
      - "/usr/bin/dnf"
      - "/usr/bin/yum"
    process.euid: 0
  condition: selection_outbound and (selection_suspicious_ports or selection_internal_ranges) and selection_suspicious_process and not filter_known_good
```

```yaml
id: 50
description: "Block suspicious access to /etc/passwd from processes in /tmp"
action: "BLOCK_KILL_PROCESS"
events:
  - CHMOD
  - CHOWN
  - READ
  - WRITE
detection:
  selection_target:
    target.file.path: "/etc/passwd"
  selection_process_in_tmp:
    process.file.path|startswith: "/tmp"
  selection_parent_in_tmp:
    parent_process.file.path|startswith: "/tmp"
  condition: selection_target and (selection_process_in_tmp or selection_parent_in_tmp)
```
Rule Components
id
The rule ID determines the evaluation order when matching rules against events. Rules with lower IDs are evaluated first (e.g., rule 1 is evaluated before rule 7).
Rule matching stops at the first match. If rule 1 matches an event, rule 2 and subsequent rules are not evaluated, and the event is handled according to rule 1's action.
This behavior differs from most Sigma engines, which process all rules and accumulate actions. However, this first-match approach is significantly more efficient, which is critical for inline syscall monitoring.
description
This is included in the event output when the rule matches.
action
ALLOW_EVENT - Do nothing. Event is sent normally.
BLOCK_EVENT - Blocks syscall/operation.
BLOCK_KILL_PROCESS - Block the event and terminate the process that performed the action.
BLOCK_KILL_PROCESS_KILL_PARENT - Block the event and terminate the process that performed the action and its parent.
KILL_PROCESS - Does not block the event, but terminates the process that performed the action.
EXCLUDE_EVENT - Don't send the event. Good for reducing unwanted noise.
events
A rule can be applied to one or more event types. See `Multi-Event Example` at the top.
EXEC - rules for exec events.
CHMOD - rules for chmod events.
CHOWN - rules for chown events.
READ - rules for read events. Only on regular files and symlinks.
WRITE - rules for write events. Only on regular files and symlinks.
UNLINK - rules for unlink events (file deletion).
FILE_CREATE - rules for file creation events.
MKDIR - rules for directory creation events.
RMDIR - rules for directory deletion events.
RENAME - rules for file renaming events (moving a file).
NETWORK - rules for network related events. Currently TCP connection only.
The fields that you use in a rule must correspond to the event types you specified.
If you specify both CHMOD and CHOWN, you can't use the field chmod.requested_mode, as it corresponds only to CHMOD and not to CHOWN.
This will become clearer after you read the `Available Fields` section.
min_version
If the running owLSM version is below this value, the rule will be skipped during loading.
Format: "MAJOR.MINOR.PATCH" (e.g., "1.0.0", "2.5.10"). Leading zeros are not allowed (e.g., "01.0.0" is invalid).
max_version
If the running owLSM version is above this value, the rule will be skipped during loading.
Format: "MAJOR.MINOR.PATCH" (e.g., "1.0.0", "2.5.10"). Leading zeros are not allowed (e.g., "01.0.0" is invalid).
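The loading gate described under min_version and max_version, as an added Python illustration (written for this page, not owLSM's loader): versions are parsed into integer tuples so that 1.10.0 sorts after 1.9.0, leading zeros are rejected, and a rule is skipped when the running version is below min_version or above max_version. The function names are assumed, as is the behaviour that a rule without a bound loads unconditionally.

```python
import re

VERSION_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")  # MAJOR.MINOR.PATCH, no leading zeros

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple so versions compare numerically, not as strings."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"invalid version string: {text!r}")   # e.g. '01.0.0' or '1.0'
    return tuple(int(part) for part in m.groups())

def rule_is_loadable(rule, running_version):
    """min_version / max_version gate from the text above: skip a rule when the running owLSM
    version is below min_version or above max_version. Assumed: a missing bound does not restrict."""
    running = parse_version(running_version)
    lo, hi = rule.get("min_version"), rule.get("max_version")
    if lo is not None and running < parse_version(lo):
        return False
    if hi is not None and running > parse_version(hi):
        return False
    return True

# Constructed rule header mirroring the first example on this page (id 1).
RULE_1 = {"id": 1, "min_version": "1.0.0", "max_version": "2.0.0"}
```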
detection
It contains one or more named selections and a condition that combines them.
selection
Each selection is a named group that organizes detections for readability and filtering.
AND / OR Logic:
Sigma uses YAML structure to represent logical operations:
• AND logic: Multiple fields within a selection (dictionary/object syntax)
• OR logic: Multiple values for a single field (list syntax)
Selection names can be any valid identifier (e.g., selection, selection_files, filter_allowed).
Example with multiple values (OR logic):
```yaml
selection:
  process.file.filename|endswith:
    - ".sh"
    - ".py"
    - ".pl"
```
Keywords (field-less selection):
Keywords are a special type of search where you don't specify a field name.
Using keyword, we can search for a string across all the event string fields.
This is useful for broad searches when we don't want to target a specific field.
```yaml
# OR logic - match ANY keyword in ANY string field
keywords:
  - "malware"
  - "*.evil.com"
# AND logic - ALL keywords must match (can be in different fields)
keywords|all:
  - "admin"
  - "/etc/shadow"
```
• Keywords expand to all string fields, which impacts performance
• The same wildcard rules apply as for string modifiers
• Cannot be used with field-specific modifiers like cidr
• The rule token maximum is reached very easily when using keywords.
condition
This is what actually determines the logic of the rule.
Operators:
• and - Both must match
• or - Either must match
• not - Negation
• Parentheses () for grouping
Special Conditions:
• 1 of selection_* - Match any one selection with that prefix
• all of selection_* - Match all selections with that prefix
• X of them - Match at least X of all defined selections
• X of selection_* - Match at least X selections with that prefix (e.g., 2 of selection_*)
Limitations:
• Maximum 128 tokens per rule expression (MAX_TOKENS_PER_RULE)
Examples:
```yaml
# Simple
condition: selection
# Multiple selections
condition: selection_files and selection_process
# With negation (whitelist filter)
condition: selection_target and not filter_allowed
# Complex grouping
condition: (selection_a or selection_b) and selection_c and not filter
# X of patterns
condition: 2 of them
condition: 1 of selection_*
condition: 3 of selection_suspicious_*
```
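The condition grammar above (not, and, or, parentheses, and the `X of` forms), implemented as an added Python example written for this page rather than taken from owLSM. It takes the per-selection match results as a dict of booleans; the RESULTS values are constructed to describe one event against the rule 200 example at the top, and the token check only approximates owLSM's tree-node limit.

```python
import re

MAX_TOKENS_PER_RULE = 128     # limit from this page's Limitations table

def eval_condition(cond, results):
    """Evaluate a condition over {selection_name: bool}. Precedence: not > and > or; '()' groups."""
    toks = re.findall(r"\(|\)|(?:\d+|all) of [\w*]+|\w+", cond)
    if len(toks) > MAX_TOKENS_PER_RULE:        # rough stand-in for owLSM's tree-node limit
        raise ValueError("condition exceeds MAX_TOKENS_PER_RULE")
    pos = 0

    def atom():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            value = expr()
            pos += 1                           # consume the matching ')'
            return value
        if tok == "not":
            return not atom()
        if " of " in tok:                      # '1 of selection_*', '2 of them', 'all of selection_*'
            count, pattern = tok.split(" of ")
            names = [n for n in results if pattern == "them" or n.startswith(pattern.rstrip("*"))]
            hits = sum(results[n] for n in names)
            return hits == len(names) if count == "all" else hits >= int(count)
        return results[tok]                    # KeyError if the condition names an undefined selection

    def chain(sub, word):                      # left-assoc and/or; sub() always runs so tokens get consumed
        nonlocal pos
        value = sub()
        while pos < len(toks) and toks[pos] == word:
            pos += 1
            nxt = sub()
            value = (value and nxt) if word == "and" else (value or nxt)
        return value

    def expr():
        return chain(lambda: chain(atom, "and"), "or")

    return expr()

# Constructed per-selection results for the rule 200 example at the top: outbound, to port 4444,
# from a "python" process, not to an internal range, and not matching the known-good filter.
RESULTS = {"selection_outbound": True, "selection_suspicious_ports": True,
           "selection_internal_ranges": False, "selection_suspicious_process": True,
           "filter_known_good": False}
RULE_200_CONDITION = ("selection_outbound and (selection_suspicious_ports or selection_internal_ranges) "
                      "and selection_suspicious_process and not filter_known_good")

if __name__ == "__main__":
    print(eval_condition(RULE_200_CONDITION, RESULTS))            # True
    print(eval_condition("3 of selection_suspicious_*", RESULTS))  # False: only two selections carry that prefix
```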
Available Modifiers
Modifiers specify how field values are compared.
String Modifiers
| Modifier | Syntax | Description |
|---|---|---|
| exactmatch | `field: "value"` | Exact string match (default) |
| contains | `field\|contains: "value"` | Substring match |
| startswith | `field\|startswith: "value"` | Prefix match |
| endswith | `field\|endswith: "value"` | Suffix match |
Limitation: Rule string values are capped at 32 characters.
Negation Modifier
| Modifier | Syntax | Description |
|---|---|---|
| neq | `field\|neq: "value"` | Not equal — true when the field does not equal the value |
neq only accepts a single scalar value (not a list) and cannot be combined with any other modifier or quantifier.
```yaml
detection:
  sel_not_target:
    target.file.path|neq: "/etc/target.txt"
  sel_not_root:
    process.euid|neq: 0
  condition: sel_not_target and sel_not_root
```
Numeric Modifiers
| Modifier | Syntax | Description |
|---|---|---|
| equal | `field: value` | Exact numeric match (default) |
| above / gt | `field\|gt: value` | Greater than |
| below / lt | `field\|lt: value` | Less than |
| equal_above / gte | `field\|gte: value` | Greater than or equal |
| equal_below / lte | `field\|lte: value` | Less than or equal |
Network Modifiers
| Modifier | Syntax | Description |
|---|---|---|
| cidr | `field\|cidr: "10.0.0.0/8"` | CIDR network match for IP addresses |
Quantifier Modifier
| Modifier | Syntax | Description |
|---|---|---|
| all | `field\|all: [values]` | All values must match (AND logic instead of default OR) |
By default, when a field has multiple values (list), any one match is sufficient (OR logic). The all modifier changes this to require all values to match (AND logic).
It can be combined with string modifiers like contains, startswith and endswith.
```yaml
detection:
  sel:
    process.cmd|contains|all:
      - "sudo"
      - "rm"
  condition: sel
```
Field Reference Modifier
| Modifier | Syntax | Description |
|---|---|---|
| fieldref | `field\|fieldref: "other_field"` | Compare one field against another field at runtime |
The fieldref modifier compares a field against the runtime value of another field, instead of a static value. The value must be a single valid field name.
Both fields must be the same type (both string, both numeric, or both enum).
Supported fieldref combinations:
• String fields: can be combined with startswith or endswith
• Numeric fields: can be combined with all numeric modifiers
• Enum fields: no additional modifiers supported (only exact match or neq)
• Cannot be combined with all, cidr, or IP fields
```yaml
detection:
  sel_filename:
    target.file.path|fieldref|endswith: process.file.filename
  sel_same_uid:
    process.ruid|fieldref: process.euid
  condition: sel_filename and sel_same_uid
```
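An added Python example (not owLSM code) that evaluates the string, neq, numeric, cidr, all and fieldref modifiers documented above against a constructed NETWORK event, with selections lifted from the rule 200 example at the top. It assumes events are flat dicts keyed by the field names from the `Available Fields` section, and assumes the 32-character string cap does not apply to cidr values (rule 200 itself carries a 43-character IPv6 prefix).

```python
import ipaddress

MAX_NEEDLE_LENGTH = 32    # rule string cap from this page's Limitations table

# One comparison per modifier documented above (mini-evaluator written for this page, not owLSM code).
OPS = {
    "eq": lambda a, v: a == v,                    "neq": lambda a, v: a != v,
    "contains": lambda a, v: v in a,              "startswith": lambda a, v: a.startswith(v),
    "endswith": lambda a, v: a.endswith(v),
    "gt": lambda a, v: a > v,                     "lt": lambda a, v: a < v,
    "gte": lambda a, v: a >= v,                   "lte": lambda a, v: a <= v,
    "cidr": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v, strict=False),
}
OPS.update(above=OPS["gt"], below=OPS["lt"], equal_above=OPS["gte"], equal_below=OPS["lte"])

def field_matches(event, key, spec):
    """Evaluate one 'field|modifier...: value-or-list' entry against a flat event dict."""
    name, *mods = key.split("|")
    values = spec if isinstance(spec, list) else [spec]
    if "neq" in mods and (len(values) != 1 or len(mods) != 1):
        raise ValueError("neq takes a single scalar value and no other modifier")
    op = ([m for m in mods if m not in ("fieldref", "all")] or ["eq"])[0]
    if op != "cidr" and any(isinstance(v, str) and len(v) > MAX_NEEDLE_LENGTH for v in values):
        raise ValueError(f"rule string longer than MAX_NEEDLE_LENGTH ({MAX_NEEDLE_LENGTH})")  # assumed: not for cidr
    if "fieldref" in mods:                        # compare against another field's runtime value
        values = [event.get(v) for v in values]
    actual = event.get(name)
    if actual is None or None in values:          # field not present for this event type: no match
        return False
    hits = [OPS[op](actual, v) for v in values]
    return all(hits) if "all" in mods else any(hits)   # a list is OR unless 'all' is present

def selection_matches(event, selection):
    """Fields inside one selection are AND-ed; values inside one field are OR-ed (AND-ed with 'all')."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed NETWORK event: a "python" process running as root connects out to port 4444.
EVENT = {"process.file.filename": "python", "process.file.path": "/usr/bin/python",
         "process.euid": 0, "process.ruid": 1000, "process.cmd": "sudo rm -rf /var/log",
         "network.direction": "OUTGOING", "network.destination_ip": "212.10.20.30",
         "network.destination_port": 4444}
# Selections taken from the rule 200 example at the top plus the neq, all and fieldref examples above.
SELECTIONS = {
    "selection_suspicious_ports": {"network.destination_port": [4444, 5555, 6666]},
    "selection_suspicious_process": {"process.file.filename|endswith": [".sh", "python", "perl", "ruby"]},
    "selection_internal_ranges": {"network.destination_ip|cidr": ["212.0.0.0/8", "2607:f8b0:4000::/36"]},
    "filter_known_good": {"process.file.path|startswith": ["/usr/bin/apt", "/usr/bin/dnf"], "process.euid": 0},
    "sel_not_root": {"process.euid|neq": 0},
    "sel_sudo_rm": {"process.cmd|contains|all": ["sudo", "rm"]},
    "sel_same_uid": {"process.ruid|fieldref": "process.euid"},
}

def evaluate_selections(event=EVENT, selections=SELECTIONS):
    """Return {selection_name: matched?} for every selection; this is what the condition combines."""
    return {name: selection_matches(event, sel) for name, sel in selections.items()}
```

Note that endswith "python" does not match a filename of python3, so the rule 200 process selection as written would miss such binaries.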
Placeholder Expansion Modifier
| Modifier | Syntax | Description |
|---|---|---|
| expand | `field\|expand: "%placeholder%"` | Expand a placeholder to a list of values at rule generation time |
The expand modifier enables conversion-time placeholders. Values wrapped in %name% are replaced with a list of concrete values from a placeholder definitions file during rule generation.
This lets you maintain shared value lists (e.g., critical paths, admin users) in a single file and reference them across many rules.
Placeholder file format (YAML):
```yaml
# placeholder_values.yml
critical_paths:
  - "/etc/shadow"
  - "/etc/passwd"
  - "/etc/sudoers"
shells:
  - "bash"
  - "zsh"
```
Rule using placeholders:
```yaml
detection:
  sel_path:
    target.file.path|expand: "%critical_paths%"
  sel_shell:
    process.file.filename|contains|expand: "%shells%"
  condition: sel_path and sel_shell
```
It can be combined with string modifiers and the all quantifier.
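The generation-time expansion described above, as an added Python example (not owLSM's own tooling): the placeholder file is represented as an already-parsed dict, each expand field's value is replaced by the placeholder's list, and the expand modifier is stripped from the key while other modifiers (contains, all) are kept. It goes slightly beyond the text by also expanding a placeholder that sits in a list next to literal values; the function names are assumed.

```python
import re

PLACEHOLDER = re.compile(r"^%(\w+)%$")      # a placeholder value is exactly one %name%

# Constructed stand-in for the parsed placeholder_values.yml shown above.
PLACEHOLDER_VALUES = {
    "critical_paths": ["/etc/shadow", "/etc/passwd", "/etc/sudoers"],
    "shells": ["bash", "zsh"],
}

def expand_value(key, value, placeholders):
    """Replace every %name% in a scalar or list with that placeholder's values; literals are kept."""
    out = []
    for item in (value if isinstance(value, list) else [value]):
        m = PLACEHOLDER.match(item) if isinstance(item, str) else None
        if m is None:
            out.append(item)                     # a literal value passes through unchanged
        elif m.group(1) not in placeholders:
            raise KeyError(f"{key}: unknown placeholder %{m.group(1)}%")
        else:
            out.extend(placeholders[m.group(1)])
    return out

def expand_detection(detection, placeholders=PLACEHOLDER_VALUES):
    """Produce the concrete detection block: substitute each 'expand' field's values and
    drop the expand modifier from its key, leaving the remaining modifiers (contains, all, ...)."""
    out = {}
    for sel_name, selection in detection.items():
        if sel_name == "condition":
            out[sel_name] = selection
            continue
        new_sel = {}
        for key, value in selection.items():
            mods = key.split("|")
            if "expand" in mods:
                mods.remove("expand")
                value = expand_value(key, value, placeholders)
            new_sel["|".join(mods)] = value
        out[sel_name] = new_sel
    return out

# The 'Rule using placeholders' detection block from above, as a parsed dict.
RULE_DETECTION = {
    "sel_path": {"target.file.path|expand": "%critical_paths%"},
    "sel_shell": {"process.file.filename|contains|expand": "%shells%"},
    "condition": "sel_path and sel_shell",
}
```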
Available Fields
Fields are the rule attributes that match against event attributes.
Each field has a type (string, numeric, ip, or enum) that determines which modifiers can be used.
Some fields are available for all events, while others are specific to certain event types.
Process Fields — The process that triggered the event
Available for events: ALL
| Field | Type | Description |
|---|---|---|
| process.pid | numeric | Process ID |
| process.ppid | numeric | Parent process ID |
| process.ruid | numeric | Real user ID |
| process.rgid | numeric | Real group ID |
| process.euid | numeric | Effective user ID |
| process.egid | numeric | Effective group ID |
| process.suid | numeric | SUID |
| process.ptrace_flags | numeric | Ptrace flags |
| process.cmd | string | Command line arguments |
| process.shell_command | string | (Beta) Shell command typed in an interactive session. See Shell Commands |
| process.file.path | string | Executable full path |
| process.file.filename | string | Executable filename |
| process.file.owner.uid | numeric | Executable owner UID |
| process.file.owner.gid | numeric | Executable owner GID |
| process.file.mode | numeric | Executable permissions |
| process.file.suid | numeric | Executable SUID bit |
| process.file.sgid | numeric | Executable SGID bit |
| process.file.nlink | numeric | Executable hard link count |
| process.file.type | enum FILE_TYPE | Executable file type |
Parent Process Fields — The parent of the process that triggered the event
Available for events: ALL
| Field | Type | Description |
|---|---|---|
| parent_process.pid | numeric | Parent process ID |
| parent_process.ppid | numeric | Grandparent process ID |
| parent_process.ruid | numeric | Real user ID |
| parent_process.rgid | numeric | Real group ID |
| parent_process.euid | numeric | Effective user ID |
| parent_process.egid | numeric | Effective group ID |
| parent_process.suid | numeric | SUID |
| parent_process.ptrace_flags | numeric | Ptrace flags |
| parent_process.cmd | string | Command line arguments |
| parent_process.shell_command | string | (Beta) Shell command typed in an interactive session. See Shell Commands |
| parent_process.file.path | string | Executable full path |
| parent_process.file.filename | string | Executable filename |
| parent_process.file.owner.uid | numeric | Executable owner UID |
| parent_process.file.owner.gid | numeric | Executable owner GID |
| parent_process.file.mode | numeric | Executable permissions |
| parent_process.file.suid | numeric | Executable SUID bit |
| parent_process.file.sgid | numeric | Executable SGID bit |
| parent_process.file.nlink | numeric | Executable hard link count |
| parent_process.file.type | enum FILE_TYPE | Executable file type |
Target File Fields — The file that the action is performed on
Available for events: CHMOD, CHOWN, READ, WRITE, UNLINK, FILE_CREATE, MKDIR, RMDIR
| Field | Type | Description |
|---|---|---|
| target.file.path | string | Target file full path |
| target.file.filename | string | Target filename |
| target.file.owner.uid | numeric | Target file owner UID |
| target.file.owner.gid | numeric | Target file owner GID |
| target.file.mode | numeric | Target file permissions |
| target.file.suid | numeric | Target file SUID bit |
| target.file.sgid | numeric | Target file SGID bit |
| target.file.nlink | numeric | Target file hard link count |
| target.file.type | enum FILE_TYPE | Target file type |
Target Process Fields — The target process of the event
Available for events: EXEC
| Field | Type | Description |
|---|---|---|
| target.process.pid | numeric | Target process ID |
| target.process.ppid | numeric | Target parent process ID |
| target.process.ruid | numeric | Real user ID |
| target.process.rgid | numeric | Real group ID |
| target.process.euid | numeric | Effective user ID |
| target.process.egid | numeric | Effective group ID |
| target.process.suid | numeric | SUID |
| target.process.ptrace_flags | numeric | Ptrace flags |
| target.process.cmd | string | Command line arguments |
| target.process.shell_command | string | (Beta) Shell command typed in an interactive session. See Shell Commands |
| target.process.file.path | string | Executable full path |
| target.process.file.filename | string | Executable filename |
| target.process.file.owner.uid | numeric | Executable owner UID |
| target.process.file.owner.gid | numeric | Executable owner GID |
| target.process.file.mode | numeric | Executable permissions |
| target.process.file.suid | numeric | Executable SUID bit |
| target.process.file.sgid | numeric | Executable SGID bit |
| target.process.file.nlink | numeric | Executable hard link count |
| target.process.file.type | enum FILE_TYPE | Executable file type |
Network Fields — Network connection fields
Available for events: NETWORK
| Field | Type | Description |
|---|---|---|
| network.source_ip | string | Source IP address |
| network.source_port | numeric | Source port number |
| network.destination_ip | string | Destination IP address |
| network.destination_port | numeric | Destination port number |
| network.direction | enum CONNECTION_DIRECTION | Connection direction |
CHMOD Event Fields — chmod specific fields
Available for events: CHMOD
| Field | Type | Description |
|---|---|---|
| chmod.requested_mode | numeric | Requested permission mode |
RENAME Event Fields — File rename source and destination fields
Available for events: RENAME
| Field | Type | Description |
|---|---|---|
| rename.source_file.path | string | Source file full path |
| rename.source_file.filename | string | Source filename |
| rename.source_file.owner.uid | numeric | Source file owner UID |
| rename.source_file.owner.gid | numeric | Source file owner GID |
| rename.source_file.mode | numeric | Source file permissions |
| rename.source_file.suid | numeric | Source file SUID bit |
| rename.source_file.sgid | numeric | Source file SGID bit |
| rename.source_file.nlink | numeric | Source file hard link count |
| rename.source_file.type | enum FILE_TYPE | Source file type |
| rename.destination_file.path | string | Destination file full path |
| rename.destination_file.filename | string | Destination filename |
| rename.destination_file.owner.uid | numeric | Destination file owner UID |
| rename.destination_file.owner.gid | numeric | Destination file owner GID |
| rename.destination_file.mode | numeric | Destination file permissions |
| rename.destination_file.suid | numeric | Destination file SUID bit |
| rename.destination_file.sgid | numeric | Destination file SGID bit |
| rename.destination_file.nlink | numeric | Destination file hard link count |
| rename.destination_file.type | enum FILE_TYPE | Destination file type |
Enums
FILE_TYPE
| Value | Description |
|---|---|
| UNKNOWN_FILE_TYPE | Unknown or unrecognized file type |
| REGULAR_FILE | Regular file |
| DIRECTORY | Directory |
| SYMLINK | Symbolic link |
| BLOCK_DEVICE | Block device |
| CHAR_DEVICE | Character device |
| SOCKET | Socket |
| FIFO | Named pipe (FIFO) |
| NO_FILE | No file (e.g. anonymous fd) |
CONNECTION_DIRECTION
| Value | Description |
|---|---|
| INCOMING | Inbound connection |
| OUTGOING | Outbound connection |
Limitations
| Constant | Value | Description |
|---|---|---|
| MAX_NEEDLE_LENGTH | 32 | Maximum rule string length |
| MAX_TOKENS_PER_RULE | 128 | Maximum tokens in a rule expression. Rules are converted to trees; a token is equivalent to a tree node (modifiable) |
| MAX_RULES_PER_MAP | 100 | Maximum rules per event type (modifiable) |
Case Sensitivity — Everything in owLSM rules is case sensitive!
Other Sigma Keys — Standard Sigma keys such as title, logsource, etc. are allowed in owLSM rules but are ignored.