[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: adsl rule

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: adsl rule
From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
Date: Sun, 8 Apr 2007 23:34:53 -0300
Cc: "Martin West" <martin@xxxxxxxxxxxxxxxx>
Content-disposition: inline
Content-transfer-encoding: 7bit
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=jvOs9+FRYSK2U7SVWxKMboEkJ2TTg/XeTkzFLuzBWWLaB3BBtrADP910vHpfc8wupbV7YOqkZblpVQxlgamIOGFMq0mdDJKVsV2q/EHDX4N4K5OZbVgSbileiLoIvtN9BtSTbwrrr+m2Jv3j2RsFq5tdTq5y/zD5xw35UyBwffo=


Hi Martin,

Is the rule working or not working (I wasn't really sure from your
e-mail)? I see that you specified the "decoded_as" on rule 101000, but
did you create a decoder for it? The
decoded_as looks for a valid decoder name on decoders.xml....

If it is not working, try changing rule 101000 to:

<rule id="101000" level="0" noalert="1">
    <program_name>kernel</program_name>
    <description>Grouping for the adsl rules.</description>
</rule>


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 4/7/07, Martin West <martin@xxxxxxxxxxxxxxxx> wrote:


I wrote a rule

<group name="local,syslog,">

  <rule id="101000" level="0" noalert="1">
      <decoded_as>adsl</decoded_as>
      <description>Grouping for the adsl rules.</description>
  </rule>

    <rule id="101001" level="8">
      <if_sid>101000</if_sid>
      <description>Monitor adsl line down</description>
      <match>ADSL line is down</match>
    </rule>

    <rule id="101002" level="8">
      <if_sid>101000</if_sid>
      <description>Monitor adsl line up</description>
      <match>ADSL line is up</match>
    </rule>

</group> <!-- SYSLOG,LOCAL -->

to check for log entries ...

Apr  7 16:57:02 thecla2 kernel: ATM dev 0: ADSL line is down
Apr  7 16:57:03 thecla2 kernel: ATM dev 0: ADSL line is synchronising
Apr  7 16:57:43 thecla2 kernel: ATM dev 0: ADSL line is up (2656 kb/s
down | 448 kb/s up)

However it does seem to trigger, well at least generate an email.

It gets loaded ...

2007/04/04 23:44:34 ossec-analysisd: Reading rules file:
'adsl_rules.xml'

Is it just me or is the documentation a bit sparse?

Thanks Martin West

Follow-Ups:
- [ossec-list] Re: adsl rule
  - From: Martin West

References:
- [ossec-list] SVN v. OSSEC
  - From: Steven Ourada
- [ossec-list] Re: SVN v. OSSEC
  - From: Martin West
- [ossec-list] adsl rule
  - From: Martin West

Prev by Date: [ossec-list] adsl rule
Next by Date: [ossec-list] Re: SVN v. OSSEC
Previous by thread: [ossec-list] adsl rule
Next by thread: [ossec-list] Re: adsl rule
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.