[ossec-list] Re: rule chaining
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: rule chaining
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 8 Aug 2007 22:10:28 -0300
Hi Josh,
Reply inline...
On 8/8/07, Josh Drummond <jdrummon@xxxxxxx> wrote:
>
>
> I've set up custom decoders and rules for a custom log format I would
> like to monitor.
Can you post them to us? Seeing the decoders/rules will make things easier.
> Everything seems to be working correctly except in
> the case where the custom log just happens to match one of the
> default rules as well (rule #2501, it's matching on "login
> failed").
> So it looks like it is firing off the rule and not
> continuing. I tried writing another local rule that ignores that
> 2501 rule if the <program_name> matches my custom decoded program,
> and this works as well. However, although it now ignores rule #2501
> in that special case, it still doesn't fire off my custom local rule
> that matches it further down the chain. It seems like the first rule
> it finds that matches (or ignores) the log, it stops right there, and
> I'm guessing since it starts with the low-numbered rules (the default
> ones) it will never get to my local rules. Is there a way around this?
Yes, there is. Since you wrote a decoder for your rules, you can write a rule
like:
<rule id="100100" level="0">
<decoded_as>my_custom_decoder</decoded_as>
<description>All the messages from my decoder.</description>
</rule>
And in all your other rules, use "<if_sid>100100</if_sid>".
The way the rules are organized is not based on the id, but on the
severity (starting with level 0, followed by the highest ones). That's why on
most of our rules we have a "grouped" entry with severity 0, just matching on
the decoder, to make sure they are evaluated first... Does it make sense?
> Thanks,
> ~Josh
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
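As an added illustration (not part of the thread above) of the grouping approach Daniel describes, here is what the local rules could look like end to end: the level-0 parent rule from his reply plus a child rule that picks up the "login failed" events Josh mentioned. The decoder name and rule id 100100 come from the message; rule id 100101, level 5, the group name and the description text are assumptions.

```xml
<!-- Added example for local_rules.xml, not from the mailing-list thread.
     Assumed: rule id 100101, level 5, group name "local,custom_app,". -->
<group name="local,custom_app,">

  <!-- Parent rule at level 0. Level-0 rules are evaluated before every
       other level, so this one claims any event produced by the custom
       decoder before a default rule such as 2501 can match it. -->
  <rule id="100100" level="0">
    <decoded_as>my_custom_decoder</decoded_as>
    <description>All the messages from my decoder.</description>
  </rule>

  <!-- Child rule: only evaluated for events that already matched 100100,
       so the text overlap with rule 2501 ("login failed") no longer
       causes the default rule to fire instead of this one. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>login failed</match>
    <description>Custom application: login failed.</description>
  </rule>

</group>
```

Any further rules for this log format follow the same pattern: each one carries `<if_sid>100100</if_sid>` so it hangs off the level-0 parent rather than competing with the default rule set.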
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.