[ossec-list] Re: Problem with frequencies rule...
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Problem with frequencies rule...
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 10 Oct 2007 19:33:55 -0300
- Cc: "Daniel Rubio" <drubio@xxxxxxxx>
Hi Daniel,
You got very close with the second rule. Just change it to:
<rule id="81010" level="0">
  <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
</rule>
<rule id="81011" level="10" frequency="3" timeframe="60">
  <if_matched_sid>81010</if_matched_sid>
  <description>Qmail te problemes per enviar...</description>
</rule>
Whenever you want to look at multiple events, always use if_matched_sid or
if_matched_group.
This document can be helpful to understand it:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/10/07, Daniel Rubio <drubio@xxxxxxxx> wrote:
>
> Hi
>
> First, congrats on OSSEC, it's a wonderful tool!!
> Now the question :D
>
> I'm trying to write a "simple" rule to detect if our mail server is
> having problems sending mail outside.
> We use qmail, which uses tai64 to record time, but I've done a simple
> script to transform the file values to a human-readable format:
>
> 2007-10-10 11:04:35.314480500 delivery 5263203: deferral:
> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>
> The rule is as follows:
>
> <rule id="81011" level="10" frequency="5" timeframe="120">
>   <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
>   <description>Qmail te problemes per enviar...</description>
> </rule>
>
> But it doesn't fire (I've checked that it should have)...
>
> I've also tried with:
>
> <rule id="81010" level="0">
>   <match>t_able_to_establish_an_SMTP_connection._(#4.4.1)</match>
> </rule>
> <rule id="81011" level="10" frequency="3" timeframe="60">
>   <if_sid>81010</if_sid>
>   <description>Qmail te problemes per enviar...</description>
> </rule>
>
> But nothing happens, I've only been able to hit the simple rule (without
> timeframe)...
>
> Is it necessary to put an if_matched_sid or if_sid in the
> frequency-timeframe rules, or could it work with only a simple match
> sentence (like the first one)?
> If it's necessary, do I have to put another rule below this one? What if
> the thing I want to catch has been caught previously?
> Could the problem be the time format returned by tai64nlocal (2007-10-10
> 11:49:33.204450500)?
>
> Thanks in advance
>
>
>
> --
> ********************************************************
> Daniel Rubio Rodríguez
> OASI (Organisme Autònom Per la Societat de la Informació)
> c/ Assalt, 12
> 43003 - Tarragona
> Tef.: 977.244.007 - Fax: 977.224.517
> e-mail: drubio a oasi.org
> ********************************************************
>
>
>
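The exchange above turns on the difference between a rule that counts prior events (if_matched_sid plus frequency/timeframe) and a rule that only chains to a parent on the same event (if_sid). The following Python is an added toy model written for this archive page, not OSSEC's analysisd, to make that difference visible on a handful of constructed qmail deferral lines in the tai64nlocal format shown in the thread. It assumes a simplified sliding-window count (the rule fires once `frequency` matches of the referenced sid fall inside `timeframe` seconds, then the window is reset) and that a frequency rule with no if_matched_sid has nothing to count and therefore never fires, which is the silent behaviour Daniel Rubio reports for both of his attempts. Rule ids, patterns, frequency and timeframe values are those from the thread; the log lines and helper names (`Engine`, `alerts`, `parse_ts`) are constructed.

```python
"""Toy model of OSSEC-style frequency/timeframe correlation (added example,
not OSSEC's own engine).

  * a rule with <match> fires on a single line;
  * a rule with <if_sid> is a child rule evaluated against the same event;
  * a rule with <if_matched_sid> + frequency/timeframe counts earlier matches
    of the referenced sid and fires once `frequency` of them fall inside
    `timeframe` seconds (simplified window; the window resets after firing).

Assumption taken from the thread's report: a frequency rule without an
if_matched_sid has no history to count against and never fires.
"""
from collections import defaultdict, deque
from datetime import datetime


def parse_ts(line):
    """Parse the tai64nlocal prefix 'YYYY-MM-DD HH:MM:SS.nnnnnnnnn ...'."""
    date, clock = line.split(" ", 2)[:2]
    sec, frac = clock.split(".")
    # datetime only carries microseconds; truncate the 9-digit fraction.
    return datetime.strptime(f"{date} {sec}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


class Engine:
    """Evaluates an ordered rule list, keeping per-sid match history."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)  # sid -> timestamps of past matches

    def feed(self, line):
        """Return the ids of every rule that fires on this line."""
        ts = parse_ts(line)
        fired = []
        for rule in self.rules:
            if "match" in rule and rule["match"] not in line:
                continue
            # if_sid: parent must have matched this same event.
            if "if_sid" in rule and rule["if_sid"] not in fired:
                continue
            if "frequency" in rule:
                parent = rule.get("if_matched_sid")
                if parent is None or parent not in fired:
                    continue  # nothing to count against (thread's silent case)
                window = self.history[parent]
                while window and (ts - window[0]).total_seconds() > rule["timeframe"]:
                    window.popleft()  # drop matches outside the timeframe
                if len(window) < rule["frequency"]:
                    continue
                window.clear()  # reset so the alert is not repeated per event
            fired.append(rule["id"])
            self.history[rule["id"]].append(ts)
        return fired


def alerts(rules, lines):
    """Run `lines` through the rules; return (line_index, sid, level) for
    every firing whose level is above 0 (level 0 is a silent base rule)."""
    levels = {r["id"]: r["level"] for r in rules}
    engine = Engine(rules)
    return [(i, sid, levels[sid])
            for i, line in enumerate(lines)
            for sid in engine.feed(line)
            if levels[sid] > 0]


PATTERN = "t_able_to_establish_an_SMTP_connection._(#4.4.1)"

# Daniel Cid's corrected pair: base rule + if_matched_sid correlation rule.
RULES_FIXED = [
    {"id": 81010, "level": 0, "match": PATTERN},
    {"id": 81011, "level": 10, "frequency": 3, "timeframe": 60, "if_matched_sid": 81010},
]
# Daniel Rubio's second attempt: if_sid cannot drive a frequency count.
RULES_IF_SID = [
    {"id": 81010, "level": 0, "match": PATTERN},
    {"id": 81011, "level": 10, "frequency": 3, "timeframe": 60, "if_sid": 81010},
]

DEFERRAL = "deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/"
# Constructed sample log (tai64nlocal output): three deferrals within 45 s,
# one unrelated success line, then a lone deferral 25 minutes later.
LOG = [
    "2007-10-10 11:04:35.314480500 delivery 5263203: " + DEFERRAL,
    "2007-10-10 11:04:50.100000000 delivery 5263204: " + DEFERRAL,
    "2007-10-10 11:05:02.000000000 delivery 5263205: success: did_0+0+1/",
    "2007-10-10 11:05:20.000000000 delivery 5263206: " + DEFERRAL,
    "2007-10-10 11:30:00.000000000 delivery 5263207: " + DEFERRAL,
]

if __name__ == "__main__":
    print("if_matched_sid:", alerts(RULES_FIXED, LOG))   # fires on line 3
    print("if_sid:        ", alerts(RULES_IF_SID, LOG))  # never fires
```

Running it shows the corrected rule set raising one level-10 alert on the fourth line (the third deferral inside 60 seconds) and staying quiet on the isolated deferral at 11:30, while the if_sid variant never alerts at all. The timestamp parser also confirms that the tai64nlocal format itself is not the obstacle: the date and time parse cleanly once the nanosecond fraction is truncated.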
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.