[ossec-list] Re: Regex Help
Daniel,
Thank you very much for your reply!! I have everything working
properly now.
On Sep 16, 10:37 pm, "Daniel Cid" <daniel....@xxxxxxxxx> wrote:
> Hi,
>
> A few suggestions to make it work:
>
> 1- Simplify your match (taken from David's reply): If you are looking
> for a word, just use "match" (much faster):
>
> <match>Duplicate TCP SYN from</match>
>
> 2- A better solution would be to use the pix ID that you want:
>
> <id>^4-419002</id>
>
> 3- Do not write ignore rules based on correlations. If you look at
> rule "4383", it will alert on multiple warning messages from the PIX
> (id 4313). Just ignoring the 4313 instead of the 4383 will be much
> cleaner...
>
> 4- This log is not being decoded by the pix decoder, so you can't use
> the srcip/dstip options.
>
> My suggestion would be:
>
> <rule id="100002" level="0">
> <if_sid>4313</if_sid>
> <id>^4-419002</id>
> <regex>from inside:xxx.xxx.xxx.xxx</regex>
> <description>Rule that will ignore Duplicate</description>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/14/07, mcamacho75 <mcamach...@xxxxxxxxx> wrote:
>
> > I appreciate greatly your suggestion but it doesn't appear to be
> > working. I implemented the following rule:
>
> > <rule id="100002" level="0">
> > <if_sid>4383</if_sid>
> > <srcip>xxx.xxx.xxx.xxx</srcip>
> > <match>Duplicate TCP SYN</match>
> > <description>Rule that will ignore Duplicate</description>
> > <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > </rule>
>
> > I purposely left out the srcport portion because the source port in
> > this case is dynamic. I also tried using a regex rule and couldn't
> > get it to work that way either. I will keep working on it but in the
> > meantime I welcome any additional suggestions. If I am able to come
> > up with a working rule I will be sure to post it.
>
> > Thanks again!!
>
> > On Sep 14, 1:37 pm, David Williams <davew...@xxxxxxxxxxxx> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
>
> > > I think you're on the right path but OSSEC has already parsed the
> > > log entry (to extract source and destination IPs) so you may need
> > > something more like this (of course, I'm not able to test this):
>
> > > <rule id="100002" level="0">
> > > <if_sid>4383</if_sid>
> > > <srcip>xxx.xxx.xxx.xxx</srcip>
> > > <srcport>9200</srcport>
> > > <match>Duplicate TCP SYN</match>
> > > <description>Rule that will ignore Duplicate</description>
> > > <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > > </rule>
>
> > > -David
>
> > > mcamacho75 wrote:
> > > > I am trying to create a rule that will prevent email notifications for
> > > > the following alert but can't seem to make it work. Below is an
> > > > example of the email I would like to ignore:
>
> > > > Received From: ktwapp-8->172.16.230.10
> > > > Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
> > > > Portion of the log(s):
>
> > > > %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
> > > > inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
>
> > > > I have created the following rule within the local_rules.xml file but
> > > > it doesn't seem to have any effect:
>
> > > > <rule id="100002" level="0">
> > > > <if_sid>4383</if_sid>
> > > > <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+</regex>
> > > > <description>Rule that will ignore Duplicate</description>
> > > > <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > > > </rule>
>
> > > > Any help in figuring out what I am doing wrong would be greatly
> > > > appreciated. Thanks
>
> > > --
> > > _______________________________________________
> > > GPG (http://www.gnupg.org/) key available from: http://www.kayakero.net/per/david/
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.7 (GNU/Linux)
> > > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> > > iD8DBQFG6sbwCzuSgviBh00RAqwMAJ457KEQzSb7ftBmvqOwqL9S01c/MwCeKwUu
> > > vagr2zymjcDFGCsAZE7P8fU=
> > > =oS2U
> > > -----END PGP SIGNATURE-----
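The script below is an added example, not part of this thread and not OSSEC's own code. It models the rule options discussed above (match, regex, id, srcip, srcport) together with an approximation of OSSEC's own pattern dialect (\w, \d, \s, \p, \. as classes, + and * as the only quantifiers, a bare "." as a literal period), and evaluates the three rules proposed in the thread against a constructed copy of the quoted %ASA-4-419002 line. The addresses are made up (10.0.0.5 stands in for xxx.xxx.xxx.xxx), and the decoded event carries only the message id, following Daniel's point that the pix decoder does not supply srcip/dstip for this message; the class table and that decoder behaviour are assumptions, so check them against your own decoder.xml and the OSSEC regex documentation before relying on them.

```python
import re

# Constructed sample, modelled on the %ASA-4-419002 line quoted in the
# thread, with the masked xxx.xxx.xxx.xxx addresses replaced by made-up
# RFC 1918 addresses.
SAMPLE_LOG = ("%ASA-4-419002: Duplicate TCP SYN from inside:10.0.0.5/9200 "
              "to inside:10.0.0.9/1170 with different initial sequence number")

# Approximation of the OSSEC (os_regex) pattern dialect. Assumption: the
# table follows the documented syntax; a bare '.' is a literal period and
# '\.' is the wildcard, which is the reverse of PCRE.
_OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex>/<id> pattern into a Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_CLASSES:
            out.append(_OSSEC_CLASSES[pattern[i + 1]])
            i += 2
        elif ch in "+*^$|()":      # the only metacharacters os_regex keeps
            out.append(ch)
            i += 1
        else:                      # everything else, '.' included, is literal
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def ossec_search(pattern, text):
    """Unanchored search, like OSSEC: use ^ / $ in the pattern to anchor."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


def rule_matches(rule, event):
    """Evaluate the rule options used in the thread against one decoded event.

    rule:  dict of option name -> value, e.g. {"id": "^4-419002", "regex": ...}
    event: dict with "log" (raw line) plus whatever the decoder extracted
           ("id", "srcip", "srcport"). A field the decoder did not extract is
           absent, so an option that needs it cannot match.
    Every option listed in the rule must hold (OSSEC ANDs a rule's options).
    <match> is treated as a plain substring test here.
    """
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    if "regex" in rule and not ossec_search(rule["regex"], event["log"]):
        return False
    if "id" in rule and not ossec_search(rule["id"], event.get("id", "")):
        return False
    if "srcip" in rule and event.get("srcip") != rule["srcip"]:
        return False
    if "srcport" in rule and event.get("srcport") != rule["srcport"]:
        return False
    return True


# What the pix decoder hands the rule engine for this line (assumption,
# following Daniel's point 4: the message id is decoded, srcip/dstip are not).
EVENT_ID_ONLY = {"log": SAMPLE_LOG, "id": "4-419002"}

RULES = {
    # the original poster's regex, xxx placeholders filled in with 10.0.0.5
    "original regex": {"regex": r"\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:10\p.0\p.0\p.5\.+"},
    # David's suggestion, which depends on decoded srcip/srcport
    "srcip + match": {"srcip": "10.0.0.5", "srcport": "9200",
                      "match": "Duplicate TCP SYN"},
    # Daniel's suggestion: decoded id plus a literal regex
    "id + regex": {"id": "^4-419002", "regex": "from inside:10.0.0.5"},
}


def evaluate_thread_rules(event=EVENT_ID_ONLY):
    """Return {rule name: matched?} for the three rules from the thread."""
    return {name: rule_matches(rule, event) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_thread_rules().items():
        print(f"{name:15s} -> {'match' if hit else 'no match'}")
```

Run as-is, only Daniel's id + regex rule matches: the original regex needs two characters between "inside" and the first octet (a punctuation character for \p, then the literal ":"), and the srcip rule has no decoded source address to compare against. Passing an event that does carry srcip and srcport shows David's rule would have worked had the decoder supplied those fields.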
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.