I think you're on the right path but OSSEC has already parsed the
log entry (to extract source and destination IPs) so you may need
something more like this (of course, I'm not able to test this):
<rule id="100002" level="0">
  <if_sid>4383</if_sid>
  <srcip>xxx.xxx.xxx.xxx</srcip>
  <srcport>9200</srcport>
  <match>Duplicate TCP SYN</match>
  <description>Rule that will ignore Duplicate TCP SYN from IP xxx.xxx.xxx.xxx</description>
</rule>
-David
mcamacho75 wrote:
> I am trying to create a rule that will prevent email notifications for
> the following alert but can't seem to make it work. Below is an
> example of the email I would like to ignore:
>
> Received From: ktwapp-8->172.16.230.10
> Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
> Portion of the log(s):
>
> %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
> inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
>
> I have created the following rule within the local_rules.xml file but
> it doesn't seem to have any effect:
>
> <rule id="100002" level="0">
> <if_sid>4383</if_sid>
> <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+</regex>
> <description>Rule that will ignore Duplicate</description>
> <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> </rule>
>
> Any help in figuring out what I am doing wrong would be greatly
> appreciated. Thanks
>
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
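To illustrate the point David makes above (OSSEC decodes srcip/srcport before rules run, so a child rule should test those fields rather than re-parse the line), here is an added Python model of that evaluation; it is not OSSEC's code and not from the thread. The decoder regex, the sample log line and the 192.0.2.x addresses (in place of the xxx.xxx.xxx.xxx placeholders) are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed decoder standing in for OSSEC's PIX/ASA decoder: it pulls
# srcip/srcport/dstip/dstport out of the message before any rule runs.
ASA_419002 = re.compile(
    r"Duplicate TCP SYN from \w+:(?P<srcip>[\d.]+)/(?P<srcport>\d+)"
    r" to \w+:(?P<dstip>[\d.]+)/(?P<dstport>\d+)"
)

# David's rule, with a constructed address (192.0.2.10) in place of the
# xxx.xxx.xxx.xxx placeholder used in the thread.
RULE_XML = """
<rule id="100002" level="0">
  <if_sid>4383</if_sid>
  <srcip>192.0.2.10</srcip>
  <srcport>9200</srcport>
  <match>Duplicate TCP SYN</match>
  <description>Ignore duplicate TCP SYN from 192.0.2.10</description>
</rule>
"""

# Constructed log line in the format quoted in the thread.
SAMPLE = ("%ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.10/9200 "
          "to inside:192.0.2.20/1170 with different initial sequence number")

def decode(line):
    """Return the decoded fields (plus the raw log) OSSEC attaches to an event."""
    m = ASA_419002.search(line)
    fields = m.groupdict() if m else {}
    fields["log"] = line
    return fields

def rule_matches(rule_xml, event, parent_sid):
    """Evaluate the child rule the way OSSEC does: srcip/srcport/dstip/dstport
    compare against decoded fields; <match> is modelled as a substring test
    on the raw log (OSSEC's real <match> uses its simplified pattern syntax)."""
    rule = ET.fromstring(rule_xml)
    if rule.findtext("if_sid") != str(parent_sid):
        return False  # only fires as a child of the rule named in <if_sid>
    for tag in ("srcip", "srcport", "dstip", "dstport"):
        want = rule.findtext(tag)
        if want is not None and event.get(tag) != want:
            return False  # condition present in the rule but not met by the event
    needle = rule.findtext("match")
    return needle is None or needle in event["log"]
```

`rule_matches(RULE_XML, decode(SAMPLE), 4383)` returns True, and changing the source address or port in the log makes it return False; that is the difference between matching on decoded fields and the raw-text regex in the original rule.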