Daniel, Thank you very much for your reply!! I have everything working properly now.
On Sep 16, 10:37 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> A few suggestions to make it work:
>
> 1- Simplify your match (taken from David's reply): If you are looking
> for a word, just use "match" (much faster):
>
> <match>Duplicate TCP SYN from</match>
>
> 2- A better solution would be to use the pix ID that you want:
>
> <id>^4-419002</id>
>
> 3- Do not write ignore rules based on correlations. If you look at
> rule "4383", it will alert on multiple warning messages from the PIX
> (id 4313). Just ignoring the 4313 instead of the 4383 will be much
> cleaner...
>
> 4- This log is not being decoded by the pix decoder, so you can't use
> the srcip/dstip options.
>
> My suggestion would be:
>
> <rule id="100002" level="0">
>   <if_sid>4313</if_sid>
>   <id>^4-419002</id>
>   <regex>from inside:xxx.xxx.xxx.xxx</regex>
>   <description>Rule that will ignore Duplicate</description>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/14/07, mcamacho75 <[EMAIL PROTECTED]> wrote:
> > I appreciate greatly your suggestion but it doesn't appear to be
> > working. I implemented the following rule:
> >
> > <rule id="100002" level="0">
> >   <if_sid>4383</if_sid>
> >   <srcip>xxx.xxx.xxx.xxx</srcip>
> >   <match>Duplicate TCP SYN</match>
> >   <description>Rule that will ignore Duplicate</description>
> >   <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > </rule>
> >
> > I purposely left out the srcport portion because the source port in
> > this case is dynamic. I also tried using a regex rule and couldn't
> > get it to work that way either. I will keep working on it but in the
> > meantime I welcome any additional suggestions. If I am able to come
> > up with a working rule I will be sure to post it.
> >
> > Thanks again!!
> > > On Sep 14, 1:37 pm, David Williams <[EMAIL PROTECTED]> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > I think you're on the right path but OSSEC has already parsed the
> > > log entry (to extract source and destination IPs) so you may need
> > > something more like this (of course, I'm not able to test this):
> > >
> > > <rule id="100002" level="0">
> > >   <if_sid>4383</if_sid>
> > >   <srcip>xxx.xxx.xxx.xxx</srcip>
> > >   <srcport>9200</srcport>
> > >   <match>Duplicate TCP SYN</match>
> > >   <description>Rule that will ignore Duplicate</description>
> > >   <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > > </rule>
> > >
> > > -David
> > >
> > > mcamacho75 wrote:
> > > > I am trying to create a rule that will prevent email notifications for
> > > > the following alert but can't seem to make it work. Below is an
> > > > example of the email I would like to ignore:
> > > >
> > > > Received From: ktwapp-8->172.16.230.10
> > > > Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
> > > > Portion of the log(s):
> > > >
> > > > %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
> > > > inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
> > > >
> > > > I have created the following rule within the local_rules.xml file but
> > > > it doesn't seem to have any effect:
> > > >
> > > > <rule id="100002" level="0">
> > > >   <if_sid>4383</if_sid>
> > > >   <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+</regex>
> > > >   <description>Rule that will ignore Duplicate</description>
> > > >   <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > > > </rule>
> > > >
> > > > Any help in figuring out what I am doing wrong would be greatly
> > > > appreciated.
> > > >
> > > > Thanks
> > >
> > > - --
> > > _______________________________________________
> > > GPG (http://www.gnupg.org/) key available
> > > from: http://www.kayakero.net/per/david/
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.7 (GNU/Linux)
> > > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> > >
> > > iD8DBQFG6sbwCzuSgviBh00RAqwMAJ457KEQzSb7ftBmvqOwqL9S01c/MwCeKwUu
> > > vagr2zymjcDFGCsAZE7P8fU=
> > > =oS2U
> > > -----END PGP SIGNATURE-----
