Thank you for taking the time to answer with examples, Pedro! One last related question if you don't mind? I am trying to wrap my head around a rule firing off after a simple bit of correlation. Is it possible? I know this is the job of the SIEM, but I am trying to get the SIEM to only correlate fired-upon alerts that are qualified by a mechanism first. So, for example, I would like a rule to fire on event 4567 that was followed by 4523, then followed by 4625 between 1 and 50 times, then a 4624... (when all these things match, the rule fires).
I see that rules have the ability of setting frequency and time frame, which would help me, though I am at a loss for the remainder of my needs. Seems an external script may be needed along with a sort of temporary repository. (I may be overthinking this and mucking it up.) What could you suggest?

V/R,
Rob B.

On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
>
> If you need to filter for one specific ID you need to use the *pipe |*
> option, I don't think you can use "," inside *<id></id>* tags to
> concatenate anything.
> The "," character will be treated like a string character, not a regex one, so
> it will try to match for *"IDNumber,"*.
>
> As you know, one example of this kind of rule is used on
> *msauth_rules.xml:*
>
> <rule id="18106" level="5">
>   <if_sid>18105</if_sid>
>   <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>   <description>Windows Logon Failure.</description>
>   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> </rule>
>
> This last one will work, and the following one WON'T work:
>
> <rule id="18106" level="5">
>   <if_sid>18105</if_sid>
>   <id>^529$,^530$,^531$,^532$,^533$</id>
>   <description>Windows Logon Failure.</description>
>   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> </rule>
>
> Regards,
>
> Pedro S.
>
> On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
>>
>> Heya Folks,
>>
>> I've been looking for the docs that explain the difference between the
>> use of the '|' and the ',' when specifying the id numbers within a rule. I
>> can't find anything that explains the use.
>>
>> Could someone explain to me the differences by way of use? Or provide a
>> link that I may have missed?
>>
>> Two arbitrary use case EXAMPLES of what I am after are:
>>
>> A.) Within sid 18103, look for id 12345 followed by 12346, followed by
>> 12347
>> B.) Within sid 18103, look for id 11234 and 11254
>>
>> Thank you!
>>
>> R.B.
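An added example, not from the thread and not OSSEC code, of the "external script with a temporary repository" Rob describes: a small Python correlator that tracks the ordered chain 4567, then 4523, then 4625 between 1 and 50 times, then 4624, per source, inside a time window, and emits an alert only when the whole chain completes. OSSEC's `frequency` and `timeframe` express "at least N matches of one rule within a window"; they do not express an ordered chain of different IDs with an upper bound, which is what this script adds. The event IDs and the 1..50 bound are the ones in Rob's question; keying the state on source IP, the 600-second window and the sample event stream are constructed assumptions.

```python
"""Ordered-sequence correlator for Windows event IDs (added example, not OSSEC code)."""
from dataclasses import dataclass

# The chain from the question: 4567, then 4523, then 4625 (1..50 times), then 4624.
FIRST, SECOND, REPEATED, FINAL = 4567, 4523, 4625, 4624
PATTERN_IDS = {FIRST, SECOND, REPEATED, FINAL}
MIN_REPEATS, MAX_REPEATS = 1, 50
TIMEFRAME = 600  # seconds the whole chain may span; constructed assumption


@dataclass
class _Chain:
    stage: int        # 1 = waiting for SECOND, 2 = counting REPEATED / waiting for FINAL
    started: float    # timestamp of the FIRST event
    repeats: int = 0  # REPEATED events seen so far


class SequenceCorrelator:
    """Keeps one partial chain per key (here: source IP) in an in-memory table."""

    def __init__(self, timeframe=TIMEFRAME):
        self.timeframe = timeframe
        self._chains = {}

    def feed(self, key, event_id, ts):
        """Consume one event; return an alert dict when the full chain completes."""
        if event_id not in PATTERN_IDS:
            return None  # unrelated event IDs neither advance nor break a chain
        chain = self._chains.get(key)
        if chain is not None and ts - chain.started > self.timeframe:
            del self._chains[key]  # window expired: forget the partial chain
            chain = None
        if event_id == FIRST:
            self._chains[key] = _Chain(stage=1, started=ts)  # (re)start the chain
            return None
        if chain is None:
            return None  # pattern event without an open chain: nothing to correlate
        if chain.stage == 1:
            if event_id == SECOND:
                chain.stage = 2
            else:
                del self._chains[key]  # out of order: drop the chain
            return None
        # stage 2: count REPEATED, finish on FINAL, anything else breaks the chain
        if event_id == REPEATED:
            chain.repeats += 1
            if chain.repeats > MAX_REPEATS:
                del self._chains[key]  # upper bound exceeded
            return None
        del self._chains[key]
        if event_id == FINAL and MIN_REPEATS <= chain.repeats <= MAX_REPEATS:
            return {"key": key, "repeats": chain.repeats, "duration": ts - chain.started}
        return None


# Constructed sample stream: (timestamp, key, event_id). Only 10.0.0.5 completes the chain.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", FIRST),
    (2, "10.0.0.9", FIRST),
    (5, "10.0.0.5", SECOND),
    (6, "10.0.0.5", 4688),       # unrelated ID, ignored
    (10, "10.0.0.5", REPEATED),
    (12, "10.0.0.9", REPEATED),  # out of order for 10.0.0.9: its chain is dropped
    (15, "10.0.0.5", REPEATED),
    (20, "10.0.0.5", REPEATED),
    (25, "10.0.0.5", FINAL),
    (30, "10.0.0.9", FINAL),
]


def run(events, timeframe=TIMEFRAME):
    """Feed a list of events through one correlator and collect the alerts."""
    correlator = SequenceCorrelator(timeframe)
    return [a for a in (correlator.feed(k, e, t) for t, k, e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The table of open chains is the "temporary repository"; expired entries are dropped lazily when the next event for that key arrives, so a long-running process should also sweep the table periodically. Feeding this script OSSEC's own alert output for the four IDs, rather than raw Windows logs, keeps the SIEM-side filtering Rob wants in front of the correlation.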