On Mon, Nov 26, 2018 at 6:14 AM Brian Candler <b.cand...@pobox.com> wrote:
>
> Hi,
>
> I'm looking for some clarification in the documentation for rules.
>
> 1. I've seen some examples where a single rule has multiple <match> elements.
> Is the rule triggered if only one matches, or do they all have to match?
>
In this case it's an OR.

<match>terminated without error|can't verify hostname: getaddrinfo|</match>
<match>PPM exceeds tolerance</match>

The "|" at the end of the first <match> makes it an OR. I think if there is no "|" in there, it's an AND.

> 2. There are srcip and dstip matches, but is it possible to match on srcip
> "a.a.a.a/A or b.b.b.b/B or c.c.c.c/C" without writing out the same rule
> multiple times? If I put multiple <srcip> blocks, do they all have to match,
> or just one? What about combining positive with negative, e.g.
>
> <srcip>10.0.0.0/8</srcip>
> <srcip>!10.10.10.0/24</srcip>
>

I believe it's a literal match. You'd have to get into CDB checks to match on an IP within a CIDR.

> Application: I'm not interested in firewall deny logs for "outside to inside"
> connection attempts - these are just script kiddies who are blocked anyway -
> but I am very interested in firewall deny logs for "inside to outside"
> connection attempts. And to do that, I need to have rules which match on
> several address blocks (internal private IPv4, or public IPv4, or IPv6).
>
> Ideally I'd like to have a named set of IP blocks - which might be possible
> using lists except I don't want to have to list every single IP address
> individually, which isn't possible with IPv6 anyway. (Perhaps what I want
> would be similar to exim's iplsearch option)
>
> 3. When using the accumulate option, what is it that triggers the end of the
> accumulated set of lines and causes them to be further processed? Does it
> only join adjacent log messages, or does it join related messages by ID?
>
> For example, if I'm parsing Exim log messages which include the message ID,
> is this feature intended to link together each of the log messages relating
> to the delivery of a particular E-mail? Or is it just to join together log
> messages which have been split over multiple lines at the source?
>

I think it combines log messages with matching IDs, but I haven't messed with it.

> Thanks,
>
> Brian.
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
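Added example (not from either poster and not OSSEC's own rule engine): the "named set of IP blocks" classification Brian describes, done outside the rule language with Python's standard `ipaddress` module. It keeps a named positive set (private IPv4 plus an IPv6 prefix) with a negated sub-block, the `10.0.0.0/8` minus `!10.10.10.0/24` case from the question, and runs it over constructed iptables-style deny lines to keep only inside-to-outside denies. The block names (`INSIDE`, `INSIDE_EXCEPT`), the `DENY ... SRC= DST=` line format and every address in the samples are assumptions made for the example; substitute your own.

```python
import ipaddress
import re

# Named sets of address blocks. Constructed for this example (RFC 1918
# space plus a documentation IPv6 prefix); substitute your own networks.
INSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "2001:db8:1::/48",
)]

# Sub-blocks carved out of INSIDE, the "!10.10.10.0/24" case from the
# question: an address here is treated as NOT inside even though it
# falls within 10.0.0.0/8.
INSIDE_EXCEPT = [ipaddress.ip_network("10.10.10.0/24")]


def in_set(addr, blocks):
    """True if addr falls inside any block of the named set.

    ipaddress treats IPv4 and IPv6 alike; an address of the other family
    is simply not contained in a network, so mixed-family sets are safe.
    Raises ValueError if addr is not a valid address.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in blocks)


def is_inside(addr):
    """Positive set minus the negated sub-blocks."""
    return in_set(addr, INSIDE) and not in_set(addr, INSIDE_EXCEPT)


# Assumed iptables/netfilter-style deny line; SRC=/DST= are what we key on.
DENY_RE = re.compile(r"\bDENY\b.*?\bSRC=(\S+)\s+DST=(\S+)")


def classify(line):
    """Return the direction of a firewall deny, or None for non-deny lines.

    One of "inside_to_outside", "outside_to_inside", "other" (both or
    neither side inside) or "invalid" (address field is not an address).
    """
    m = DENY_RE.search(line)
    if not m:
        return None
    src, dst = m.groups()
    try:
        src_in, dst_in = is_inside(src), is_inside(dst)
    except ValueError:
        # Flag unparseable address fields instead of silently dropping the
        # line, so a log-format change or parser regression gets noticed.
        return "invalid"
    if src_in and not dst_in:
        return "inside_to_outside"
    if dst_in and not src_in:
        return "outside_to_inside"
    return "other"


def interesting(lines):
    """Keep only the denies the question cares about: inside -> outside."""
    return [line for line in lines if classify(line) == "inside_to_outside"]


# Constructed sample log lines (not real traffic), one per case.
SAMPLE_LINES = [
    "Nov 26 06:14:01 fw kernel: DENY IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Nov 26 06:14:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=4444",
    "Nov 26 06:14:03 fw kernel: DENY IN=eth1 OUT=eth0 SRC=2001:db8:1::10 DST=2001:db8:2::1 PROTO=UDP DPT=53",
    "Nov 26 06:14:04 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.10.10.5 DST=198.51.100.7 PROTO=TCP DPT=80",
    "Nov 26 06:14:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=443",
    "Nov 26 06:14:06 fw kernel: DENY IN=eth1 OUT=eth0 SRC=not-an-ip DST=198.51.100.7 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "|", line)
    print("inside-to-outside denies:", len(interesting(SAMPLE_LINES)))
```

The negation is applied as "positive set minus excepted sub-blocks", which is the only reading under which `10.0.0.0/8` together with `!10.10.10.0/24` is useful; the excepted source in the fourth sample line therefore classifies as "other" rather than as an inside-to-outside deny. The "invalid" result exists so that a format change upstream does not quietly turn the filter into a no-op.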