Risto,

Aha, thank you so much, I forgot this. I read all the docs, official and not, before starting with Sec but forgot about this bit; perhaps I read too much documentation...

Thanks again, I love Sec by the way...

-h

Risto Vaarandi wrote:
> Hari,
>
> the problem you have can be tackled in a simple way -- an appropriate value
> must be chosen for the 'desc' parameter of the SingleWithSuppress rule. Since
> you mentioned the problem of changing timestamps, I suppose that right now
> you probably have 'desc=$0' in your rule definition.
>
> Since the 'desc' parameter is evaluated for each matching event and forms the
> event correlation key, *and* $0 equals the entire matching line (including
> the timestamp!), the event correlation key will be different for each
> matching event. As a consequence, a new event correlation operation is
> started for each matching event, and thus no event suppression is done.
>
> If you would like to suppress repeated invalid user events for the same user
> name, use the following 'pattern' and 'desc':
>
> pattern=sshd\[\d+\]: Invalid user (\S+) from \S+
> desc=Failed login for user $1
>
> If you would like to suppress such events for all user names for a certain
> time frame, you could rewrite 'desc' as:
>
> desc=Failed logins for all users
>
> In that way, the event correlation key is constant for all "Invalid user"
> events, and all such events will be correlated by one operation only.
>
> Finally, the following section of the SEC man page describes the role of the
> 'desc' field in the event correlation process:
> http://kodu.neti.ee/~risto/sec/sec.pl.html#lbAT. Have a look at this, because
> it explains the relationship between rules and event correlation operations.
>
> hth,
> risto
>
>
>> From: Hari Sekhon <[EMAIL PROTECTED]>
>> Subject: [Simple-evcorr-users] Suppression doesn't work if event is slightly
>> differently timestamped.
>> To: [email protected]
>> Date: Monday, July 7, 2008, 8:14 AM
>>
>> Hi,
>>
>> I'm using Sec for event correlation and alerting and am finding
>> myself trying to figure out how to suppress similar but not
>> identical events.
>>
>> I have used SingleWithSuppress to suppress an event, but if
>> the event text is slightly different I find that it does not really
>> suppress it.
>>
>> eg.
>>
>> Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x
>>
>> will be suppressed but then
>>
>> Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x
>>
>> will not be, because the prefix timestamp has changed and made the log
>> event look different, so the action will apply to this, even if it is
>> within the suppression period of the first event of the same type.
>>
>> I figure I can add them to a context to store them like that, which I've
>> done, but I'd also like the ability to threshold or suppress for those
>> contexts as well, as I don't want that context to have too many entries
>> of the same event.
>>
>> Anybody got any ideas on this?
>>
>> -h
>>
>> --
>> Hari Sekhon
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

--
Hari Sekhon
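The behaviour Risto describes, as an added example that is not part of the thread and not SEC's own code: a small Python simulation of the SingleWithSuppress rule, run over constructed syslog lines, in which the expanded 'desc' string is the event correlation key. With desc=$0 every line is its own key (the timestamp is part of $0), so nothing is suppressed; with desc=Failed login for user $1 repeats for the same user inside the window are dropped; with a constant desc all "Invalid user" events share one operation. The window length (300 s), the year used for timestamp parsing and the sample IP addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Lines 1 and 2
# differ only by timestamp; line 4 for the same user is outside a 300 s window.
SAMPLE_LOG = """\
Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from 192.0.2.10
Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from 192.0.2.10
Jul 3 12:34:02 hostname sshd[4813]: Invalid user admin from 192.0.2.11
Jul 3 12:40:30 hostname sshd[4901]: Invalid user UserXYZ from 192.0.2.10
"""

# The 'pattern' from Risto's reply; group 1 captures the user name.
PATTERN = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from \S+")
# Syslog prefix "Mon D HH:MM:SS " (the year is absent, so one is assumed below).
TS_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) ")


def parse_ts(line, year=2008):
    """Parse the syslog timestamp prefix; the year is an assumption."""
    m = TS_RE.match(line)
    if m is None:
        raise ValueError("no syslog timestamp: " + line)
    return datetime.strptime(
        f"{year} {m[1]} {m[2]} {m[3]}:{m[4]}:{m[5]}", "%Y %b %d %H:%M:%S")


def expand_desc(desc, line, match):
    """Expand $0 (the whole matching line) and $1..$n (capture groups) in
    'desc', the way SEC builds the event correlation key."""
    def sub(m):
        n = int(m.group(1))
        return line if n == 0 else match.group(n)
    return re.sub(r"\$(\d+)", sub, desc)


def single_with_suppress(log, desc, window):
    """Simulate SingleWithSuppress: the first event for a correlation key
    fires the action and starts an operation lasting `window` seconds;
    later events with the same key while it runs are suppressed.
    Returns the list of keys for which the action fired, in order."""
    running = {}   # correlation key -> time the operation ends
    fired = []
    for line in log.splitlines():
        m = PATTERN.search(line)
        if m is None:
            continue                       # rule does not match this event
        now = parse_ts(line)
        key = expand_desc(desc, line, m)
        ends = running.get(key)
        if ends is not None and now < ends:
            continue                       # suppressed by the running operation
        running[key] = now + timedelta(seconds=window)
        fired.append(key)
    return fired


if __name__ == "__main__":
    for desc in ("$0", "Failed login for user $1", "Failed logins for all users"):
        keys = single_with_suppress(SAMPLE_LOG, desc, 300)
        print(f"desc={desc!r}: action fired {len(keys)} time(s)")
        for k in keys:
            print("   ", k)
```

Running it shows four actions for desc=$0 (no suppression at all), three for the per-user key (the 12:33:56 repeat is dropped, the 12:40:30 one fires again because the 300 s operation has ended) and two for the constant key. The same check applies to any SEC rule whose 'desc' contains $0 or another per-event field such as a PID or source port: whatever varies per line ends up in the key and defeats the suppression.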
