[ Long read below.  I don't mean to hijack Hari's thread.  Please reply with
"Subject:  SEC DB" or something similar if you are replying to this thread.]
 
Hi Hari,
 
I'm having this exact problem, though only with a couple of hundred SEC rules,
not thousands.
 
I'm even convinced that the problem extends earlier than matching.  How do I
know whether a new rule I'm about to implement isn't already matching some other
rule?  It's possible I'm duplicating earlier effort without realizing it, or
perhaps the rule matches in a way I didn't intend when I wrote the regex.
 
I'd be interested to hear from others about a possible solution for a SEC
rules database generator.  Something along the lines of:
 
  - DB contains rules and meta data (device type, security category, etc.)
  - DB provides a mechanism to search for a regex match
  - DB provides the ability to automatically generate SEC rules file(s)
  - DB provides an action meta tag that can be used to identify the match
 
Has anyone done any work in this area?  I started a simple SQLite schema about
a month ago, but had to abandon it due to time pressures.  My intention was to
load all my rules and create some simple SQL scripts to generate a SEC rules file.
 
Anyway, your thoughts and suggestions are welcome...
 
Jim B.
 
Apologies to Hari!
 

________________________________

From: Hari Sekhon [mailto:hpsek...@googlemail.com]
Sent: Mon 4/27/2009 12:28 PM
To: 'simple-evcorr-users@lists.sourceforge.net'
Subject: [Simple-evcorr-users] Tracking down alert matching rules/Color/Bold
Hi,

   I have an extensive monitoring and alerting infrastructure which uses
Sec for part of the alerting but I am getting some alerts and having
trouble tracking down which of the thousands of sec event correlation
rules I have written are responsible for this particular alert.

I am getting emails regarding this alert, so it would be nice if it were
possible to colorize the alert message in a similar way to how grep can
colorize the part of the string that the regex has matched. Bolding it
is also a possibility I am considering instead of using colour (perhaps
an even better idea).

Is this something we should have a function for or can I simply write
some Perl to mangle the message itself before outputting it for email?

I have also considered the security ramifications of the contents of the
string and I've already written defenses for anti-log-analysis type
attacks such that the string will never be handled in an unsafe manner
at any stage in its journey, so I can output any arbitrary string
without worrying about it. I would have to make sure that any Perl I
write will itself not be susceptible to any mischief.

Does anyone have a view on the best way of doing this or if this should
be a feature request of some sort?

-h

--
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon
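As an added example, not code from either post or from SEC itself: a small Python (rather than Perl) script that keeps a rule inventory with meta data, reports which existing rules already fire on the sample lines a candidate regex matches (Jim's overlap question), and marks the span a given rule matched with plain-text markers that survive email (Hari's grep-style highlighting). The rule ids, sample log lines and the `>>>`/`<<<` markers are constructed for this example; SEC uses Perl regexes, so patterns may need adjusting before they go into a real rules file.

```python
import re

# Constructed SEC-style rule inventory with meta data (not from the thread).
# Patterns use Python re syntax; SEC itself uses Perl regexes, which differ in places.
RULES = [
    {"id": "ssh-fail", "device": "linux", "category": "auth",
     "pattern": r"sshd\[\d+\]: Failed password for (\S+) from (\S+)"},
    {"id": "ssh-any", "device": "linux", "category": "auth",
     "pattern": r"sshd\[\d+\]: "},
    {"id": "sudo-cmd", "device": "linux", "category": "priv",
     "pattern": r"sudo:\s+(\S+) : .*COMMAND=(.+)"},
]

# Constructed sample log lines used to probe the rule set.
SAMPLES = [
    "Apr 27 12:28:01 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 5123 ssh2",
    "Apr 27 12:28:02 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/id",
]

def compile_rules(rules):
    """Compile each pattern once, naming the offending rule if a regex will not compile."""
    compiled = []
    for r in rules:
        try:
            compiled.append((r, re.compile(r["pattern"])))
        except re.error as exc:
            raise ValueError(f"rule {r['id']}: bad regex ({exc})") from exc
    return compiled

def matching_rules(compiled, line):
    """Ids of every rule whose regex fires on the line, in rule-file order."""
    return [r["id"] for r, rx in compiled if rx.search(line)]

def overlaps(compiled, candidate, samples):
    """Map each sample line the candidate matches to the existing rules that also match it."""
    cand = re.compile(candidate)
    return {line: matching_rules(compiled, line)
            for line in samples if cand.search(line)}

def highlight(compiled, rule_id, line, start=">>>", end="<<<"):
    """Mark the span that rule_id matched, grep --color style, with plain-text markers.
    The log text is untrusted: it is only sliced and concatenated, never interpreted."""
    rx = next(rx for r, rx in compiled if r["id"] == rule_id)
    m = rx.search(line)
    if m is None:
        return line
    return line[:m.start()] + start + m.group(0) + end + line[m.end():]

if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for line, ids in overlaps(compiled, r"Failed password for root", SAMPLES).items():
        print(f"candidate already covered by {ids}: {highlight(compiled, ids[0], line)}")
```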


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensign option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users