In message <[email protected]>,
antonin mora writes:
>When I receive an alert, I would like to write to a log file:
>
>_ OK the first time I reach the threshold during the window
>_ NOK at other times
>
>My rules look like:
>
>type=SingleWithThreshold
>continue=TakeNext
>ptype=regexp
>pattern=.*
>desc=FREQUENCY
>action=write output.txt "OK";\
>        create downContextFrequency;
>window=30
>thresh=3
>
>type=Single
>continue=TakeNext
>ptype=regexp
>pattern=.*
>context=!downContextFrequency
>desc=FREQUENCY
>action=write output.txt "NOK";
>
>type=Single
>continue=TakeNext
>ptype=regexp
>pattern=.*
>context=downContextFrequency
>desc=FREQUENCY
>action=delete downContextFrequency
>
>
>It works, but do you have any other/better ideas to do that (with
>fewer than three rules)?

No, that's how I would do it. One thing I would suggest is changing
the desc field and making it unique for each of the three rules. It
makes looking at the event count info in a SEC dump much easier.

>I tried to use the parameter continue="Goto x" but with the rule
>SingleWithThreshold, goto is used each time the pattern matches (and not
>when the threshold is reached).

That's what I would expect it to do. Goto is a directive that always
applies if the pattern (and context) matches (i.e. the rule fires to
update any correlations). I may be able to see a case for a continue2
that applies only after the threshold has been reached and the
event arrives during the active window, but....

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
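As an added illustration (this is not code from the poster or from SEC itself), the model below replays a list of timestamped events through the three quoted rules and returns what the two write actions would put in output.txt. It assumes a simplified reading of SingleWithThreshold: the action fires once when thresh events fall inside window seconds, later events are absorbed until that window closes, and a window that closes below the threshold slides forward.

```python
from collections import deque

# Values taken from the posted rules.
WINDOW = 30      # seconds
THRESH = 3
CONTEXT = "downContextFrequency"


def correlate(events):
    """Replay (timestamp, line) pairs through the three rules and return the
    strings the 'write output.txt' actions would emit, in order.

    Assumption (simplified model, not SEC's own implementation): rule 1 counts
    events in a window anchored at the earliest counted event; stale events
    fall out of the front of the window; once THRESH is reached the action runs
    once and further events are absorbed until the window closes. Every rule
    uses continue=TakeNext and pattern=.*, so every event visits all three.
    """
    written = []
    contexts = set()
    seen = deque()          # timestamps inside the current counting window
    fired = False           # threshold already reached in this operation
    window_start = None

    for ts, _line in events:
        # rule 1: SingleWithThreshold
        if fired and ts - window_start >= WINDOW:
            seen.clear()    # operation finished; this event starts a new one
            fired = False
        if not fired:
            while seen and ts - seen[0] >= WINDOW:
                seen.popleft()              # slide the window past stale events
            seen.append(ts)
            if len(seen) >= THRESH:
                written.append("OK")
                contexts.add(CONTEXT)
                fired, window_start = True, seen[0]
        # rule 2: Single with context=!downContextFrequency
        if CONTEXT not in contexts:
            written.append("NOK")
        # rule 3: Single with context=downContextFrequency
        if CONTEXT in contexts:
            contexts.discard(CONTEXT)
    return written


if __name__ == "__main__":
    # Constructed sample: four alerts in quick succession, then one much later.
    print(correlate([(0, "a"), (1, "b"), (2, "c"), (3, "d"), (40, "e")]))
```

Replaying the rules this way also makes visible that rule 3 deletes the context in the same pass in which rule 1 created it, so only the event that crosses the threshold escapes the NOK.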

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users