On Wed, 5 Sep 2012, mindman101 wrote:

Hello Sec users,

I've written two PairWithWindow rules that just differ in the order they match 
events.

The first rule waits for a first event like this:

     Link down on interface FastEthernet and ip 10.10.10.10

and waits for a second event until 10 seconds. For example:

     Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11

On the other hand, the second rule is almost the same as the first, just in a 
switched order; I mean, it waits for a first event like this:

     Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11

and a second one until 10 seconds like this one:

     Link down on interface FastEthernet and ip 10.10.10.10

Both rules work perfectly in separate config files, but when I put them together in 
the same config file, just the first one works as expected.

Do you have any idea of this misleading behavior?

My guess is that you are being tripped up by the fact that by default the first rule that matches ends processing of that log message.

Try adding

continue=takenext

to the first rule and see if that works.

David Lang
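
An added example, not part of the original thread and not the poster's actual rules: a single SEC rule file holding both PairWithWindow rules, with `continue=takenext` on the first so that a "Link down" line is still passed on to the second rule. The patterns are built from the sample events quoted above; the `desc` strings and `write` actions are assumptions.

```conf
# Rule 1: "Link down" first, then "Ospf ... changed neighbor" for the same
# device within 10 seconds.
# continue=takenext lets a "Link down" line that starts this rule's window
# continue on to rule 2, where it may be the second event of a pair.
# In desc2/action2, %N refers to pattern variables and $N to pattern2 ones.
type=PairWithWindow
continue=takenext
ptype=RegExp
pattern=Link down on interface (\S+) and ip ([\d.]+)
desc=link down on $2 without ospf change
action=write - Link down on $1 ($2), no OSPF change within 10s
ptype2=RegExp
pattern2=Ospf on device $2 has changed neighbor ([\d.]+)
desc2=link down on %2 followed by ospf change
action2=write - Link down on %1 (%2) followed by OSPF neighbor change $1
window=10

# Rule 2: same pair in the opposite order, "Ospf" first, then "Link down".
# Its pattern2 only gets to see "Link down" lines because rule 1 above
# does not end processing when its own pattern matches.
type=PairWithWindow
ptype=RegExp
pattern=Ospf on device ([\d.]+) has changed neighbor ([\d.]+)
desc=ospf change on $1 without link down
action=write - OSPF neighbor $2 changed on $1, no link down within 10s
ptype2=RegExp
pattern2=Link down on interface (\S+) and ip $1
desc2=ospf change on %1 followed by link down
action2=write - OSPF neighbor %2 changed on %1 followed by link down on $1
window=10
```

With `continue=takenext` on rule 1, a "Link down" line that arrives after an "Ospf" line both completes rule 2's pair and opens a new rule 1 window, so expect rule 1's `action` to fire 10 seconds later unless the two cases are separated with contexts.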
------------------------------------------------------------------------------

Live Security Virtual Conference

Exclusive live event will cover all the ways today's security and 

threat landscape has changed and how IT managers can respond. Discussions 

will include endpoint security, mobile security and the latest in malware 

threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________

Simple-evcorr-users mailing list

Simple-evcorr-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
