On 11/01/2013 03:44 PM, Rolf Nufable wrote:
> Well I have seen the dump file generated after sending a SIGUSR1 signal
> to SEC, the problem is that I can't identify which one here is the key
> for correlation..
>
> is this the one
>
> Rule 1 Line 5 matched 2 events ($0)

No, it's rather an entry that begins like this:

Key: test.sec | 0 | Repeated ssh probing of user adm2 from 10.1.1.1
Operation started at: Fri Nov 1 16:30:28 2013
Correlation window begins at: Fri Nov 1 16:30:28 2013
Correlation window ends at: Fri Nov 1 16:35:28 2013
Configuration file: test.sec
Rule number: 1
Rule internal ID: 0
Type: SingleWithThreshold
...
...

For each running event correlation operation, there is a similarly looking entry in the dump file. All the entries are coming after the line:

List of event correlation operations:
============================================================

> is the $0 the key??

No, $0 is a match variable which corresponds to an entire matching line (as explained in the official documentation under the PATTERNS, PATTERN TYPES AND MATCH VARIABLES section, http://simple-evcorr.sourceforge.net/man.html#lbAG).

> and another question what does %% and %u mean? i assume %s means the
> string and %t means time

These variables are predefined action list variables which are described in: http://simple-evcorr.sourceforge.net/man.html#lbAI

This documentation section also explains the purpose of %% (it is used for masking).

Also, I would definitely recommend to have a look into the first couple of pages of the official documentation (http://simple-evcorr.sourceforge.net/man.html#lbAD). This introductory section provides a couple of rule examples which provide an overview of basic concepts (rules vs event correlation operations, how the latter are identified, what is the value of the %s variable, etc.). After explaining basic concepts briefly, references to later parts of the documentation are provided where you can find in-depth explanation of each concept.

kind regards,
risto
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
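The following is an added example (not code from the thread or from the SEC project) that makes the reply above concrete: it parses the "List of event correlation operations:" section of a SEC dump file, pulls out the Key line of each running operation, and splits that key into its three parts (configuration file, rule internal ID, expanded desc). A second function shows how a key of this shape is formed from a rule's desc by substituting match variables ($0 for the whole line, $1.. for regex groups), which is an assumption drawn from the key quoted in the reply, not SEC's own implementation. The dump excerpt, the sshd log line and the regex are constructed for the example.

```python
import re

# Constructed excerpt of a SEC dump file, modelled on the entry quoted in
# the reply. The "Rule 1 Line 5 ..." line is the per-rule statistics line
# the original poster mistook for the key; the real keys come after the
# "List of event correlation operations:" header.
SAMPLE_DUMP = """\
Rule 1 Line 5 matched 2 events ($0)

List of event correlation operations:
============================================================
Key: test.sec | 0 | Repeated ssh probing of user adm2 from 10.1.1.1
Operation started at: Fri Nov 1 16:30:28 2013
Correlation window begins at: Fri Nov 1 16:30:28 2013
Correlation window ends at: Fri Nov 1 16:35:28 2013
Configuration file: test.sec
Rule number: 1
Rule internal ID: 0
Type: SingleWithThreshold
...
...

Key: test.sec | 0 | Repeated ssh probing of user root from 192.0.2.7
Operation started at: Fri Nov 1 16:31:02 2013
Correlation window begins at: Fri Nov 1 16:31:02 2013
Correlation window ends at: Fri Nov 1 16:36:02 2013
Configuration file: test.sec
Rule number: 1
Rule internal ID: 0
Type: SingleWithThreshold
"""

SECTION_HEADER = "List of event correlation operations:"


def parse_operations(dump_text):
    """Return one dict per running correlation operation.

    Every operation entry starts with a "Key: ..." line; the "Field: value"
    lines that follow belong to that entry. Lines such as "..." or the
    "=====" ruler carry no "Field: value" pair and are skipped.
    """
    ops = []
    in_section = False
    current = None
    for line in dump_text.splitlines():
        if not in_section:
            in_section = line.strip() == SECTION_HEADER
            continue
        if line.startswith("Key: "):
            current = {"Key": line[len("Key: "):].strip()}
            ops.append(current)
            continue
        if current is None or not line.strip():
            continue
        field, sep, value = line.partition(": ")
        if sep:
            current[field] = value.strip()
    return ops


def split_key(key):
    """Split "conf | rule ID | desc" into its parts (desc may itself contain ' | ')."""
    conf, rule_id, desc = key.split(" | ", 2)
    return conf, int(rule_id), desc


def build_key(conf_file, rule_id, desc, pattern, event):
    """Form a key of the shape seen in the dump (assumed convention:
    configuration file, rule internal ID, desc with $N expanded).

    $0 is the entire matching line, $1, $2, ... are regex capture groups;
    a $N with no such group is left as-is. Returns None if the event does
    not match the pattern.
    """
    m = re.search(pattern, event)
    if m is None:
        return None
    ngroups = m.lastindex or 0

    def substitute(var):
        n = int(var.group(1))
        if n == 0:
            return event
        return m.group(n) if n <= ngroups else var.group(0)

    expanded = re.sub(r"\$(\d+)", substitute, desc)
    return f"{conf_file} | {rule_id} | {expanded}"


if __name__ == "__main__":
    for op in parse_operations(SAMPLE_DUMP):
        conf, rule_id, desc = split_key(op["Key"])
        print(f"{op['Type']:20} rule {op['Rule number']} (id {rule_id}) in {conf}: {desc}")
        print(f"    window ends: {op['Correlation window ends at']}")
```

Running the script on the constructed dump lists two operations created by the same rule (internal ID 0) that differ only in the expanded desc, which is exactly why a desc with match variables such as $1 and $2 yields one correlation operation per user/source pair rather than one per rule.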
