hi Robert,
do I understand correctly that you would like to produce an alert when the
first instance of some OID appears and suppress the following instances of
the same OID for 900 seconds? In other words, when the OIDs below appear within
900 seconds, would you like to produce alerts in the following way:
.1.3.6.1.4.1.5528.100.10.2.8.0.1 --> alert
.1.3.6.1.4.1.5528.100.10.2.8.0.2 --> alert
.1.3.6.1.4.1.5528.100.10.2.8.0.1
.1.3.6.1.4.1.5528.100.10.2.8.0.1
.1.3.6.1.4.1.5528.100.10.2.8.0.2
.1.3.6.1.4.1.5528.100.10.2.8.0.3 --> alert
.1.3.6.1.4.1.5528.100.10.2.8.0.2
If my understanding is correct, that would require a rule which starts a
separate event correlation for each distinct OID. This can be configured
with a 'desc' parameter of the rule (see
http://simple-evcorr.sourceforge.net/man.html#lbAX for a detailed
discussion).
For your particular case, we would need to have a regular expression which
would extract the OID from an input event and assign it to a match variable.
Then, we need to use this variable in the 'desc' field:
type=SingleWithSuppress
continue=takenext
ptype=RegExp
pattern=(SNMPv2-SMI::enterprises\.5528\.100\.10\.2\.8\.0\.\d+)
desc=Front Door Camera, OID $1
action=pipe '"$0"' tr -d "\""|sed s/^/\"/g|sed s/$/\"/g|/root/sec-2.7.5/alerthours.pl
window=900
The regular expression in this rule would match OIDs which have the prefix
'.1.3.6.1.4.1.5528.100.10.2.8.0.' . If you would like to widen the set of
matching OIDs, the regular expression would need to be more generic. Also,
if you would like to extract the hostname or IP of the involved device and
run event correlation operations for each device separately, the expression
would need additional enhancements.
hope this helps,
risto
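As an added illustration (my own example, not SEC's code and not the rule above), here is a small Python model of what the rule does: the regex is the same as the 'pattern' line, the 'desc' string is expanded with $1, and a separate suppression window is kept per expanded desc, so each distinct OID alerts once per 900 seconds. The trap lines and timestamps are constructed sample input; the class and function names are hypothetical.

```python
import re

# Same regular expression as the 'pattern' line of the rule; group 1 becomes $1.
OID_RE = re.compile(r"(SNMPv2-SMI::enterprises\.5528\.100\.10\.2\.8\.0\.\d+)")
DESC = "Front Door Camera, OID $1"   # the 'desc' line of the rule
WINDOW = 900                          # the 'window' line of the rule (seconds)


class SingleWithSuppress:
    """Hypothetical model of SEC's SingleWithSuppress rule.

    One event correlation operation is started per distinct expanded 'desc':
    the first matching event fires the action, later events with the same
    desc are ignored until the window for that desc has expired.
    """

    def __init__(self, pattern, desc_template, window):
        self.pattern = pattern
        self.desc_template = desc_template
        self.window = window
        self.active = {}   # expanded desc -> timestamp when its window expires

    def feed(self, ts, line):
        """Return the expanded desc if the action fires for this event, else None."""
        m = self.pattern.search(line)
        if not m:
            return None                      # event does not match the rule at all
        desc = self.desc_template.replace("$1", m.group(1))
        expiry = self.active.get(desc)
        if expiry is not None and ts < expiry:
            return None                      # suppressed: operation for this desc still running
        self.active[desc] = ts + self.window # start (or restart) the operation for this desc
        return desc


# Constructed sample input: (seconds since start, trap line as snmptrapd might print it).
SAMPLE_EVENTS = [
    (0,   "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (10,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (20,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (30,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (40,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (50,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.3 = INTEGER: 1"),
    (60,  "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (70,  "host1 SNMPv2-SMI::enterprises.9999.1.0 = INTEGER: 1"),   # different OID prefix, no match
    (800, "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),  # .2 window still open
    (905, "host1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),  # .1 window expired at 900
]


def simulate(events, pattern=OID_RE, desc=DESC, window=WINDOW):
    """Feed events in order and return the list of (timestamp, desc) for which the action fires."""
    rule = SingleWithSuppress(pattern, desc, window)
    alerts = []
    for ts, line in events:
        fired = rule.feed(ts, line)
        if fired is not None:
            alerts.append((ts, fired))
    return alerts


def run_sample():
    return simulate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, desc in run_sample():
        print(f"t={ts:4d}s  action fires for: {desc}")
```

The four alerts produced (at 0 s, 10 s, 50 s and 905 s) reproduce the "--> alert" marks in the list above, and the last one shows the per-OID window reopening after 900 seconds while the window for OID ...0.2 is still suppressing. To key the operations per device as well, the regex would need a second capture group and the desc would reference it too.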
2014-04-30 21:00 GMT+03:00 Robert Reilly <[email protected]>:
> Hi, I am new to SEC, I am trying to have one rule that will apply to
> multiple snmp traps, for instance
> I would like the regex to match
>
> .1.3.6.1.4.1.5528.100.10.2.8.0.1
> .1.3.6.1.4.1.5528.100.10.2.8.0.2
> .1.3.6.1.4.1.5528.100.10.2.8.0.3
> etc
> but I want to have an action for each OID, and if it matches one it alerts and
> waits, and if it matches the second it does the same thing. I am trying to not
> have a massive configuration file with a rule for each OID. I have it
> working with a single OID, see my example below.
>
> type=SingleWithSuppress
> continue=takenext
> ptype=RegExp
> pattern=SNMPv2-SMI::enterprises.5528.100.10.2.8.0.10
> desc=Front Door Camera
> action=pipe '"$0"' tr -d "\""|sed s/^/\"/g|sed s/$/\"/g|/root/sec-2.7.5/alerthours.pl
> window=900
>
>
> Thanks!
> --
>
> Robert Reilly
>
>
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users