Risto, that is exactly what I would like to do, so I could have one event
for each manufacturer: one for Cisco, one for net-snmp etc. I tried
something similar; I will try this and see if it works.
Thanks!
Robert
On Fri, May 2, 2014 at 4:49 AM, Risto Vaarandi <[email protected]> wrote:
> hi Robert,
> do I understand correctly that you would like to produce an alert when the
> first instance of some OID appears and suppress the following instances of
> the same OID for 900 seconds? In other words, when the OIDs below appear within
> 900 seconds, would you like to produce alerts in the following way:
>
> .1.3.6.1.4.1.5528.100.10.2.8.0.1 --> alert
> .1.3.6.1.4.1.5528.100.10.2.8.0.2 --> alert
> .1.3.6.1.4.1.5528.100.10.2.8.0.1
> .1.3.6.1.4.1.5528.100.10.2.8.0.1
> .1.3.6.1.4.1.5528.100.10.2.8.0.2
> .1.3.6.1.4.1.5528.100.10.2.8.0.3 --> alert
> .1.3.6.1.4.1.5528.100.10.2.8.0.2
>
> If my understanding is correct, that would require a rule which starts a
> separate event correlation for each distinct OID. This can be configured
> with a 'desc' parameter of the rule (see
> http://simple-evcorr.sourceforge.net/man.html#lbAX for a detailed
> discussion).
>
> For your particular case, we would need to have a regular expression which
> would extract the OID from an input event and assign it to a match variable.
> Then, we need to use this variable in the 'desc' field:
>
> type=SingleWithSuppress
> continue=takenext
> ptype=RegExp
> pattern=(SNMPv2-SMI::enterprises\.5528\.100\.10\.2\.8\.0\.\d+)
> desc=Front Door Camera, OID $1
> action=pipe '"$0"' tr -d "\""|sed s/^/\"/g|sed s/$/\"/g|/root/sec-2.7.5/alerthours.pl
> window=900
>
> The regular expression in this rule would match OIDs which have the prefix
> '.1.3.6.1.4.1.5528.100.10.2.8.0.' . If you would like to widen the set of
> matching OIDs, the regular expression would need to be more generic. Also,
> if you would like to extract the hostname or IP of the involved device and
> run event correlation operations for each device separately, the expression
> would need additional enhancements.
>
> hope this helps,
> risto
>
>
> 2014-04-30 21:00 GMT+03:00 Robert Reilly <[email protected]>:
>
>> Hi, I am new to SEC. I am trying to have one rule that will apply to
>> multiple SNMP traps; for instance,
>> I would like the regex to match
>>
>> .1.3.6.1.4.1.5528.100.10.2.8.0.1
>> .1.3.6.1.4.1.5528.100.10.2.8.0.2
>> .1.3.6.1.4.1.5528.100.10.2.8.0.3
>> etc.
>> but I want to have an action for each OID, and if it matches one it alerts and
>> waits, and if it matches the second it does the same thing. I am trying not to
>> have a massive configuration file with a rule for each OID. I have it
>> working with a single OID; see my example below.
>>
>> type=SingleWithSuppress
>> continue=takenext
>> ptype=RegExp
>> pattern=SNMPv2-SMI::enterprises.5528.100.10.2.8.0.10
>> desc=Front Door Camera
>> action=pipe '"$0"' tr -d "\""|sed s/^/\"/g|sed s/$/\"/g|/root/sec-2.7.5/alerthours.pl
>> window=900
>>
>>
>> Thanks!
>> --
>>
>> Robert Reilly
>>
>>
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
--
Robert Reilly
203 297 3653
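The per-'desc' behaviour Risto describes above (one SingleWithSuppress correlation per distinct OID, and optionally per device), as an added example that is not part of the thread or of SEC itself: a small Python model of the rule's semantics, run over a constructed sequence of trap lines. The OID prefix and the 900 second window are the ones from the thread; the "<host> <varbind>" line layout, the host names cam1/cam2, the timestamps and the host-capturing regex are assumptions made for the example.

```python
import re

# Constructed sample events (not from the thread): "<host> <varbind>" lines with
# relative timestamps in seconds, roughly what snmptrapd would hand to SEC.
# The OID prefix is the one from the thread; host names and timing are assumptions.
EVENTS = [
    (0,    "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (10,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (20,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (30,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (40,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (50,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.3 = INTEGER: 1"),
    (60,   "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.2 = INTEGER: 1"),
    (70,   "cam2 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
    (1000, "cam1 SNMPv2-SMI::enterprises.5528.100.10.2.8.0.1 = INTEGER: 1"),
]

# The pattern from Risto's rule (dots escaped so they match literal dots only).
OID_PATTERN = r"(SNMPv2-SMI::enterprises\.5528\.100\.10\.2\.8\.0\.\d+)"
# Extension for per-device correlation: also capture the leading host field.
# This assumes the host is the first whitespace-separated field of the line,
# which the thread does not specify.
HOST_OID_PATTERN = r"^(\S+)\s.*?(SNMPv2-SMI::enterprises\.5528\.100\.10\.2\.8\.0\.\d+)"


def expand_desc(template, line, match):
    """Substitute $0 (whole event) and $1..$N (capture groups) into a desc
    template, the way SEC derives the operation key from the rule's desc."""
    def repl(m):
        idx = int(m.group(1))
        return line if idx == 0 else match.group(idx)
    return re.sub(r"\$(\d+)", repl, template)


def single_with_suppress(events, pattern, desc, window=900):
    """Model of SEC's SingleWithSuppress rule: for each distinct expanded desc,
    the first matching event triggers the action and starts a window; further
    events with the same desc are suppressed until the window expires.
    Returns the (timestamp, expanded desc) pairs for which the action fired."""
    regex = re.compile(pattern)
    expiry = {}   # expanded desc -> time at which suppression ends
    fired = []
    for ts, line in events:
        m = regex.search(line)
        if not m:
            continue
        key = expand_desc(desc, line, m)
        if key in expiry and ts < expiry[key]:
            continue  # still inside this desc's window: suppressed
        expiry[key] = ts + window
        fired.append((ts, key))
    return fired


def static_desc_alerts():
    """One correlation shared by all OIDs (desc has no match variable)."""
    return single_with_suppress(EVENTS, OID_PATTERN, "Front Door Camera")


def per_oid_alerts():
    """Risto's suggestion: desc includes $1, so each OID gets its own window."""
    return single_with_suppress(EVENTS, OID_PATTERN, "Front Door Camera, OID $1")


def per_host_and_oid_alerts():
    """Further split by source device, as Risto's last paragraph sketches."""
    return single_with_suppress(EVENTS, HOST_OID_PATTERN,
                                "Front Door Camera, host $1, OID $2")


if __name__ == "__main__":
    for name, fn in [("static desc", static_desc_alerts),
                     ("per-OID desc", per_oid_alerts),
                     ("per-host-and-OID desc", per_host_and_oid_alerts)]:
        alerts = fn()
        print(f"== {name}: {len(alerts)} alerts")
        for ts, key in alerts:
            print(f"  t={ts:>4}  {key}")
```

With the static desc only the first trap fires an action and everything else inside the 900 seconds is swallowed, which is the behaviour the original question wanted to avoid; with "$1" in the desc the .1, .2 and .3 OIDs each fire once and their repeats are suppressed, and the .1 trap at t=1000 fires again because its window ended at t=900. Adding the host capture makes cam2's .1 trap its own operation instead of being suppressed by cam1's.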