In message
<CABYmqbrtSDP1Zbdok=B-VzmssO3pHeQNHhKs=X486Gk7=cb...@mail.gmail.com> ,
kirankumar veluri writes:
>I am new to the SEC tool. I have a configuration file with the below listed rule set.
>
>#Failed ssh logins for the same user from different IP addresses within a time period
>type=SingleWithThreshold
>ptype=RegExp
>pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
>desc=$1
>action=logonly
>window=60
>thresh=3
>
>#Failed XS logins for the same user from different IP addresses within a time period
>type=SingleWithThreshold
>ptype=RegExp
>pattern=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
>desc=Three XS login failures within 1m for user $2 from different source hosts
>action=logonly
>window=60
>thresh=3
>
>#Failed SSH, XS logins for same user on different IP addresses within a time period
>type=PairWithWindow
>ptype=RegExp
>pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
>desc=$1
>continue=TakeNext
>action=write - XS Failed login event didn't follow SSH failed event within window
>ptype2=RegExp
>pattern2=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
>desc2=$2
>action2=write - Failed SSH, ES logins for user $2 within 2 min window ;
>window=120
>
>The problem I am facing is that even though there are matched events in the
>input file, SEC is never throwing the actions specified in the
>"PairWithWindow" rule type.
>
>If I keep the same single rule in a separate configuration file and
>execute SEC, I can see the output on my console. My question is: can
>we have the same (duplicate) patterns in the configuration file?
Look at the man page for the continue keyword. By default processing
for an event stops (for that file) as soon as a rule is matched.
Setting:
continue=takenext
in your rule says to apply the same event to the next rule in the file.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users