Hi Risto
Greetings..!! I would like to get your suggestions on event correlation upon aggregation. The rules below aggregate events with whitelisting criteria.

---------------------------------------------------------------------------
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load blacklist
action=logonly; delete WL; create WL; \
       lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
       cevent Whitelist 0 %events

type=Single
ptype=RegExp
pattern=.
context=Whitelist
desc=create a whitelist entry
action=logonly; alias WL WL_$0

type=SingleWithSuppress
ptype=regexp
context=!WL_$2
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
desc=Suppressed $2 Security Alert towards $1
action=pipe '<5>$0' | nc syslog01 514
window=300
---------------------------------------------------------------------------

Now, will a "pairwithwindow" rule on top of this help me to achieve correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel IPs (which are stored in a file)?

The conditions to meet are:

Condition 1: Need to forward the aggregated + correlated log to the external syslog server.

Condition 2: If the correlation does not match, just the aggregated log should be forwarded to the external syslog server.

Please suggest best practices.

Regards,
Santhosh S
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
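The pipeline Santhosh describes (whitelist check, suppression window keyed on destination and attack name, then a lookup of the destination IP against a threat-intel list, with a different forwarded message for the matching and non-matching cases) is written out below as a standalone Python model. This is an added example, not SEC configuration and not code from the original post: it reuses the post's IDS regular expression and 300-second window, but the sample log lines, the whitelist and threat-intel contents, the `ti_match=yes ti_dst=...` enrichment suffix, and UDP as the forwarding transport are all assumptions made for the example.

```python
import re
import socket
import time

# Same IDS pattern as in the post: group 1 is the destination IP, group 2 the attack name.
IDS_RE = re.compile(r"IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)")

SUPPRESS_WINDOW = 300  # seconds; mirrors window=300 in the SingleWithSuppress rule


def load_list(lines):
    """Parse a whitelist or threat-intel list: one entry per line, '#' comments and blanks ignored."""
    entries = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            entries.add(entry)
    return entries


class IdsCorrelator:
    """Models the post's pipeline: whitelist -> suppression window -> threat-intel lookup -> forward."""

    def __init__(self, whitelist, threat_ips, window=SUPPRESS_WINDOW):
        self.whitelist = set(whitelist)      # attack names that are never forwarded
        self.threat_ips = set(threat_ips)    # destination IPs loaded from the threat-intel file
        self.window = window
        self.last_forwarded = {}             # (dst, attack) -> time of the last forwarded alert

    def process(self, line, now=None):
        """Return the syslog message to forward, or None if the event is dropped."""
        now = time.time() if now is None else now
        m = IDS_RE.search(line)
        if not m:
            return None                      # not an IDS alert; the rule does not apply
        dst, attack = m.group(1), m.group(2).strip()
        if attack in self.whitelist:
            return None                      # context=!WL_$2 fails: whitelisted attack name
        key = (dst, attack)                  # same key as the post's desc "$2 ... towards $1"
        last = self.last_forwarded.get(key)
        if last is not None and now - last < self.window:
            return None                      # still inside the suppression window
        self.last_forwarded[key] = now
        # Assumed enrichment format: a key=value suffix so the collector can key on it.
        if dst in self.threat_ips:
            return f"<5>{line} ti_match=yes ti_dst={dst}"   # condition 1: correlated
        return f"<5>{line}"                                   # condition 2: aggregated only


def forward_udp(message, host="syslog01", port=514):
    """Send one message to the collector (UDP is an assumed transport; the post pipes to nc on 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))


# Constructed sample inputs; none of these values come from the original post.
WHITELIST_TXT = """# attack names to ignore
ICMP Echo Request
"""
THREAT_TXT = """# known-bad destinations from the threat-intel feed
203.0.113.7
"""
SAMPLE_LOGS = [
    "Jan 10 10:00:00 sensor1 IDS: src=10.0.0.5 dst=203.0.113.7 attack_name=SQL Injection Attempt",
    "Jan 10 10:00:10 sensor1 IDS: src=10.0.0.5 dst=203.0.113.7 attack_name=SQL Injection Attempt",
    "Jan 10 10:01:00 sensor1 IDS: src=10.0.0.6 dst=192.0.2.20 attack_name=Directory Traversal",
    "Jan 10 10:02:00 sensor1 IDS: src=10.0.0.7 dst=192.0.2.20 attack_name=ICMP Echo Request",
]


def run_sample():
    """Feed the constructed logs through the correlator at 10-second steps; return forwarded messages."""
    c = IdsCorrelator(load_list(WHITELIST_TXT.splitlines()), load_list(THREAT_TXT.splitlines()))
    forwarded = []
    for i, line in enumerate(SAMPLE_LOGS):
        msg = c.process(line, now=1000 + 10 * i)
        if msg is not None:
            forwarded.append(msg)
    return forwarded


if __name__ == "__main__":
    for msg in run_sample():
        print(msg)          # replace with forward_udp(msg) to actually ship to the collector
```

Of the four constructed lines, only two are forwarded: the first SQL Injection alert (enriched, because its destination is on the threat list), and the Directory Traversal alert (plain, because it is not). The repeated SQL Injection alert falls inside the window and the ICMP alert is whitelisted. Keeping the suppression key as the (destination, attack) pair is what makes the later threat-intel lookup safe: an alert towards a listed destination is never hidden behind an earlier alert towards an unlisted one.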