[ossec-list] Documentation clarifications
Brian Candler
2018-11-26 10:51:01 UTC
Hi,

I'm looking for some clarification in the documentation for rules
<http://www.ossec.net/docs/syntax/head_rules.html>.

1. I've seen some examples
<https://github.com/ossec/ossec-rules/blob/master/rules.d/00-syslog_rules.xml#L71>
where a single rule has multiple <match> elements. Is the rule triggered
if only one matches, or do they all have to match?

2. There are srcip and dstip
<http://www.ossec.net/docs/syntax/head_rules.html#element-srcip> matches,
but is it possible to match on srcip "a.a.a.a/A or b.b.b.b/B or c.c.c.c/C"
without writing out the same rule multiple times? If I put multiple
<srcip> blocks, do they all have to match, or just one? What about
combining positive with negative, e.g.

<srcip>10.0.0.0/8</srcip>
<srcip>!10.10.10.0/24</srcip>

Application: I'm not interested in firewall deny logs for "outside to
inside" connection attempts - these are just script kiddies who are blocked
anyway - but I am very interested in firewall deny logs for "inside to
outside" connection attempts. And to do that, I need to have rules which
match on several address blocks (internal private IPv4, or public IPv4, or
IPv6).

Ideally I'd like to have a named set of IP blocks - which might be possible
using lists <http://www.ossec.net/docs/syntax/head_rules.html#element-list>
except I don't want to have to list every single IP address individually,
which isn't possible with IPv6 anyway. (Perhaps what I want would be
similar to exim's iplsearch
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html>
option)

3. When using the accumulate
<http://www.ossec.net/docs/syntax/head_decoders.html#element-decoder.accumulate>
option, what is it that triggers the end of the accumulated set of lines
and causes them to be further processed? Does it only join adjacent log
messages, or does it join related messages by ID?

For example, if I'm parsing Exim log messages which include the message ID,
is this feature intended to link together each of the log messages relating
to the delivery of a particular E-mail? Or is it just to join together log
messages which have been split over multiple lines at the source?

Thanks,

Brian.
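The following is an added illustration, not part of the post and not OSSEC code: it implements the "named set of IP blocks" matching the question describes (an address belongs if it is inside any positive CIDR block and inside no "!"-excluded block, IPv4 and IPv6 mixed) and runs it over constructed netfilter-style deny lines to keep only the "inside to outside" denies. The set semantics are the ones the question asks for, not a statement of how OSSEC evaluates several <srcip> elements; the block names, the log lines and the SRC=/DST= field format are assumptions made for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Named set of address blocks (constructed for this example). A leading "!"
# marks an exclusion, mirroring the "!10.10.10.0/24" notation in the post.
INSIDE_BLOCKS = [
    "10.0.0.0/8",
    "!10.10.10.0/24",    # carve-out: this range is not treated as "inside"
    "172.16.0.0/12",
    "192.168.0.0/16",
    "2001:db8:1::/48",   # documentation prefix standing in for an internal IPv6 range
]


class IPSet:
    """CIDR blocks with optional '!' exclusions, IPv4 and IPv6 mixed.

    Membership: the address lies inside at least one positive block and
    inside none of the negative blocks (exclusions win).
    """

    def __init__(self, blocks: Iterable[str]) -> None:
        self.include = []
        self.exclude = []
        for b in blocks:
            if b.startswith("!"):
                self.exclude.append(ipaddress.ip_network(b[1:], strict=False))
            else:
                self.include.append(ipaddress.ip_network(b, strict=False))

    def __contains__(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        # ipaddress reports an address of the other family as not in a
        # network, so IPv4 and IPv6 blocks can share one list.
        if any(ip in net for net in self.exclude):
            return False
        return any(ip in net for net in self.include)


INSIDE = IPSet(INSIDE_BLOCKS)

# Constructed netfilter-style deny lines; only the SRC= and DST= fields are parsed.
SAMPLE_LINES = [
    "Nov 26 10:51:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.7 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=445",
    "Nov 26 10:51:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22",
    "Nov 26 10:51:03 fw kernel: DROP IN=eth2 OUT=eth1 SRC=10.10.10.5 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=3389",
    "Nov 26 10:51:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=2001:db8:1::10 DST=2001:db8:ffff::1 PROTO=TCP SPT=40002 DPT=25",
    "Nov 26 10:51:05 fw kernel: DROP IN=eth1 OUT=eth1 SRC=10.0.1.1 DST=10.0.2.2 PROTO=UDP SPT=53 DPT=53",
    "Nov 26 10:51:06 fw sshd[123]: Accepted publickey for alice from 10.0.1.1",
]

_ADDR_RE = re.compile(r"\bSRC=(?P<src>[0-9a-fA-F.:]+)\s+DST=(?P<dst>[0-9a-fA-F.:]+)")


def parse_src_dst(line: str) -> Optional[Tuple[str, str]]:
    """Return (src, dst) from a deny line, or None if it has no SRC=/DST= pair."""
    m = _ADDR_RE.search(line)
    return (m.group("src"), m.group("dst")) if m else None


def classify(line: str, inside: IPSet) -> Optional[str]:
    """Label a deny line by direction relative to the 'inside' set."""
    pair = parse_src_dst(line)
    if pair is None:
        return None

    def side(addr: str) -> str:
        return "inside" if addr in inside else "outside"

    src, dst = pair
    return f"{side(src)}-to-{side(dst)}"


def interesting_denies(lines: Iterable[str], inside: IPSet) -> List[Tuple[str, str]]:
    """Keep only inside-to-outside denies: the blocked egress the post cares about."""
    hits = []
    for line in lines:
        if classify(line, inside) == "inside-to-outside":
            hits.append(parse_src_dst(line))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line, INSIDE), "|", line)
    print(interesting_denies(SAMPLE_LINES, INSIDE))
```

Running it prints one direction label per line and then the two inside-to-outside pairs (10.0.5.7 to 203.0.113.9 and the IPv6 pair); the 10.10.10.5 source is classified as outside because the exclusion wins over the enclosing 10.0.0.0/8. Whatever rule syntax ends up expressing the sets, a small checker like this is a convenient way to confirm that the chosen blocks and exclusions classify sample lines the way you intend before the rules go live.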