Hi,

A few suggestions to make it work:

1- Simplify your match (taken from David's reply): If you are looking
for a word, just use "match" (much faster):

<match>Duplicate TCP SYN from</match>

2- A better solution would be to use the pix ID that you want:

<id>^4-419002</id>

3- Do not write ignore rules based on correlations. If you look at
rule "4383", it will alert on multiple warning messages from the PIX
(id 4313). Just ignoring the 4313 instead of the 4383 will be much
cleaner...

4- This log is not being decoded by the pix decoder, so you can't use
the srcip/dstip options.

My suggestion would be:

 <rule id="100002" level="0">
   <if_sid>4313</if_sid>
   <id>^4-419002</id>
   <regex>from inside:xxx.xxx.xxx.xxx</regex>
   <description>Rule that will ignore Duplicate</description>
 </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net


On 9/14/07, mcamacho75 <[EMAIL PROTECTED]> wrote:
>
> I appreciate greatly your suggestion but it doesn't appear to be
> working.  I implemented the following rule:
>
>   <rule id="100002" level="0">
>     <if_sid>4383</if_sid>
>     <srcip>xxx.xxx.xxx.xxx</srcip>
>     <match>Duplicate TCP SYN</match>
>     <description>Rule that will ignore Duplicate</description>
>     <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
>   </rule>
>
> I purposely left out the srcport portion because the source port in
> this case is dynamic.  I also tried using a regex rule and couldn't
> get it to work that way either.  I will keep working on it but in the
> meantime I welcome any additional suggestions.  If I am able to come
> up with a working rule I will be sure to post it.
>
> Thanks again!!
>
>
> On Sep 14, 1:37 pm, David Williams <[EMAIL PROTECTED]> wrote:
> >
> >         I think you're on the right path but OSSEC has already parsed the
> > log entry (to extract source and destination IPs) so you may need
> > something more like this (of course, I'm not able to test this):
> >
> >   <rule id="100002" level="0">
> >     <if_sid>4383</if_sid>
> >     <srcip>xxx.xxx.xxx.xxx</srcip>
> >     <srcport>9200</srcport>
> >     <match>Duplicate TCP SYN</match>
> >     <description>Rule that will ignore Duplicate</description>
> >     <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> >   </rule>
> >
> >         -David
> >
> > mcamacho75 wrote:
> > > I am trying to create a rule that will prevent email notifications for
> > > the following alert but can't seem to make it work.  Below is an
> > > example of the email I would like to ignore:
> >
> > > Received From: ktwapp-8->172.16.230.10
> > > Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
> > > Portion of the log(s):
> >
> > > %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
> > > inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
> >
> > > I have created the following rule within the local_rules.xml file but
> > > it doesn't seem to have any effect:
> >
> > >   <rule id="100002" level="0">
> > >     <if_sid>4383</if_sid>
> > >     <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+</regex>
> > >     <description>Rule that will ignore Duplicate</description>
> > >     <description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > >   </rule>
> >
> > > Any help in figuring out what I am doing wrong would be greatly
> > > appreciated.  Thanks
> >
> > --
> > _______________________________________________
> > GPG (http://www.gnupg.org/) key available
> > from: http://www.kayakero.net/per/david/
>
>

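As an added illustration of the points made in the first message of this thread (plain `<match>` versus OSSEC's `<regex>` dialect, matching on the decoded `<id>`, chaining off 4313 rather than 4383, and why `<srcip>` cannot be used on this undecoded line), here is a small Python model written for this page. It is not OSSEC's code: the regex translation, the stand-in pix decoder and the set of rules assumed to have fired are all simplifications labelled in the comments.

```python
import re

# Assumption (illustrative model, not OSSEC's code): OSSEC's own regex dialect,
# where \. is any character, \s a space, \d a digit and \p punctuation, while
# an unescaped '.' is a literal dot. Only the tokens used in this thread are mapped.
_OSSEC_TOKENS = {r"\.": ".", r"\s": " ", r"\d": r"\d",
                 r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&@]"""}

def ossec_regex(pattern: str) -> re.Pattern:
    """Translate an OSSEC <regex>/<id> pattern into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _OSSEC_TOKENS:
            out.append(_OSSEC_TOKENS[pattern[i:i + 2]]); i += 2
        else:
            c = pattern[i]
            out.append(c if c in "^$+*" else re.escape(c)); i += 1
    return re.compile("".join(out))

# Assumption: the pix decoder extracts only the message id from this line;
# no srcip/dstip fields exist for it, which is why <srcip> cannot be used.
PIX_ID = re.compile(r"^%(?:PIX|ASA|FWSM)-(\d-\d{6}): ")

def decode(log: str) -> dict:
    m = PIX_ID.match(log)
    return {"id": m.group(1)} if m else {}

def rule_matches(rule: dict, log: str, fired: set) -> bool:
    """A rule fires only if its if_sid parent fired and every field it sets matches."""
    if "if_sid" in rule and rule["if_sid"] not in fired:
        return False
    fields = decode(log)
    checks = [
        "srcip" not in rule or fields.get("srcip") == rule["srcip"],
        "id" not in rule or bool(ossec_regex(rule["id"]).search(fields.get("id", ""))),
        "match" not in rule or rule["match"] in log,        # plain substring test
        "regex" not in rule or bool(ossec_regex(rule["regex"]).search(log)),
    ]
    return all(checks)

# Constructed from the log line quoted in the thread; 4313 is the generic PIX
# warning rule assumed to have matched it first.
LOG = ("%ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to "
       "inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number")
FIRED = {4313}

SUGGESTED = {"if_sid": 4313, "id": "^4-419002", "regex": "from inside:xxx.xxx.xxx.xxx"}
SRCIP_RULE = {"if_sid": 4313, "srcip": "xxx.xxx.xxx.xxx", "match": "Duplicate TCP SYN"}
ORIGINAL = {"if_sid": 4383, "regex": r"\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+"}

def compare() -> dict:
    return {name: rule_matches(rule, LOG, FIRED)
            for name, rule in (("suggested", SUGGESTED), ("srcip_based", SRCIP_RULE),
                               ("original", ORIGINAL))}

if __name__ == "__main__":
    print(compare())
```

Under this model only the suggested rule matches: the srcip-based one fails because the decoder produced no srcip field, and the original fails because it is chained to 4383 and its `\p` tokens expect extra punctuation that the log line does not contain.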