Has anyone any tips or tricks they would care to share on creating User
Defined OS event signatures for monitoring for certain regular
expressions in syslog and web server logs?
I have tried all reasonable things, read all the PDFs I can get my
hands on and still the events don't trigger.
Can anybody see anything obviously wrong?
For example I have in my policy:
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\];
Enabled =B 1;
Priority =L 1;
Regular Expression =S Error 232 (Connection reset by peer) reading data from host;
Logs =S Syslog;
CheckDescription =S reset a socket connection, possibly related to an invalid access attempt;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\];
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\LOGDB\];
Enabled =B 1;
Choice =S LogWithoutRaw;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\BANNER\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\DISABLE\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\SUSPEND\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\RSKILL\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\BLOCK\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\DISPLAY\];
Enabled =B 1;
Choice =S Default;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\EMAIL\];
Enabled =B 1;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\SNMP\];
Enabled =B 1;
Choice =S Default;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\USER SPECIFIED\];
Enabled =B 1;
Choice =S Syslog;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Response\SECURELOGIC\];
Enabled =B 1;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Connection_Reset\Info\];
Data causing error: =S from host {!} Socket error;
ETDirect Error1 =S @Field4;
ETDirect Error2 =S @Field5;
Source IP: =S Socket error from {!};
and
[\Advanced\Logs\Syslog\];
Path =S /var/adm/syslog/syslog.log;
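An added test harness (my own, not from the post or from the ISS product) for checking a signature's regular expression against sample log lines before loading it into a policy. It assumes the sensor applies ordinary regex semantics, under which the unescaped parentheses in the posted pattern form a group instead of matching a literal "(" and ")"; the sample log lines and the host-capturing pattern are constructed for the demonstration.

```python
import re

# The regular expression exactly as given in the posted policy.
POSTED_PATTERN = r"Error 232 (Connection reset by peer) reading data from host"

# Constructed sample syslog lines (not real log data); line 0 carries the
# literal parentheses a web server writes, line 2 does not.
SAMPLE_LOG = [
    "Jan 14 10:22:01 web1 httpd[4321]: Error 232 (Connection reset by peer) "
    "reading data from host 192.0.2.10",
    "Jan 14 10:22:05 web1 sshd[998]: Accepted publickey for alice "
    "from 198.51.100.7 port 51022",
    "Jan 14 10:23:11 web1 httpd[4321]: Error 232 Connection reset by peer "
    "reading data from host 192.0.2.11",
]

# Assumed extraction pattern: escaped parentheses plus one capture group for
# the remote host, the kind of value the Info section wants to report.
HOST_PATTERN = re.compile(
    r"Error 232 \(Connection reset by peer\) reading data from host (\S+)"
)


def matching_lines(pattern, lines):
    """Return the lines the pattern matches under standard regex semantics."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def literal_pattern(text):
    """Escape every metacharacter so the signature text is matched verbatim."""
    return re.escape(text)


def extract_host(line):
    """Return the host captured by HOST_PATTERN, or None if the line differs."""
    m = HOST_PATTERN.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # The posted pattern skips the real error line and hits only the one
    # without parentheses; the escaped form hits the real line.
    print("as posted :", matching_lines(POSTED_PATTERN, SAMPLE_LOG))
    print("escaped   :", matching_lines(literal_pattern(POSTED_PATTERN), SAMPLE_LOG))
    print("host      :", extract_host(SAMPLE_LOG[0]))
```

Running the harness against a copy of the actual log lines that should have fired is a quick way to separate a pattern problem from a sensor or log-path problem.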
_______________________________________________
ISSForum mailing list
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303
Barfield Road, Atlanta, Georgia, USA 30328.