-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randy Bradley wrote:
>
> On Aug 21, 2006, at 11:47 PM, gentuxx wrote:
>
>> Obviously, I'm trying to understand how the hierarchy works here (in
>> addition to monitoring my systems).
>
> I, too, would like to understand the rules better. I am collecting
> my router logs to my Mac server. I have set up my local rules.xml file
> and used the syslog log format option.
>
> I made the assumption that the rules would be tested in a top-down
> fashion, but experimentation leads me to believe that the rule with the
> highest "level" will be the one matched. Is this true, or am I all wet here?
>
This is true. Rules with the highest level are matched first. It's still
a bit sparse at the moment, but take a look at
http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity for more info.

> Other questions:
>
> Are there more details of the regex library used? In particular, the
> "(" and ")" characters. "\(80\)" seems to find the (80) string in my
> log files; however, "\(\d+\)" doesn't seem to match anything. I see
> some of the rules shipped put the \d+ inside brackets, ex. [\d+]. Are
> the brackets required?

The "()" characters are "grouping and capture" characters. So, given
something like the following:

<regex>^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>

...the first parentheses would capture four groups of digits separated by
dots (or an IP address). Check out
http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme for more details
on the regular expressions used.

> What is "accuracy"? The description simply says 0 or 1. What is it
> used for?

Not really sure about this one. But I read somewhere (source or manual)
that it indicates whether a rule is accurate or not. The part I'm not sure
about is how the program responds if it's specified as accurate or
inaccurate.

> What is a Monolithic rules file? Meir has great instructions on how
> to create one. Is it simply a compiled file made from all of the rule
> files? Seems like a good idea for a production system but a lot of
> bother for a system used for rule development.

I believe this is just a way to have all of your rules in one file. It's
still XML/text, but it is all contained in one file as opposed to being
split up. Being a long-time snort user, I, personally, am accustomed to
having the rules split up and don't see the value in having one file.

> Thanks Daniel and everyone else for
> all of your hard work on this project.
> Randy

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6zZ6TPA54hjTSp4RAmt5AKCyf0mj1lngWKnf9Am/UaH/S1/5OwCeJzrj
emq0J0dVeHGB8CSAbCXKcAs=
=2sxE
-----END PGP SIGNATURE-----
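The two technical points in the reply above, that rules are evaluated highest level first regardless of their order in the file and that parentheses in a <regex> capture groups, can be seen in a small model. The following is an added example and is not code from OSSEC or from anyone in this thread. It uses Python's re module as an approximation of OSSEC's own regex dialect (the dots in the IP pattern are escaped here, unlike in the pattern quoted above), and the rule IDs, levels, descriptions and log format are all constructed for the example.

```python
"""Toy model of OSSEC-style rule matching: highest level first, first match wins.

Added example; not code from OSSEC or from the thread above. The <regex>
patterns below are written in Python's re syntax, which is only an
approximation of OSSEC's own regex dialect.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed rules file. The generic rule comes FIRST in the file but has a
# lower level than the more specific rule that follows it.
RULES_XML = r"""
<group name="example">
  <rule id="100001" level="3">
    <regex>^\d+ (\d+\.\d+\.\d+\.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
    <description>Generic connection record</description>
  </rule>
  <rule id="100002" level="10">
    <regex>^\d+ (\d+\.\d+\.\d+\.\d+) tcp/23 \d+ \w+ (\S+) </regex>
    <description>Connection on the telnet port</description>
  </rule>
</group>
"""

# Constructed log lines in the shape the regex above expects
# (counter, source IP, proto/port, another counter, action, interface).
LOG_LINES = [
    "17 192.168.1.10 tcp/80 4021 ACCEPT eth0 ",
    "18 192.168.1.10 tcp/23 4022 ACCEPT eth0 ",
    "Aug 21 23:47:01 router something unrelated",
]


@dataclass
class Rule:
    rule_id: str
    level: int
    regex: re.Pattern
    description: str


def load_rules(xml_text: str) -> list[Rule]:
    """Parse <rule> elements and order them the way the thread describes:
    by level, highest first. File order only breaks ties (stable sort)."""
    root = ET.fromstring(xml_text)
    rules = [
        Rule(
            rule_id=node.get("id"),
            level=int(node.get("level")),
            regex=re.compile(node.findtext("regex")),
            description=node.findtext("description"),
        )
        for node in root.iter("rule")
    ]
    rules.sort(key=lambda r: r.level, reverse=True)
    return rules


def match_log(rules: list[Rule], line: str):
    """Return (rule, captured groups) for the first matching rule, else None.
    Because rules are sorted by level, the level-10 rule defined later in
    the file still beats the level-3 rule defined before it."""
    for rule in rules:
        m = rule.regex.search(line)
        if m:
            return rule, m.groups()
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print("evaluation order:", [(r.rule_id, r.level) for r in rules])
    for line in LOG_LINES:
        hit = match_log(rules, line)
        if hit is None:
            print(f"{line!r}: no rule matched")
        else:
            rule, groups = hit
            print(f"{line!r}: rule {rule.rule_id} (level {rule.level}) "
                  f"{rule.description}; captures={groups}")
```

Running it shows the telnet line hitting rule 100002 even though both rules match it, while the port-80 line falls through to the generic rule, whose first capture group is the IP address as described in the reply.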
