I appreciate greatly your suggestion, but it doesn't appear to be
working. I implemented the following rule:
<rule id="100002" level="0">
  <if_sid>4383</if_sid>
  <srcip>xxx.xxx.xxx.xxx</srcip>
  <match>Duplicate TCP SYN</match>
  <description>Rule that will ignore Duplicate TCP SYN from IP xxx.xxx.xxx.xxx</description>
</rule>
I purposely left out the srcport portion because the source port in
this case is dynamic. I also tried using a regex rule and couldn't
get it to work that way either. I will keep working on it, but in the
meantime I welcome any additional suggestions. If I am able to come
up with a working rule, I will be sure to post it.
Thanks again!!
On Sep 14, 1:37 pm, David Williams <[EMAIL PROTECTED]> wrote:
> I think you're on the right path but OSSEC has already parsed the
> log entry (to extract source and destination IPs) so you may need
> something more like this (of course, I'm not able to test this):
>
> <rule id="100002" level="0">
>   <if_sid>4383</if_sid>
>   <srcip>xxx.xxx.xxx.xxx</srcip>
>   <srcport>9200</srcport>
>   <match>Duplicate TCP SYN</match>
>   <description>Rule that will ignore Duplicate TCP SYN from IP xxx.xxx.xxx.xxx</description>
> </rule>
>
> -David
>
> mcamacho75 wrote:
> > I am trying to create a rule that will prevent email notifications for
> > the following alert but can't seem to make it work. Below is an
> > example of the email I would like to ignore:
>
> > Received From: ktwapp-8->172.16.230.10
> > Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
> > Portion of the log(s):
>
> > %ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
> > inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
>
> > I have created the following rule within the local_rules.xml file, but
> > it doesn't seem to have any effect:
>
> > <rule id="100002" level="0">
> >   <if_sid>4383</if_sid>
> >   <regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx\.+</regex>
> >   <description>Rule that will ignore Duplicate TCP SYN from IP xxx.xxx.xxx.xxx</description>
> > </rule>
>
> > Any help in figuring out what I am doing wrong would be greatly
> > appreciated. Thanks.
>
> --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available
> from: http://www.kayakero.net/per/david/
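As an added illustration (not part of the thread, and not OSSEC's own code), here is a small Python stand-in for the two steps the thread is getting at: a decoder that pulls srcip/srcport out of the ASA 419002 line, and a check of the `<match>`, `<srcip>` and `<srcport>` fields the way a level-0 suppression rule would apply them, showing that leaving out `<srcport>` lets the rule cover a dynamic source port. The sample lines and the 10.0.0.x addresses are constructed placeholders for the xxx.xxx.xxx.xxx in the thread.

```python
import re

# Simplified stand-in for OSSEC's decoder step (not OSSEC's own decoder):
# pull the fields the rule engine compares against out of the raw message.
ASA_419002 = re.compile(
    r"%ASA-4-419002: Duplicate TCP SYN from \w+:(?P<srcip>[\d.]+)/(?P<srcport>\d+)"
    r" to \w+:(?P<dstip>[\d.]+)/(?P<dstport>\d+)"
)

def decode(log_line):
    """Return a dict of decoded fields plus the raw line, or None if the
    line is not an ASA 419002 message."""
    m = ASA_419002.search(log_line)
    if not m:
        return None
    event = m.groupdict()
    event["full_log"] = log_line
    return event

def rule_matches(rule, event):
    """Evaluate the rule fields used in the thread: <match> is a substring
    test on the raw log, <srcip>/<srcport> compare against decoded fields,
    and a field the rule omits acts as a wildcard."""
    if "match" in rule and rule["match"] not in event["full_log"]:
        return False
    if "srcip" in rule and rule["srcip"] != event["srcip"]:
        return False
    if "srcport" in rule and rule["srcport"] != event["srcport"]:
        return False
    return True

# The two rules from the thread, with a constructed IP in place of xxx.xxx.xxx.xxx.
RULE_WITH_PORT = {"if_sid": "4383", "srcip": "10.0.0.5", "srcport": "9200",
                  "match": "Duplicate TCP SYN"}
RULE_NO_PORT = {"if_sid": "4383", "srcip": "10.0.0.5", "match": "Duplicate TCP SYN"}

# Constructed sample lines: same host on the pinned port, same host on an
# ephemeral port, and a different host on the pinned port.
TAIL = " with different initial sequence number"
SAMPLES = [
    "%ASA-4-419002: Duplicate TCP SYN from inside:10.0.0.5/9200 to inside:10.0.0.9/1170" + TAIL,
    "%ASA-4-419002: Duplicate TCP SYN from inside:10.0.0.5/51234 to inside:10.0.0.9/1170" + TAIL,
    "%ASA-4-419002: Duplicate TCP SYN from inside:10.0.0.77/9200 to inside:10.0.0.9/1170" + TAIL,
]

def suppressed(rule, lines):
    """Return the source ports of the lines the rule would silence (level 0)."""
    return [e["srcport"] for e in map(decode, lines) if e and rule_matches(rule, e)]

if __name__ == "__main__":
    print("with srcport:   ", suppressed(RULE_WITH_PORT, SAMPLES))  # ['9200']
    print("without srcport:", suppressed(RULE_NO_PORT, SAMPLES))    # ['9200', '51234']
```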