Two local rules (below). The first one is triggered, but not the second;
and I've been unable to sort out why. My appreciation for any guidance.
<group name="local,firewall,">
  <rule id="101000" level="0">
    <if_sid>4100</if_sid>
    <description>all entries</description>
  </rule>

  <rule id="101201" level="10" frequency="3" timeframe="10">
    <if_matched_sid>101000</if_matched_sid>
    <same_source_ip />
    <description>Multiple iptable DROPs 6:30</description>
    <group>attack,firewall_drop,</group>
  </rule>
</group> <!-- firewall,local -->
I had to append the following block to the iptables decoders for -j LOG target
entries arriving through the syslog facility:
<decoder name="iptables-log">
  <parent>iptables</parent>
  <program_name>^kernel</program_name>
  <type>firewall</type>
  <prematch>^\.+ SRC=</prematch>
  <regex>^\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
  <regex>DPT=(\w+) </regex>
  <order>srcip,dstip,dstport</order>
</decoder>
ossec-logtest reports success with decoding, and gets as far as:
**Phase 3: Completed filtering (rules).
Rule id: '110000'
Level: '0'
Description: 'all entries'
for each of 5 log entries at 2-second intervals
(and without noting rule 4100, by the way).
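To reason about what rule 101201 is asking for, it helps to model the correlation it describes: a base event per decoded iptables line, then a composite rule that fires when the same source IP produces `frequency` matches inside `timeframe` seconds. The script below is an added example written for this thread, not OSSEC code and not the poster's configuration; it mirrors the decoder's srcip/dstip/dstport fields with a Python regex and uses a simple sliding-window counter, which is an assumption about the intended behaviour rather than a statement of how ossec-analysisd counts. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque

# Python regex standing in for the decoder's <regex>/<order> elements:
# extracts srcip, dstip, dstport from a kernel iptables LOG line.
DECODER_RE = re.compile(r"SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*DPT=(?P<dstport>\w+)")


def decode(line):
    """Mimic the decoder: prematch on ' SRC=', then pull the ordered fields.
    Returns a dict of fields, or None when the line does not decode."""
    if " SRC=" not in line:
        return None
    m = DECODER_RE.search(line)
    return m.groupdict() if m else None


class CompositeRule:
    """Sliding-window model of frequency / timeframe / same_source_ip.
    This is an assumed model for illustration, not OSSEC's implementation."""

    def __init__(self, rule_id, level, frequency, timeframe):
        self.rule_id = rule_id
        self.level = level
        self.frequency = frequency
        self.timeframe = timeframe
        # same_source_ip: one window of recent match timestamps per source IP
        self.windows = defaultdict(deque)

    def feed(self, ts, event):
        """Record one base-rule match; return an alert dict when the window fills."""
        q = self.windows[event["srcip"]]
        q.append(ts)
        # drop matches older than the timeframe
        while q and ts - q[0] > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one burst yields one alert, then counting restarts
            return {"rule_id": self.rule_id, "level": self.level,
                    "srcip": event["srcip"], "ts": ts, "count": self.frequency}
        return None


# Constructed (timestamp_seconds, syslog line) pairs; addresses are documentation ranges.
SAMPLE_LOGS = [
    (0, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 "),
    (0, "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41000 DPT=22 "),
    (1, "kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=42000 DPT=80 "),
    (2, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 "),
    (3, "kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=42001 DPT=80 "),
    (3, "kernel: eth0: link is up"),  # no SRC= field: decoder does not fire, so no base event
    (4, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 "),
    (6, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 "),
    (8, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=22 "),
    (20, "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41001 DPT=22 "),
    (40, "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41002 DPT=22 "),
]


def run(logs, frequency=3, timeframe=10):
    """Feed every decodable line through the composite rule; return the alerts raised."""
    rule = CompositeRule("101201", 10, frequency, timeframe)
    alerts = []
    for ts, line in logs:
        event = decode(line)
        if event is None:
            continue  # the base rule (101000) never matched, nothing to correlate
        alert = rule.feed(ts, event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(f"rule {a['rule_id']} level {a['level']}: {a['count']} drops from {a['srcip']} by t={a['ts']}s")
```

With the thread's numbers (frequency 3, timeframe 10) the five entries from 198.51.100.7 at 2-second intervals produce exactly one alert, at the third entry; the two hosts that never reach three hits inside ten seconds produce none, and the line without a SRC= field never becomes a base event at all. Shrinking the timeframe below the 2-second spacing makes the alert disappear, which is the first thing to compare against what ossec-logtest is actually being fed.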