Hi Amos, Can you check if the srcip is being decoded properly? If it fails to do so, the rule 101201 will never match. Besides that, the rules are correct. If that's not the issue, can you show us a few of the log entries you are sending?
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Mar 11, 2009 at 2:47 AM, Amos <[email protected]> wrote:
>
> Two local rules (below). The first one is triggered, but not the second;
> and I've been unable to sort out why. My appreciation for any guidance.
>
> <group name="local,firewall,">
>   <rule id="101000" level="0">
>     <if_sid>4100</if_sid>
>     <description>all entries</description>
>   </rule>
>
>   <rule id="101201" level="10" frequency="3" timeframe="10">
>     <if_matched_sid>101000</if_matched_sid>
>     <same_source_ip />
>     <description>Multiple iptable DROPs 6:30</description>
>     <group>attack,firewall_drop,</group>
>   </rule>
> </group> <!-- firewall,local -->
>
> I had to append the following block to the iptables decoders for target -j
> LOG entries through syslog facility:
>
> <decoder name="iptables-log">
>   <parent>iptables</parent>
>   <program_name>^kernel</program_name>
>   <type>firewall</type>
>   <prematch>^\.+ SRC=</prematch>
>   <regex>^\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>   <regex>DPT=(\w+) </regex>
>   <order>srcip,dstip,dstport</order>
> </decoder>
>
> ossec-logtest reports success with decoding, and gets as far as:
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '110000'
>        Level: '0'
>        Description: 'all entries'
>
> for each of 5 log entries at 2 second intervals.
> (and without noting rule 4100 by the way)

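Daniel's suggestion (check whether srcip is actually decoded before looking at the rules) can be exercised offline. The following added example is not from the thread or from OSSEC: it renders the quoted decoder regex in Python, runs it over constructed iptables DROP lines, and models rule 101201's same-source frequency/timeframe correlation in a simplified form. Hostnames, addresses and log lines are constructed, and the regex translation approximates OSSEC's matcher rather than reproducing its engine.

```python
import re
from collections import defaultdict, deque

# Python rendering of the decoder regex quoted in the thread. OSSEC's own regex
# dialect writes "any character" as \. and joins the two <regex> lines; this is
# an approximation of OSSEC's matcher, not its actual engine.
DECODER_RE = re.compile(r"^.+ SRC=(\S+) DST=(\S+) .+ DPT=(\w+) ")

def decode(line):
    """Return the fields the decoder's <order> would produce, or {} on no match."""
    m = DECODER_RE.match(line)
    if not m:
        return {}
    return dict(zip(("srcip", "dstip", "dstport"), m.groups()))

def correlate(events, frequency=3, timeframe=10):
    """Simplified model of rule 101201: fire once `frequency` events sharing a
    srcip arrive within `timeframe` seconds. Events with no decoded srcip are
    skipped, since <same_source_ip /> has nothing to compare; that is the
    failure mode Daniel asks Amos to rule out."""
    seen = defaultdict(deque)   # srcip -> timestamps inside the window
    fired = []
    for ts, line in events:
        src = decode(line).get("srcip")
        if src is None:
            continue
        q = seen[src]
        q.append(ts)
        while ts - q[0] > timeframe:
            q.popleft()
        if len(q) >= frequency:
            fired.append((ts, src))
            q.clear()               # start a fresh window after alerting
    return fired

# Constructed sample: five TCP DROP lines from one source, 2 seconds apart.
TCP_DROP = ("Mar 11 02:40:{:02d} gw kernel: IN=eth0 OUT= SRC=192.0.2.10 "
            "DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=4444 DPT=22 SYN ")
# Constructed ICMP line: no DPT= field, so the decoder regex above never matches
# and srcip is never produced.
ICMP_DROP = ("Mar 11 02:40:{:02d} gw kernel: IN=eth0 OUT= SRC=192.0.2.10 "
             "DST=198.51.100.5 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ")

def tcp_events():
    return [(t, TCP_DROP.format(t)) for t in range(1, 10, 2)]

def icmp_events():
    return [(t, ICMP_DROP.format(t)) for t in range(1, 10, 2)]
```

With the TCP sample the model fires once (at the third event); with the ICMP sample it never fires, which is exactly the symptom Amos describes when srcip is not being decoded.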