Hi Dan,

This is working. However, for a frequency of 6 the rule triggers after 8 events at the same second, using logtest.

The other requirement which I didn't anticipate is that the first rule (100100 below) must be level greater than 0 (I use "1" now) in order for the chain to trigger the second rule. This is unfortunate.

I'll see what happens in real mode and sing out if I see anything else worth noting.

Thanks,
-Amos

Daniel Cid wrote:
> Hi Amos,
>
> Can you check if the srcip is being decoded properly? If it fails to
> do so, the rule 101201 will never match. Besides that, the rules are
> correct. If that's not the issue, can you show us a few of the log
> entries you are sending?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 11, 2009 at 2:47 AM, Amos <[email protected]> wrote:
>>
>> Two local rules (below). The first one is triggered, but not the second;
>> and I've been unable to sort out why. My appreciation for any guidance.
>>
>> <group name="local,firewall,">
>>   <rule id="101000" level="0">
>>     <if_sid>4100</if_sid>
>>     <description>all entries</description>
>>   </rule>
>>
>>   <rule id="101201" level="10" frequency="3" timeframe="10">
>>     <if_matched_sid>101000</if_matched_sid>
>>     <same_source_ip />
>>     <description>Multiple iptable DROPs 6:30</description>
>>     <group>attack,firewall_drop,</group>
>>   </rule>
>> </group> <!-- firewall,local -->
>>
>> I had to append the following block to the iptables decoders for target
>> -j LOG entries through syslog facility:
>>
>> <decoder name="iptables-log">
>>   <parent>iptables</parent>
>>   <program_name>^kernel</program_name>
>>   <type>firewall</type>
>>   <prematch>^\.+ SRC=</prematch>
>>   <regex>^\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
>>   <regex>DPT=(\w+) </regex>
>>   <order>srcip,dstip,dstport</order>
>> </decoder>
>>
>> ossec-logtest reports success with decoding, and gets as far as:
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '110000'
>>        Level: '0'
>>        Description: 'all entries'
>>
>> for each of 5 log entries at 2 second intervals.
>> (and without noting rule 4100 by the way)
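As an added illustration of what the two local rules express (my own example, not OSSEC code): decode an iptables LOG entry with a Python form of the decoder regex above, then apply a simplified frequency/timeframe/same_source_ip window to a few constructed entries. The window model is an assumption and does not reproduce the exact event counts Amos observed with logtest.

```python
import re
from collections import defaultdict, deque

# Python form of the two <regex> lines of the "iptables-log" decoder, concatenated as
# OSSEC does; OSSEC's "\." (any character) becomes "." in Python syntax.
IPTABLES_RE = re.compile(r"^.+ SRC=(\S+) DST=(\S+) .+ DPT=(\w+) ")

def decode(line):
    """Return (srcip, dstip, dstport) for an iptables -j LOG line, else None."""
    m = IPTABLES_RE.search(line)
    return m.groups() if m else None

class SameSourceCorrelator:
    """Assumed model of frequency/timeframe/same_source_ip: alert once at least
    `frequency` decoded events from one srcip fall inside `timeframe` seconds."""
    def __init__(self, frequency, timeframe):
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen = defaultdict(deque)  # srcip -> timestamps still inside the window

    def feed(self, ts, srcip):
        window = self.seen[srcip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()  # one alert per burst, then start counting again
            return True
        return False

def run(events, frequency=3, timeframe=10):
    """Feed (timestamp, log line) pairs through decoder and correlator; return alerts."""
    corr = SameSourceCorrelator(frequency, timeframe)
    alerts = []
    for ts, line in events:
        fields = decode(line)
        if fields is None:  # not an iptables LOG entry, so rule 101000 would not match
            continue
        srcip, _dstip, dstport = fields
        if corr.feed(ts, srcip):
            alerts.append((ts, srcip, dstport))
    return alerts

# Constructed sample input: five DROPs from one host two seconds apart, one from another
# host, and one unrelated kernel line (addresses are from documentation ranges).
DROP = "kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={} DST=198.51.100.5 LEN=60 TOS=0x00 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840"
SAMPLE = [(t, DROP.format("192.0.2.10")) for t in (0, 2, 4, 6, 8)]
SAMPLE += [(5, DROP.format("203.0.113.7")), (7, "kernel: usb 1-1: new high-speed USB device")]
SAMPLE.sort(key=lambda e: e[0])
```

With the defaults (frequency 3, timeframe 10) `run(SAMPLE)` fires once, on the third event from 192.0.2.10; with frequency 6 it never fires, since that host only sends five entries.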
