Hopefully this won't make the thread difficult to follow...

On Thu, Jul 7, 2011 at 7:19 PM, BP9906 <[email protected]> wrote:
> I have the same issue. I have a custom decoder, and 2 composite
> (frequency/reoccurring) rules.
> The first composite rule matches properly, even when testing with
> ossec-logtest.
>
> I'm trying to match the same IP for a lower bound threshold and an
> upper bound threshold.
>
> Example:
>
> 10 in 3 minutes
> 20 in 10 minutes
>
> The 10 in 3 minutes flags properly (and I've considered the info you
> provided about how the counting actually works... set it to 8, so on
> the 10th time it actually alerts). If I test the event 20 times
> quickly, I end up with the 2 3min alerts and not 1 3min and 1 10min.
>
> (http://marc.info/?l=ossec-list&m=129736702512080&w=2)
>
> With the above considered, I went as far as removing the 20 in 10 and
> using a group. I labeled the "10 in 3 minutes" as <group>3min</group>.
> Then created a rule that does <if_matched_group>3min</if_matched_group>
> (with <same_source_ip />) and that rule never flags either.
>
> It seems as though OSSEC is very top down and once an event goes down
> a different path, it never continues for composite rules (atomic rules
> they do).
>
> I thought the group alerting would help or be an independent list, but
> it appears to not be. I tried adding the <if_group> with the
> <if_matched_group> because it seems there's a dependency there, but
> that didn't help. (<if_group>syslog</if_group>)
>

You tried if_group and if_matched_group at the same time?

> Any light you can shed on composite rule functions and group alerts
> would be beneficial to all.
>
> Thank you!
>

Decoders, rules, and log samples help. Otherwise I get to make it all up.

>
> On May 27, 6:45 am, Denis Gasparin <[email protected]> wrote:
>> I tested with frequency=0. The alarm is triggered at the receipt of the
>> second line but the email with the alarms contains only the last row and not
>> the first (that with the error)... :-(
>>
>> Denis
>>
>> ----- Original message -----
>>
>> From: "Denis Gasparin" <[email protected]>
>> To: [email protected]
>> Cc: [email protected]
>> Sent: Friday, 27 May 2011 15:33:44
>> Subject: Re: [ossec-list] Help on composite rules
>>
>> From what I read, I should set frequency to 0 in order to get the alarm
>> every 2 events. I'll try and let you know..
>>
>> The 1005001 fires.
>>
>> Thank you
>> Denis
>>
>> On 27/May/2011, at 14:22, "dan (ddp)" <[email protected]> wrote:
>>
>> > Does 100501 fire?
>>
>> > It may be a "frequency" issue, take a look at the following thread, it
>> > may be useful:
>> > http://marc.info/?l=ossec-list&m=129736702512080&w=2
>>
>> > On Thu, May 26, 2011 at 4:28 PM, Denis Gasparin
>> > <[email protected]> wrote:
>> >> Hi to all.
>> >>
>> >> We have a postgresql installation that writes two lines for every query
>> >> error. For example after executing the query "select * from
>> >> unexistant_table", the postgresql log file has the following two lines:
>> >>
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
>> >>
>> >> We need to send an alert for every query error with attached the relative
>> >> "STATEMENT".
>> >>
>> >> Because our postgres log format is different from that bundled with ossec,
>> >> we wrote our decoder and our rules.
>> >>
>> >> The decoder (edistar_pgsql) works fine. The rules work ok for single
>> >> events.
>> >> For sending the previous two lines within the same alert we created a
>> >> composite rule with a very restricted timeframe, so the two events will be
>> >> grouped together. Here are the relevant rules written so far:
>> >>
>> >> <group name="edistar_pgsql,">
>> >>   <rule id="100500" level="0">
>> >>     <decoded_as>edistar_postgresql</decoded_as>
>> >>     <description>Edistar PostgreSQL messages grouped.</description>
>> >>   </rule>
>> >>
>> >>   <rule id="100501" level="4">
>> >>     <if_sid>100500</if_sid>
>> >>     <status>ERROR|STATEMENT</status>
>> >>     <description>PostgreSQL error message and relative statement.</description>
>> >>     <group>pgsql_query_failures,</group>
>> >>   </rule>
>> >>
>> >>   <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0">
>> >>     <if_matched_group>pgsql_query_failures</if_matched_group>
>> >>     <description>PostgreSQL error message. Query attached.</description>
>> >>   </rule>
>> >> </group>
>> >>
>> >> The composite rule does not work as expected. In order to trigger it, two
>> >> query errors must be generated in the timeframe, so the log would be:
>> >>
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
>> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
>> >>
>> >> In this case OSSEC would generate an alert with only two lines (the second
>> >> and the third).
>> >>
>> >> Can you help me? Is there another way to get the correct result?
>> >>
>> >> Thank you in advance for your help,
>> >> Denis
>> >> Sent from my iPad
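Two things in the thread are worth checking mechanically before blaming OSSEC's composite-rule semantics: the rule snippet as posted has an unterminated closing tag on rule 100502 (`</rule` with no `>`), and BP9906's `<if_matched_group>` rule can only fire if some rule actually assigns that group. The following linter is an added example, not code from the thread or from the OSSEC project; it parses a rules snippet with Python's standard XML parser, cross-checks `if_sid` and `if_matched_group` references, and flags a `frequency` rule with nothing to count. It assumes a rules snippet loadable by OSSEC is also well-formed XML once wrapped in a synthetic root element (rule files may contain several top-level `<group>` elements), and the three inputs are constructed from Denis's posted rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rules Denis posted, with the truncated "</rule" on
# rule 100502 completed so the snippet parses.
RULES_OK = """<group name="edistar_pgsql,">
  <rule id="100500" level="0">
    <decoded_as>edistar_postgresql</decoded_as>
    <description>Edistar PostgreSQL messages grouped.</description>
  </rule>

  <rule id="100501" level="4">
    <if_sid>100500</if_sid>
    <status>ERROR|STATEMENT</status>
    <description>PostgreSQL error message and relative statement.</description>
    <group>pgsql_query_failures,</group>
  </rule>

  <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0">
    <if_matched_group>pgsql_query_failures</if_matched_group>
    <description>PostgreSQL error message. Query attached.</description>
  </rule>
</group>
"""

# The same snippet as it appeared in the post, closing tag unterminated.
RULES_BROKEN = RULES_OK.replace("</rule>\n</group>", "</rule\n</group>")

# Constructed variant: the composite rule names a group no rule assigns,
# so it can never match (one way an if_matched_group rule "never flags").
RULES_DANGLING = RULES_OK.replace(
    "<if_matched_group>pgsql_query_failures", "<if_matched_group>pgsql_failures")


def parse_rules(xml_text):
    """Parse an OSSEC rules snippet into a list of dicts, one per <rule>.
    The text is wrapped in a synthetic root (an assumption of this linter,
    not OSSEC's own loader) so files with several <group> blocks parse.
    Raises xml.etree.ElementTree.ParseError on malformed XML."""
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = []
    for grp in root.findall("group"):
        # <group name="a,b,"> membership is inherited by every rule inside it
        inherited = {g.strip() for g in grp.get("name", "").split(",") if g.strip()}
        for r in grp.findall("rule"):
            own = r.findtext("group", "")
            rules.append({
                "id": r.get("id"),
                "level": int(r.get("level", "0")),
                "frequency": int(r.get("frequency", "0")),
                "timeframe": int(r.get("timeframe", "0")),
                "if_sid": [s.strip() for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
                "if_matched_sid": (r.findtext("if_matched_sid") or "").strip() or None,
                "if_matched_group": (r.findtext("if_matched_group") or "").strip() or None,
                "groups": inherited | {g.strip() for g in own.split(",") if g.strip()},
            })
    return rules


def check_references(rules):
    """Return a list of problems: if_sid targets that are not defined,
    if_matched_group names that no rule assigns, and a frequency set on a
    rule that has no if_matched_* condition to count against."""
    ids = {r["id"] for r in rules}
    groups = set().union(*(r["groups"] for r in rules))
    problems = []
    for r in rules:
        for sid in r["if_sid"]:
            if sid not in ids:
                problems.append(f"rule {r['id']}: if_sid {sid} is not defined")
        g = r["if_matched_group"]
        if g and g not in groups:
            problems.append(f"rule {r['id']}: if_matched_group '{g}' is never assigned by any rule")
        if r["frequency"] and not (g or r["if_matched_sid"]):
            problems.append(f"rule {r['id']}: frequency={r['frequency']} but no if_matched_* condition")
    return problems


def lint(xml_text):
    """(ok, messages) for a rules snippet; a parse error is one message."""
    try:
        rules = parse_rules(xml_text)
    except ET.ParseError as e:
        return False, [f"XML error: {e}"]
    problems = check_references(rules)
    return not problems, problems


if __name__ == "__main__":
    for name, text in (("ok", RULES_OK), ("broken", RULES_BROKEN), ("dangling", RULES_DANGLING)):
        ok, msgs = lint(text)
        print(name, "OK" if ok else "FAIL", *msgs, sep="\n  ")
```

Running it reports the posted snippet as an XML error, the dangling variant as a composite rule whose group is never assigned, and the completed snippet as clean, which narrows a "composite rule never fires" report to the counting semantics the thread goes on to discuss rather than a rules file that never loaded.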
