On Jan 7, 8:42 am, "dan (ddp)" <[email protected]> wrote:
> On Fri, Jan 6, 2012 at 10:49 PM, murf <[email protected]> wrote:
> > Here I am again. I have a machine where the "big brother" stuff is
>
> People still use big brother?
>

Apparently! Don't look at me-- I just secure the stuff!

> > How exactly (or even roughly) would this sort of thing be achieved?
> >
> > murf
>
> What do you have so far?
>
> Untested:
>
> <rule id="STUFF" level="0">
>   <if_sid>5701</if_sid>
>   <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
>   <description>Ignore from bb</description>
> </rule>
>
> <rule id="STUFF1" level="7" frequency="0" timeframe="300">
>   <if_sid>STUFF</if_sid>
>   <description>More than 1 STUFF in 5 minutes</description>
> </rule>

I'm flying blind here. I read the docs and they aren't being very helpful in this regard.

I see that if_sid, if_group, if_level, and if_matched_sid give me some "conditionals" on the activation of a rule, and that these can form a hierarchy. Do the rules ALL get tested and matched? Rule evaluation does not stop with the first match? Are the "if_xxxx"s the only way to conditionally stop a rule evaluation? If the above is true, then maybe, just maybe, I could put something together that might work, but it would be nice if the above list (if_sid, etc.) had inverses, like if_not_sid, if_not_group, etc.

Can a rule belong to more than one group? Can I define a group in a group? There's no syntax definition for group in the www.ossec.net/doc/syntax stuff on the ossec site. I see that a group option exists under <rule>. But beyond "Add additional groupings to the alert", there is nothing more said about it.

As to your example, the docs do state that if you use level 0, then the rule is tossed immediately, and will not trigger an if_matched_sid, so, assuming the if_matched_sid (as Chris noted), and a level > 0, with perhaps an <options>no_log</options> added, then...

I'll form my best guess at an attack after some of the above questions are answered....

murf
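A version of the two-rule pattern this thread is circling around, as an added example that is neither dan's untested snippet nor anything shipped by the OSSEC project. It keeps the first rule at a level above 0, so the matched event is not discarded before a composite rule can count it, and uses no_log so the individual probes stay out of the alert log; the second rule then uses if_matched_sid with frequency and timeframe to alert only when the probe repeats. The rule ids 100100 and 100101 are placeholders in the local-rules range and are assumptions; the sshd parent rule 5701, the log text, and the 300-second window are taken from the thread.

```xml
<!-- Added example for local_rules.xml; ids 100100/100101 are placeholders (assumed). -->
<group name="local,syslog,sshd,">

  <!-- Single "Bad protocol version" probe from the monitoring host.
       Level must be > 0: a level-0 rule drops the event immediately and
       if_matched_sid below would never see it. no_log keeps the lone
       probe out of alerts.log while still letting it be counted. -->
  <rule id="100100" level="3">
    <if_sid>5701</if_sid>
    <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
    <options>no_log</options>
    <description>bb monitoring probe against sshd (counted, not logged)</description>
  </rule>

  <!-- Composite rule: fires when rule 100100 has matched at least
       frequency times within timeframe seconds, i.e. more than one
       probe in 5 minutes. -->
  <rule id="100101" level="7" frequency="2" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>More than one bb sshd probe in 5 minutes</description>
  </rule>

</group>
```

After adding the rules, `ossec-logtest` fed two copies of the sshd line within the window should show rule 100100 matching silently on the first and rule 100101 firing on the second; if rule 100100 were at level 0, the second line would match nothing.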
