On Mon, Jan 9, 2012 at 9:50 AM, murf <[email protected]> wrote:
>
>
> On Jan 7, 8:42 am, "dan (ddp)" <[email protected]> wrote:
>> On Fri, Jan 6, 2012 at 10:49 PM, murf <[email protected]> wrote:
>> > Here I am again. I have a machine where the "big brother" stuff is
>>
>> People still use big brother?
>>
>
> Apparently!
>
> Don't look at me-- I just secure the stuff!
>
>
>>
>> > How exactly (or even roughly) would this sort of thing be achieved?
>>
>> > murf
>>
>> What do you have so far?
>>
>> Untested:
>> <rule id="STUFF" level="0">
>>   <if_sid>5701</if_sid>
>>   <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
>>   <description>Ignore from bb</description>
>> </rule>
>>
>> <rule id="STUFF1" level="7" frequency="0" timeframe="300">
>>   <if_sid>STUFF</if_sid>
>>   <description>More than 1 STUFF in 5 minutes</description>
>> </rule>
>
> I'm flying blind here. I read the docs and they aren't really being
> very helpful in this regard.
>
> I see that if_sid, if_group, if_level, if_matched_sid give me some
> "conditionals" on the activation of a rule, and that these can form a
> hierarchy.
>
> Do the rules ALL get tested and matched? Rule evaluation does not stop
> with the first match?
>

Yes, kinda. If something matches, and there's no <if_sid> or anything to
check, then it's done. If there is a possible <if_sid> that needs to be
checked, it will be checked.

> The "if_xxxx"'s are the only way to conditionally stop a rule
> evaluation?
>
> If the above is true, then maybe, just maybe, I could put something
> together that might work, but it would be nice if the above list
> (if_sid, etc.) had inverses, like if_not_sid, if_not_group, etc.
>

We accept patches. ;)

> Can a rule belong to more than one group? Can I define a group in a
> group?

Yes, rules can belong to more than 1 group. <group>group1, group2</group>
I don't know what you mean by "define a group in a group."

> There's no syntax definition for group in the www.ossec.net/doc/syntax
> stuff on the ossec site.
>

Fixed in my repo. If the main site is still syncing it will probably have
the addition tomorrow. Otherwise you can view it here:
http://devio.us/~ddp/ossec/docs/syntax/head_rules.html#element-group
(exciting!)

> I see that a group option exists under <rule>. But beyond "Add
> additional groupings to the alert", there is nothing more said about it.
>

It's really simple and there are a bunch of examples.

> As to your example, the docs do state that if you use level 0, then
> the rule is tossed immediately, and will not trigger an if_matched_sid,
> so, assuming the if_matched_sid (as Chris noted), and a level > 0, with
> perhaps an <options>no_log</options> added, then...
>

Then do that. I generally test the rules I write, and few of them are
perfect on the first go.

WARNING: You may have to think about your rules.

> I'll form my best guess at an attack after some of the above questions
> are answered....
>
> murf
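The behaviour argued over above (a level-0 rule is dropped before any composite rule can see it, so the "more than one in 5 minutes" rule must hang off a level > 0 parent that uses no_log) can be checked outside OSSEC with a toy evaluator. The script below is an added example, not code from the thread or from OSSEC: it parses a small rule set modelled on dan's suggestion (with numeric ids from the 100000+ local range, a level > 0 parent, <options>no_log</options>, and if_matched_sid) and runs constructed sshd log messages through it twice, once with the Big Brother rule at level 0 and once at level 1. Assumptions are marked in comments: rule 5701 is a simplified stand-in for OSSEC's stock sshd rule, if_sid children must appear after their parent in the file (OSSEC links them by id instead), <match> is treated as a literal substring with ^/$ anchors, and frequency="N" is taken to mean "fire on the Nth parent alert inside timeframe" (OSSEC's own count is off from that, which is part of why dan says to test).

```python
"""Toy model of OSSEC rule composition: if_sid, if_matched_sid, level 0,
frequency/timeframe and no_log. Constructed for illustration; not OSSEC code."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed rule set. 5701 is a simplified stand-in for the stock sshd rule of
# that id. 100100/100101 are local rules (100000-119999 is OSSEC's local range).
# {bb_level} is substituted so the level="0" and level="1" variants can be compared.
RULES_XML = """\
<group name="local,sshd,">
  <rule id="5701" level="8">
    <match>Bad protocol version identification</match>
    <description>Possible attack on the ssh server (or version gathering).</description>
  </rule>
  <rule id="100100" level="{bb_level}">
    <if_sid>5701</if_sid>
    <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
    <options>no_log</options>
    <description>Lone Big Brother probe: counted, not logged</description>
  </rule>
  <rule id="100101" level="7" frequency="2" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>More than one Big Brother probe in 5 minutes</description>
  </rule>
</group>
"""


@dataclass
class Rule:
    id: int
    level: int
    match: Optional["re.Pattern"]
    if_sid: Optional[int]
    if_matched_sid: Optional[int]
    frequency: int
    timeframe: int
    options: Set[str] = field(default_factory=set)


def sregex(pattern: str) -> "re.Pattern":
    """Assumption: <match> is a literal substring test with optional ^/$ anchors."""
    head = "^" if pattern.startswith("^") else ""
    tail = "$" if pattern.endswith("$") else ""
    body = pattern.lstrip("^").rstrip("$")
    return re.compile(head + re.escape(body) + tail)


def load_rules(xml_text: str) -> List[Rule]:
    rules = []
    for el in ET.fromstring(xml_text).iter("rule"):
        opts = (el.findtext("options") or "").split(",")
        rules.append(Rule(
            id=int(el.get("id")),
            level=int(el.get("level")),
            match=sregex(el.findtext("match")) if el.findtext("match") else None,
            if_sid=int(el.findtext("if_sid")) if el.findtext("if_sid") else None,
            if_matched_sid=int(el.findtext("if_matched_sid")) if el.findtext("if_matched_sid") else None,
            frequency=int(el.get("frequency", "0")),
            timeframe=int(el.get("timeframe", "0")),
            options={o.strip() for o in opts if o.strip()},
        ))
    return rules


def evaluate(rules: List[Rule], events: List[Tuple[int, str]]) -> List[Tuple[int, int, int, bool]]:
    """events: (timestamp_seconds, sshd message). Returns (ts, rule_id, level, logged)
    for every event that produced an alert. Assumes if_sid children follow their parent."""
    history = defaultdict(list)  # rule id -> timestamps of past alerts from that rule
    alerts = []
    for ts, msg in events:
        # Pass 1: walk the if_sid tree; the deepest matching rule owns the event.
        owner = None
        for r in rules:
            if r.if_matched_sid is not None:
                continue  # composite rules are handled in pass 2
            if r.if_sid is not None and (owner is None or owner.id != r.if_sid):
                continue
            if r.match is not None and not r.match.search(msg):
                continue
            owner = r
        if owner is None or owner.level == 0:
            continue  # level 0: the event is dropped here and never enters history
        history[owner.id].append(ts)
        # Pass 2: composite rules count this owner's alerts inside their window.
        fired = owner
        for r in rules:
            if r.if_matched_sid != owner.id:
                continue
            recent = sum(1 for t in history[owner.id] if ts - t < r.timeframe)
            if recent >= r.frequency:  # assumption: Nth hit in window fires
                fired = r
        alerts.append((ts, fired.id, fired.level, "no_log" not in fired.options))
    return alerts


# Constructed sshd messages (program name already stripped).
BB = "Bad protocol version identification 'quit' from UNKNOWN"
SCAN = "Bad protocol version identification 'GET / HTTP/1.0' from 203.0.113.5"
EVENTS = [(0, BB), (120, SCAN), (240, BB), (900, BB)]


def run(bb_level: int, events=EVENTS):
    return evaluate(load_rules(RULES_XML.format(bb_level=bb_level)), events)


if __name__ == "__main__":
    for lvl in (0, 1):
        print(f"Big Brother rule at level {lvl}:")
        for ts, rid, level, logged in run(lvl):
            print(f"  t={ts:>4}s rule {rid} level {level} {'logged' if logged else 'no_log'}")
```

With the Big Brother rule at level 0 only the non-Big-Brother scan line alerts (rule 5701); the two probes 240 s apart vanish without ever reaching the composite rule. At level 1 the first probe is counted but not logged, the second probe inside the window fires 100101 at level 7, and a probe ten minutes later falls outside the window and is again merely counted.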
