On Tue, Oct 16, 2012 at 11:18 AM, cgzones <[email protected]> wrote:
> Hi list,
> I have a request on the rule philosophy, how and when rules handle unknown
> events.
> At this time there is the weighty rule 1002, to catch many error messages,
> but then the rules are looking for something they know.
> For example the ssh rules:
> All of the ssh rules are matched by rule 5700. After this match all child
> rules are tested.
> But when a new attack appears or a new version of ssh outputs a new kind of
> log or we forget to create a rule for a rare event, we would not recognize
> it, because rule 5700 has level 0 and the option noalert.
> So I use an edited version for ssh, where rule 5700 has level 5.
> At the beginning there might be many alerts to ignore (writing rules with
> level 0), but after a time you can be sure not to miss an unknown event.
>
> Best regards
> Christian Göttsche
>
> p.s.: my sshd_rules.xml is attached
>
What's the request?
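To make the quoted proposal concrete, here is an added example (not from the thread or from OSSEC itself) that models the parent/child evaluation Christian describes: rule 5700 catches every sshd line, its children are tested next, and the deepest match decides the alert level. It is a deliberately simplified model (regex matching instead of OSSEC's decoders; only `level`, `if_sid` and `noalert` are honoured); the child rule ids and the sample log lines are constructed.

```python
import re

def make_rules(parent_level, parent_noalert):
    """Constructed rule set. 5700 is the parent from the thread; child ids are made up."""
    return [
        {"id": 5700, "level": parent_level, "noalert": parent_noalert,
         "regex": r"^sshd\[\d+\]: ", "if_sid": None},
        {"id": 100001, "level": 5, "noalert": False,
         "regex": r"Failed password for", "if_sid": 5700},
        # Level-0 child to silence known noise, as the mail suggests doing
        # for each benign message that would otherwise fire at the parent's level.
        {"id": 100002, "level": 0, "noalert": False,
         "regex": r"Received disconnect from", "if_sid": 5700},
    ]

def evaluate(rules, line):
    """Return the deepest matching rule dict, or None if no top-level rule matches."""
    by_parent = {}
    for r in rules:
        by_parent.setdefault(r["if_sid"], []).append(r)
    matched = None
    candidates = by_parent.get(None, [])          # rules without if_sid
    while True:
        nxt = next((r for r in candidates if re.search(r["regex"], line)), None)
        if nxt is None:
            break
        matched = nxt                              # descend into its children
        candidates = by_parent.get(nxt["id"], [])
    return matched

def alert_level(rules, line):
    """Level an alert would carry; 0 means the line is dropped silently."""
    r = evaluate(rules, line)
    if r is None or r["noalert"]:
        return 0
    return r["level"]

LOGS = [  # constructed sshd lines: known attack, known noise, no rule written for it
    "sshd[4242]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2",
    "sshd[4243]: Received disconnect from 10.0.0.5: 11: Bye Bye",
    "sshd[4244]: error: maximum authentication attempts exceeded for root from 10.0.0.5",
]

if __name__ == "__main__":
    for name, rules in (("stock: 5700 level 0, noalert", make_rules(0, True)),
                        ("edited: 5700 level 5", make_rules(5, False))):
        print(name)
        for line in LOGS:
            print(f"  level {alert_level(rules, line)}: {line}")
```

With the stock parent the third line never surfaces; with the edited parent it is alerted at level 5 while the level-0 child still keeps the disconnect noise quiet.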
