Hi. There aren't any suitable unique fields, as the same AP might appear multiple times. But I can classify them in the Cisco controller, so I'm only alerting on unclassified rogues. I've also added ignore="60" to the rule to keep the noise down somewhat. This is what I've ended up with:
<rule id="108999" level="8">
  <description>Rogue Wireless Access Point discovered</description>
  <decoded_as>snmptrap-wlc-rogue</decoded_as>
  <regex>CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress</regex>
  <group>rogue,</group>
</rule>

<rule id="108998" level="10" ignore="60"> <!-- only fire once per minute -->
  <description>Unclassified Rogue Wireless Access Point discovered</description>
  <if_sid>108999</if_sid>
  <match>cLApRogueClassType.0 = unclassified,</match>
  <group>rogue,</group>
</rule>

My understanding is that when the level 10 rule is ignored, the level 8 rule should still fire; I'm only sending an email on the level 10.

Thanks

On Thursday, June 20, 2013 4:01:40 PM UTC+1, Chris H wrote:
>
> Thanks Michael, might be able to work something with regards to the unique fts field. Can you match on date in OSSEC? Will have a test.
>
> Thanks.
>
> On Thursday, June 20, 2013 3:54:54 PM UTC+1, Michael Starks wrote:
>>
>> On 20.06.2013 03:10, Chris H wrote:
>> > Hi.
>> >
>> > I am passing the logs from my Cisco Wireless LAN Controllers through to OSSEC. One of the events that I am interested in is when rogue wireless access points are detected. Unfortunately, the events are issued for each wireless access point that detects the rogue, not just the controller.
>> >
>> > I tried using FTS, which works partially in that I can trigger an alert just once. What I would like to be able to do is trigger an alert just once per day, so if the same device appears the next day I still get an alert. Is this possible?
>> >
>> > Thanks
>>
>> You can change the fts criteria so that it is matching on something that is decoded and unique each time (MAC address?), or you can try deleting the entry in queue/fts/fts-queue on a daily basis. Not sure if the manager needs a restart after that, though.
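To check the interaction between the two rules above, here is a small model of the if_sid / ignore semantics the post relies on, written for this thread rather than taken from OSSEC or the original poster. It assumes the snmptrap-wlc-rogue decoder has already matched, and the trap lines it feeds in are constructed, not real WLC output.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    sid: int
    level: int
    regex: Optional[str] = None    # <regex>: regular expression on the log line
    match: Optional[str] = None    # <match>: literal substring
    if_sid: Optional[int] = None   # <if_sid>: parent rule that must match first
    ignore: int = 0                # ignore="N": seconds to suppress after firing
    last_fired: Optional[int] = None

def make_rules():
    """The two rules from the post (the decoded_as check is assumed to have passed)."""
    return [
        Rule(108999, 8, regex=r"CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress"),
        Rule(108998, 10, match="cLApRogueClassType.0 = unclassified,",
             if_sid=108999, ignore=60),
    ]

def rule_matches(rule, line, now):
    if rule.regex and not re.search(rule.regex, line):
        return False
    if rule.match and rule.match not in line:
        return False
    # Inside the ignore window the rule behaves as if it had not matched at all.
    if rule.ignore and rule.last_fired is not None and now - rule.last_fired < rule.ignore:
        return False
    return True

def evaluate(rules, line, now):
    """Return (sid, level) of the firing rule, or None; a matching child overrides its parent."""
    for parent in (r for r in rules if r.if_sid is None):
        if not rule_matches(parent, line, now):
            continue
        winner = parent
        for child in (r for r in rules if r.if_sid == parent.sid):
            if rule_matches(child, line, now):
                winner = child
                break
        winner.last_fired = now
        return winner.sid, winner.level
    return None

# Constructed sample traps (not real WLC output); only the matched fields matter.
FRIENDLY_TRAP = "CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress.0 = 00:11:22:33:44:55 CISCO-LWAPP-AP-MIB::cLApRogueClassType.0 = friendly,"
UNCLASSIFIED_TRAP = FRIENDLY_TRAP.replace("friendly,", "unclassified,")
```

Feeding the same unclassified trap at t=10, t=40 and t=70 gives level 10, then level 8 (child suppressed inside the 60 s window, parent still fires), then level 10 again.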
