Trying to understand how rule precedence works. I have the four rules and
they work, but not how I want. Rule 100113 fires when there is the first
match in the "bad_ips.txt", but the second logon from a bad IP matches
against the frequency rule 100122. I'd rather have it always match against
the 100113 rule. Is there a way to force this behavior? I thought placing
rule 100113 at level 15 would accomplish this.
<rule id="100100" level="3">
  <if_sid>4313</if_sid>
  <id>^4-722051$</id>
  <description>VPN Logon</description>
  <!--<options>alert_by_email</options>-->
  <group>vpn_logon</group>
</rule>

<rule id="100101" level="3">
  <if_sid>4314</if_sid>
  <id>^6-713228$</id>
  <description>VPN Logon</description>
  <!--<options>alert_by_email</options>-->
  <group>vpn_logon</group>
</rule>

<rule id="100113" level="15">
  <if_group>vpn_logon</if_group>
  <list field="srcip" lookup="address_match_key">rules/bad_ips.txt</list>
  <description>VPN logon from Bad IP!!!</description>
  <group>vpn_logon_bad_ip</group>
  <options>alert_by_email</options>
</rule>

<rule id="100122" frequency="0" timeframe="600" level="12">
  <if_matched_group>vpn_logon</if_matched_group>
  <same_source_ip />
  <description>Multiple VPN logons from the same source IP</description>
  <options>alert_by_email</options>
  <group>vpn_logon</group>
</rule>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
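Rule 100113 above depends entirely on the `<list lookup="address_match_key">` check against `rules/bad_ips.txt`, so it helps to see what that lookup decides for a given `srcip` before worrying about which sibling rule wins. The following is an added example, not code from the post and not OSSEC's own list code: a small Python model of a CDB list in `key:value` form and of an `address_match_key` lookup. It assumes (an assumption stated here, not something the post says) that the lookup tries the full source address first and then progressively shorter dotted prefixes, so a key such as `203.0.113.` covers the whole /24. The list contents and the decoded logon events are constructed sample data.

```python
"""Toy model of an OSSEC CDB list lookup with lookup="address_match_key".

Added example: this is not OSSEC's code and not the poster's rules. It assumes
that an address_match_key lookup tries the full source IP first and then
progressively shorter dotted prefixes ("a.b.c.", "a.b.", "a."), so that a key
such as "203.0.113." covers a whole /24. The list content and the logon events
below are constructed sample data.
"""
import ipaddress

# Constructed sample of what rules/bad_ips.txt might hold before it is
# compiled into a CDB: one "key:value" entry per line, value may be empty.
BAD_IPS_TXT = """\
# exact host (documentation range, constructed)
198.51.100.7:
# whole /24 via a dotted prefix
203.0.113.:
"""


def parse_cdb_list(text):
    """Return {key: value} from key:value lines, skipping blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed list line (no ':'): {raw!r}")
        entries[key.strip()] = value.strip()
    return entries


def address_match_key(entries, srcip):
    """Return the list key that matches srcip, or None if nothing matches.

    Tries the exact address, then the "a.b.c.", "a.b." and "a." prefixes.
    A srcip that is not a dotted-quad IPv4 address never matches here.
    """
    try:
        ip = ipaddress.IPv4Address(srcip)
    except ValueError:
        return None  # only IPv4 keys are modelled in this example
    octets = str(ip).split(".")
    candidates = [str(ip)] + [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    for key in candidates:
        if key in entries:
            return key
    return None


def classify_logons(entries, events):
    """Tag each decoded VPN logon (dict with a 'srcip' field) as bad-IP or not.

    Models only what the list check in rule 100113 decides for each event in
    isolation; it says nothing about which sibling rule OSSEC evaluates first.
    Returns a list of (srcip, is_bad, matched_key) tuples.
    """
    results = []
    for ev in events:
        key = address_match_key(entries, ev["srcip"])
        results.append((ev["srcip"], key is not None, key))
    return results


# Constructed decoded events, as if produced by rules 100100/100101.
SAMPLE_EVENTS = [
    {"srcip": "198.51.100.7"},   # exact key in the list
    {"srcip": "203.0.113.42"},   # covered by the 203.0.113. prefix key
    {"srcip": "192.0.2.9"},      # not listed
    {"srcip": "not-an-ip"},      # malformed field, must not match
]

if __name__ == "__main__":
    entries = parse_cdb_list(BAD_IPS_TXT)
    for srcip, bad, key in classify_logons(entries, SAMPLE_EVENTS):
        print(f"{srcip:16} bad_ip={bad} matched_key={key}")
```

Two things worth checking on a real install when a `<list>` rule never fires: the list file also has to be declared under `<rules>` in ossec.conf (`<list>rules/bad_ips.txt</list>`) and compiled with `ossec-makelists` after every edit, otherwise the plain-text file is never consulted.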