On Thu, Mar 26, 2015 at 1:38 PM, John S. <[email protected]> wrote:
> Hello team,
>
> I'm quite a newbie with ossec and I have some questions about how fts works.
>
> As I know, <if_fts> fires any rule if some data is found for the first time,
> isn't it? Actually I couldn't find much info on how if_fts works in rules :/

That's correct. It's probably not well documented because I haven't messed with it much. Feel free to contribute: https://github.com/ossec/ossec-docs

> What exactly does this line in a rule mean:
> <if_fts />
> and what are the differences with:
> <if_fts></if_fts>
>

Those are 2 ways to write the same thing. Some decoders look for first time seen information in some fields. arpwatch for instance looks for:

<fts>name, srcip, extra_data</fts>

If the rule has <if_fts />, it takes the above line into consideration.

> As I read, before using fts in a rule you need to update your decoders with
> the attributes between <fts></fts>,
> and why is there no need to specify the fts attributes in the rules? Is the
> rule fired when all of them are first time seen or just some of them?
>
> Is it possible to use fts with the syscheck decoder?
>
> Is there any way to trigger a rule if some variable (for example when a
> previous rule was fired already in two agents with the same IP) extracted
> from decoders has been seen twice or more times? (some kind of "second time
> seen")
>

For IP addresses there is a same_source_ip option for the rules. Using a timeframe/frequency, you should be able to work something out.

> Thank you a lot for your help and regards
> John
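As an added example (not from the thread or from the OSSEC project), a constructed local decoder and local rules pair showing the two mechanisms the reply names: a decoder-level <fts> list consumed by a rule with <if_fts />, and a composite rule using <same_source_ip /> with frequency/timeframe for the "seen more than once" case. The decoder name, log format, field names and rule ids are constructed placeholders in the local (100000+) range.

```xml
<!-- local_decoder.xml (constructed example). The <fts> line lists the fields
     that ossec-analysisd tracks as "first time seen" for this decoder; "name"
     is the decoder name, the others are the fields extracted by <order>. -->
<decoder name="example-app">
  <program_name>^example-app$</program_name>
</decoder>

<decoder name="example-app-login">
  <parent>example-app</parent>
  <regex offset="after_parent">^login user=(\S+) from=(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
  <fts>name, user, srcip</fts>
</decoder>

<!-- local_rules.xml (constructed example). -->
<group name="example-app,">
  <!-- Base rule: groups every example-app event so the rules below can chain. -->
  <rule id="100200" level="0">
    <decoded_as>example-app</decoded_as>
    <description>example-app event.</description>
  </rule>

  <!-- Fires only the first time this user/srcip combination is seen. The fields
       come from the decoder's <fts> line; the rule itself names none, and
       <if_fts /> and <if_fts></if_fts> are equivalent. -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <if_fts />
    <description>example-app: first login seen for this user from this source IP.</description>
  </rule>

  <!-- "Second time seen" for an IP, approximated with a composite rule: matches
       of 100200 sharing the same source IP within the timeframe (seconds) are
       counted, including matches arriving from different agents. -->
  <rule id="100202" level="7" frequency="2" timeframe="300">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>example-app: repeated logins from the same source IP within 5 minutes.</description>
  </rule>
</group>
```

Check the behaviour against sample log lines with /var/ossec/bin/ossec-logtest before deploying; the exact match count at which frequency trips differs between analysisd versions, so verify it on your own installation.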
