I think it is hard to simulate correlation on OSSEC, it has some tools as 
you said like frequency, timeframe, if_matched_sid, if_matched_group... I 
think the best and simplest approach is to create two rules matching the 
IDs, but as far as I know it won't work as you desired.

For example:

  <rule id="18500" level="3">
    <if_sid>18103</if_sid>
    <id>^4000$|^4001$</id>
    <description>Match of Windows Event ID 4000 OR 4001</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>


  <rule id="18501" level="3" timeframe="30">
    <if_matched_sid>18500</if_matched_sid>
    <id>^4001$</id>
    <description>Match of Windows Event ID 4000 followed by 4001</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>


The second rule will trigger only if there is a previous match of 4000 or 
4001. I don't know any other approach to solve this.
Maybe we can use active response to execute a script which stores the info 
and at some point triggers an alert.

I hope someone can bring us some light here.

Regards,

Pedro S.
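The external script suggested above would have to remember partial matches per source and expire them after the timeframe. As an added example that is not part of this thread or of OSSEC, the following Python sketches such a correlator for Rob's sequence (4567, then 4523, then 4625 between 1 and 50 times, then 4624); the SequenceCorrelator name, the reuse of the 30-second timeframe and the SAMPLE events are constructed.

```python
from collections import defaultdict

# Rob's wished-for sequence from the thread: 4567, then 4523, then 4625 between
# 1 and 50 times, then 4624. Each step is (event_id, min_count, max_count).
SEQUENCE = [(4567, 1, 1), (4523, 1, 1), (4625, 1, 50), (4624, 1, 1)]
TIMEFRAME = 30  # seconds, the same meaning as the rule's timeframe attribute

class _Progress:
    """Partial match for one source: current step, hits at that step, start time."""
    def __init__(self):
        self.idx, self.count, self.start = 0, 0, None

class SequenceCorrelator:
    def __init__(self, steps, timeframe):
        self.steps, self.timeframe = steps, timeframe
        self.state = defaultdict(_Progress)        # one partial match per source

    def feed(self, ts, source, event_id):
        """Consume one event; return an alert dict when the sequence completes."""
        st = self.state[source]
        if st.start is not None and ts - st.start > self.timeframe:
            st = self.state[source] = _Progress()   # stale attempt: start over
        want, lo, hi = self.steps[st.idx]
        if event_id != want:
            nxt = st.idx + 1
            if st.count >= lo and nxt < len(self.steps) and event_id == self.steps[nxt][0]:
                st.idx, st.count = nxt, 0              # step satisfied: advance
                want, lo, hi = self.steps[nxt]
            else:
                return None                            # unrelated event: ignore
        if st.idx == 0 and st.count == 0:
            st.start = ts                              # first event of a new attempt
        st.count += 1
        done = st.idx == len(self.steps) - 1 and lo <= st.count <= hi
        if done or st.count > hi:                      # fire, or fail on too many repeats
            self.state[source] = _Progress()
        return {"source": source, "start": st.start, "end": ts} if done else None

def correlate(events, steps=SEQUENCE, timeframe=TIMEFRAME):
    """Run (timestamp, source, event_id) tuples through one correlator; return alerts."""
    c = SequenceCorrelator(steps, timeframe)
    return [a for a in (c.feed(*e) for e in events) if a]

# Constructed sample stream, not real logs: host A completes the sequence in
# 6 seconds; host B never logs 4625, so it must not fire.
SAMPLE = [(0, "A", 4567), (1, "A", 4523), (2, "A", 4625), (3, "A", 4625),
          (0, "B", 4567), (1, "B", 4523), (4, "B", 4624), (6, "A", 4624)]
```

A repeated step-one event while an attempt is open counts as an overflow and discards the attempt rather than restarting it, so the two-rule approach above and this script differ in which event starts the clock.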

On Tuesday, March 29, 2016 at 4:21:36 PM UTC+2, Rob B wrote:
>
> Thank you for taking the time to answer with examples Pedro!
>
> One last related question if ya don't mind..? I am trying to wrap
> my head around a rule firing off after a simple bit of correlation.
> Is it possible?  I know this is the job of the SIEM, but I am trying
> to get the SIEM to only correlate fired upon alerts that are qualified
> by a mechanism first. So, for example, I would like a rule to fire on
> event 4567 that was followed by 4523 then followed by 4625 between 1
> and 50 times, then a 4624... (when all these things match the rule
> fires)
>
> I see that rules have the ability of setting frequency and time frame,
> which would help me, though I am at a loss for the remainder of my
> needs.  Seems an external script may be needed along with a sort of
> temporary repository. (I may be overthinking this and mucking it up)
>
>
> What could you suggest?
>
>
> V/R,
> Rob B.
>
> On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
>>
>> If you need to filter for one specific ID you need to use the *pipe |* 
>> option, I don't think you can use "," inside *<id></id>* tags to 
>> concatenate anything.
>> The "," character will be treated as a string character, not a regex one, so 
>> it will try to match for *"IDNumber,".*
>>
>> As you know, one example of this kind of rule is used on 
>> *msauth_rules.xml:*
>>
>>   <rule id="18106" level="5">
>>     <if_sid>18105</if_sid>
>>     <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>     <description>Windows Logon Failure.</description>
>>     <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>>   </rule>
>>
>>
>> This last one will work, and the following one WON'T work:
>>
>>   <rule id="18106" level="5">
>>     <if_sid>18105</if_sid>
>>     <id>^529$,^530$,^531$,^532$,^533$</id>
>>     <description>Windows Logon Failure.</description>
>>     <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>>   </rule>
>>
>>
>>
>> Regards,
>>
>> Pedro S.
>>
>>  
>>
>>
>> On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
>>>
>>> Heya Folks,
>>>
>>>   I've been looking for the docs that explain the difference between the 
>>> use of the '|' and the ',' when specifying the id numbers within a rule. I 
>>> can't find anything that explains the use.
>>>
>>> Could someone explain to me the differences by way of use? Or provide a 
>>> link that I may have missed?
>>>
>>>
>>>
>>> Two arbitrary use case EXAMPLES of what I am after are:
>>>
>>> A.)  Within sid 18103, look for id 12345 followed by 12346, followed by 
>>> 12347
>>> B.)  Within sid 18103, look for id 11234 and 11254
>>>
>>>
>>> Thank you!
>>>
>>> R.B.
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.