<decoder name="pingserv">
<prematch>^PINGSERV PING </prematch>
</decoder>
<decoder name="pingserv-fail">
<parent>pingserv</parent>
<regex offset="after_parent">(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)</regex>
<order>action,extra_data,dstip</order>
</decoder>
<group name="ping-servers">
<rule id="100010" level="0">
<decoded_as>pingserv</decoded_as>
<description>Grouping For Server Ping Group</description>
</rule>
<rule id="100011" level="5">
<if_sid>100010</if_sid>
<action>FAILURE</action>
<description>Server Ping Failure</description>
</rule>
<rule id="100012" level="10" frequency="1" timeframe="360">
<if_matched_sid>100011</if_matched_sid>
<description>Server Unreachable For Over 6 Minutes</description>
<group>attacks,</group>
</rule>
</group>
On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote:
>
> Was wondering about the best route/option to accomplish this?
>
>
> (similar to the USB storage detection)
>
> Was thinking about a batch or bash script that would ping servers from a list
> and write the results to a file. Every so many minutes this
> file would be overwritten with the new results.
>
> If the results "differ" from the last log the alert would be triggered.
>
>
> (other option)
>
> Run script as scheduled task, write to log then monitor log like a syslog.
> Regex for the failed pings. Then alerts.
>
>
> Curious if anyone had tried and found either way better?
>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
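An added check, not part of the thread, that emulates the decoder chain above in Python so the pattern can be tested against sample log lines before it is deployed: it maps OSSEC regex classes onto Python `re` following the OSSEC regex syntax as I understand it (`\w` also covers `-`, `@` and `_`; an unescaped `.` is a literal dot; `\.` matches any character), runs the `pingserv` prematch and then the child regex at `offset="after_parent"`, and applies rule 100011's `<action>FAILURE</action>` test. The log line layout and the hostnames are constructed assumptions, not the poster's actual script output.

```python
import re

# Decoder and rule fragments from the thread, used here as the specification.
PREMATCH = r"^PINGSERV PING "
OSSEC_REGEX = r"(\w+) (\d\d/\d\d/\d\d\d\d \d:\d\d:\d\d.\d\d) (\w+)"
ORDER = ["action", "extra_data", "dstip"]
ALERT_ACTION = "FAILURE"            # rule 100011: <action>FAILURE</action>

# OSSEC character classes (assumed from the OSSEC regex syntax docs); any other
# character in the pattern is a literal, so an unescaped '.' is a real dot.
_CLASS = {"w": "[A-Za-z0-9@_-]", "d": "[0-9]", "s": " ", "t": "\t",
          "W": "[^A-Za-z0-9@_-]", "D": "[^0-9]", "S": "[^ ]", ".": ".",
          "p": r"[()*+,\-.:;<=>?\[\]]"}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex>/<prematch> body into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # \w, \d, \. ...
            out.append(_CLASS[pattern[i + 1]])
            i += 2
        elif c in "()+*^$|":                          # operators shared with re
            out.append(c)
            i += 1
        else:                                         # everything else literal
            out.append(re.escape(c))
            i += 1
    return "".join(out)

PRE_RE = re.compile(ossec_to_python(PREMATCH))
FIELD_RE = re.compile(ossec_to_python(OSSEC_REGEX))

def decode(line: str):
    """Parent prematch first, then the child regex on the text after it."""
    m = PRE_RE.match(line)
    if not m:
        return None                 # not a pingserv line at all
    m2 = FIELD_RE.search(line[m.end():])
    if not m2:
        return {}                   # parent matched, child did not: no fields
    return dict(zip(ORDER, m2.groups()))

def alerts(line: str) -> bool:
    """True when the decoded action would satisfy rule 100011."""
    fields = decode(line)
    return bool(fields) and fields.get("action") == ALERT_ACTION

if __name__ == "__main__":
    for line in (  # constructed samples: "PINGSERV PING <ACTION> <MM/DD/YYYY h:mm:ss.cc> <host>"
        "PINGSERV PING FAILURE 06/02/2016 6:48:13.12 fileserver01",
        "PINGSERV PING SUCCESS 06/02/2016 6:48:13.12 fileserver01",
        "PINGSERV PING FAILURE 06/02/2016 6:48:13.12 10.0.0.5",       # dstip stops at the first '.'
        "PINGSERV PING FAILURE 06/02/2016 16:48:13.12 fileserver01",  # \d:\d\d only fits one-digit hours
    ):
        print(decode(line), alerts(line))
```

Two things the samples surface: a dotted-quad target decodes with `dstip` cut to `10` because `\w` excludes `.`, and the time group accepts only single-digit hours, so a two-digit hour leaves rule 100011 with no action to match.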