Hi Bruce

Thanks for the reply

As per ossec documentations for the frequency option "Specifies the number 
of times the rule must have matched before firing. The number that triggers 
the rule is actually 2 more than this setting." 

So, in the overwrite below, if I set frequency to 2, won't it be the 4th 
instance that triggers the alert? Because I want the 2nd instance to 
trigger the alert. 


  <rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
    <if_matched_sid>5100</if_matched_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <same_source_ip />
    <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
    <group>promisc,</group>
  </rule>



On Thursday, April 19, 2018 at 6:31:46 PM UTC+5:30, Bruce Westbrook wrote:
>
> First a comment.  You can't drop a rule to a 0 to accomplish this as 
> you'll lose all tracking for it and won't be able to use it for any sort of 
> count.  You have to at least set it at level 1.  You can, however, choose 
> not to actually log it if you prefer.
>
> Presuming you want this universally, you can overwrite that rule as a 
> composite rule (using your local_rules.xml) that checks for two occurrences 
> from the same host within a 24-hour period.  I've not tested this but 
> something like this:
>
>   <rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
>     <if_matched_sid>5100</if_matched_sid>
>     <regex>Promiscuous mode enabled|</regex>
>     <regex>device \S+ entered promiscuous mode</regex>
>     <same_source_ip />
>     <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
>     <group>promisc,</group>
>   </rule>
>
>
> If you still want to alert on single instances for other servers but two 
> instances for this particular group of servers, then you'll instead want to 
> create a set of custom rules.  First match on the promisc rule and the 
> servers you're focused on, log but don't send an email.  I've found that I 
> need to keep the level at the same or higher than the rule I'm matching on, 
> else it won't trigger (I still don't have a great handle on how OSSEC 
> determines the order it applies rules, as my real-world testing doesn't 
> line up with what's documented, but I believe the levels are part of the 
> logic).  Then use a second rule that matches the first but only 2x in a 
> 24-hour period.
>
> Again, untested but something like this:
>
>   <rule id="100300" level="8">
>     <if_matched_sid>5104</if_matched_sid>
>     <hostname>HOST01|HOST02|host03|host04</hostname>
>     <options>no_email_alert</options>
>     <description>Interface entered in promiscuous(sniffing) mode.</description>
>     <group>promisc,</group>
>   </rule>
>
>   <rule id="100301" level="8" timeframe="86400" frequency="2">
>     <if_matched_sid>100300</if_matched_sid>
>     <same_source_ip />
>     <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
>     <group>promisc,</group>
>   </rule>
>
>
>
> This is how I'd approach it.  Others may have different / better ideas.
>
> - Bruce
>
>
> On Thursday, April 19, 2018 at 5:04:39 AM UTC-4, Chinmay Pandya wrote:
>>
>> Hi all
>>
>> I need to modify a rule "5104 - Interface entered in 
>> promiscuous(sniffing) mode."
>>
>> Once a day, all of the boxes will go into promiscuous mode. The time when 
>> they enter this mode is random. 
>>
>> I want to create a rule so that, within a day, if an interface enters 
>> promiscuous mode more than once an alert is created; otherwise reduce the level to 0.
>>
>> Thanks in advance.
>>
>
>

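As an added illustration (not code from this thread or from OSSEC itself), the following Python model shows how a composite rule with frequency, timeframe and same_source_ip counts events under the "frequency + 2" behaviour quoted from the documentation above. The log lines, timestamps and host addresses are constructed, and clearing the per-host window after the rule fires is an assumption of the model, not a documented OSSEC detail.

```python
import re
from collections import defaultdict, deque

# Parameters mirroring the overwrite discussed in the thread.
FREQUENCY = 2
TIMEFRAME = 86400  # seconds (24 hours)

# Same pattern as the two concatenated <regex> elements of rule 5104.
PROMISC_RE = re.compile(
    r"Promiscuous mode enabled|device \S+ entered promiscuous mode")


def threshold(frequency):
    """Documented OSSEC behaviour: the rule fires on the (frequency + 2)th match."""
    return frequency + 2


class PromiscCounter:
    """Sliding-window match counter keyed by source host (models <same_source_ip/>)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.threshold = threshold(frequency)
        self.timeframe = timeframe
        self.hits = defaultdict(deque)  # host -> timestamps of matches still in window

    def feed(self, ts, host, message):
        """Return True when the composite rule would fire on this event (events in time order)."""
        if not PROMISC_RE.search(message):
            return False
        window = self.hits[host]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:  # drop matches outside timeframe
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()  # assumption: counting starts over once the rule has fired
            return True
        return False


def simulate(events, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return the 1-based positions of the events that fire the rule."""
    counter = PromiscCounter(frequency, timeframe)
    return [i for i, (ts, host, msg) in enumerate(events, 1)
            if counter.feed(ts, host, msg)]


# Constructed sample: host 10.0.0.5 flips to promiscuous four times in 4 hours,
# a different host once, then 10.0.0.5 once more after the 24-hour window.
SAMPLE = [
    (0, "10.0.0.5", "device eth0 entered promiscuous mode"),
    (3600, "10.0.0.5", "device eth0 entered promiscuous mode"),
    (7200, "10.0.0.9", "device eth0 entered promiscuous mode"),
    (10800, "10.0.0.5", "Promiscuous mode enabled"),
    (14400, "10.0.0.5", "device eth0 entered promiscuous mode"),
    (100000, "10.0.0.5", "device eth0 entered promiscuous mode"),
]
```

With frequency="2" the model fires only on the fourth match from 10.0.0.5 (event 5); shrinking the timeframe so that the matches no longer overlap stops it firing at all.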
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.