Good point, I've stumbled over that before but I don't have any triggers myself that are set that low. I believe you are correct, which raises the question of how to match on only 2? I don't have the answer to that, unless setting it to zero actually works.

Maybe someone else understands that setting better than I and can speak up.

On Monday, April 23, 2018 at 3:17:38 AM UTC-4, Chinmay Pandya wrote:
>
> Hi Bruce
>
> Thanks for the reply
>
> As per the OSSEC documentation for the frequency option: "Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting."
>
> So, in the overwrite below, if I set frequency as 2, will it not be the 4th instance which will trigger the alert? Because I want the 2nd instance to trigger the alert.
>
> <rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
>   <if_matched_sid>5100</if_matched_sid>
>   <regex>Promiscuous mode enabled|</regex>
>   <regex>device \S+ entered promiscuous mode</regex>
>   <same_source_ip />
>   <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
>   <group>promisc,</group>
> </rule>
>
> On Thursday, April 19, 2018 at 6:31:46 PM UTC+5:30, Bruce Westbrook wrote:
>>
>> First a comment. You can't drop a rule to a 0 to accomplish this as you'll lose all tracking for it and won't be able to use it for any sort of count. You have to at least set it at level 1. You can, however, choose not to actually log it if you prefer.
>>
>> Presuming you want this universally, you can overwrite that rule as a composite rule (using your local_rules.xml) that checks for two occurrences from the same host within a 24-hour period. I've not tested this but something like this:
>>
>> <rule id="5104" level="8" timeframe="86400" frequency="2" overwrite="yes">
>>   <if_matched_sid>5100</if_matched_sid>
>>   <regex>Promiscuous mode enabled|</regex>
>>   <regex>device \S+ entered promiscuous mode</regex>
>>   <same_source_ip />
>>   <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
>>   <group>promisc,</group>
>> </rule>
>>
>> If you still want to alert on single instances for other servers but two instances for this particular group of servers, then you'll instead want to create a set of custom rules. First match on the promisc rule and the servers you're focused on, log but don't send an email. I've found that I need to keep the level at the same or higher than the rule I'm matching on, else it won't trigger (I still don't have a great handle on how OSSEC determines the order it applies rules, as my real-world testing doesn't line up with what's documented, but I believe the levels are part of the logic). Then use a second rule that matches the first but only 2x in a 24-hour period.
>>
>> Again, untested but something like this:
>>
>> <rule id="100300" level="8">
>>   <if_matched_sid>5104</if_matched_sid>
>>   <hostname>HOST01|HOST02|host03|host04</hostname>
>>   <options>no_email_alert</options>
>>   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>   <group>promisc,</group>
>> </rule>
>>
>> <rule id="100301" level="8" timeframe="86400" frequency="2">
>>   <if_matched_sid>100300</if_matched_sid>
>>   <same_source_ip />
>>   <description>Interface entered in promiscuous(sniffing) 2x in 24 hrs.</description>
>>   <group>promisc,</group>
>> </rule>
>>
>> This is how I'd approach it. Others may have different / better ideas.
>>
>> - Bruce
>>
>> On Thursday, April 19, 2018 at 5:04:39 AM UTC-4, Chinmay Pandya wrote:
>>>
>>> Hi all
>>>
>>> I need to modify a rule "5104 - Interface entered in promiscuous(sniffing) mode."
>>>
>>> Once a day, all of the boxes will go into promiscuous mode. Time when they enter into this mode is random.
>>>
>>> I want to create a rule that in a day, if interface enters more than 1 in promiscuous mode then create alert else reduce level to 0.
>>>
>>> Thanks in advance.
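The detection the thread is trying to express (a watched group of hosts alerts only on the second promiscuous-mode event from the same host within 86400 s, every other host alerts on each single event), as an added Python example that is not OSSEC code and not from anyone in the thread. The syslog line format, host names and timestamps are constructed; the two regexes are the ones from rule 5104, and the count is made literally, so the trigger count is exactly what `frequency` says rather than going through OSSEC's own frequency setting.

```python
"""Sliding-window 'N events from the same host within a timeframe' check.

Added example, not OSSEC code: mirrors the intent of rules 100300/100301 from
the thread in plain Python so the exact trigger count can be tested.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# The two patterns from rule 5104 (OSSEC's trailing "|" joins them into one alternation).
PROMISC_RE = re.compile(r"Promiscuous mode enabled|device \S+ entered promiscuous mode")
# Assumed syslog-ish layout for the constructed sample: "<iso-timestamp> <host> kernel: <msg>".
LINE_RE = re.compile(r"^(\S+) (\S+) kernel: (.*)$")


def promisc_alerts(lines, watched_hosts, frequency=2, timeframe=86400):
    """Return (host, timestamp, message) for every event that should alert.

    Hosts in watched_hosts (the role of rule 100300's <hostname>) alert only when
    `frequency` matching events fall within `timeframe` seconds (rule 100301's
    timeframe/frequency); all other hosts alert on each event, as stock 5104 does.
    """
    recent = defaultdict(deque)  # host -> timestamps of matching events still in window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PROMISC_RE.search(m.group(3)):
            continue  # not a promiscuous-mode event
        stamp, host, msg = m.groups()
        ts = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).timestamp()
        if host not in watched_hosts:
            alerts.append((host, stamp, msg))  # single instance is enough elsewhere
            continue
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()  # drop events older than the timeframe
        if len(window) >= frequency:
            alerts.append((host, stamp, f"{len(window)}x in {timeframe}s: {msg}"))
            window.clear()  # start a fresh count after firing, as a composite rule would
    return alerts


# Constructed sample: HOST01 flips once a day (expected), then twice within one day.
SAMPLE = [
    "2018-04-19T02:11:05 HOST01 kernel: device eth0 entered promiscuous mode",
    "2018-04-19T02:11:06 HOST01 kernel: device eth0 left promiscuous mode",
    "2018-04-20T03:40:12 HOST01 kernel: device eth0 entered promiscuous mode",
    "2018-04-20T15:02:44 HOST01 kernel: device eth0 entered promiscuous mode",
    "2018-04-20T15:03:00 db01 kernel: Promiscuous mode enabled",
]

if __name__ == "__main__":
    for alert in promisc_alerts(SAMPLE, {"HOST01", "HOST02"}):
        print(alert)
```

Running it on the sample yields one alert for HOST01 at the second event of 2018-04-20 and one for db01 on its single event; the daily flip on 2018-04-19 stays silent because the next event is more than 86400 s later.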
