Re: [ossec-list] Regular expressions

2019-12-20 Thread dan (ddp)
Newer versions of ossec support pcre2. That should work.

On Fri, Dec 20, 2019 at 2:22 PM Diego S wrote:

> Hi all!
>
> I was wondering the best way to represent a digit between a range and if
> it is possible to indicate that a digit is going to be repeated a given
> number of times.
>
> For example, a digit between 0 and 3, I mean 0, 1, 2 or 3; that's the
> first question.
>
> For the second part, for example the digits between 0 and 3, repeated 14
> times. In common regular expression syntax it would be represented like
> (0-3){14}
>
> Thanks and Regards.
>
> Diego.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAMyQvMrmDW5Vm8f_K%3Dr7Anzcg2QAKEJ%2B%2B_bFa8YZt4xEg1iqew%40mail.gmail.com.


[ossec-list] Regular expressions

2019-12-20 Thread Diego S
Hi all!

I was wondering the best way to represent a digit between a range and if it 
is possible to indicate that a digit is going to be repeated a given number 
of times.

For example, a digit between 0 and 3, I mean 0, 1, 2 or 3; that's the 
first question.

For the second part, for example the digits between 0 and 3, repeated 14 
times. In common regular expression syntax it would be represented like 
(0-3){14}

Thanks and Regards.

Diego.

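A small Python check, added here and not part of the thread, that builds both forms of the pattern Diego asks about: the alternation-only expansion that classic OSSEC os_regex needs (it has no [0-3] character classes and no {14} quantifiers) and the compact PCRE2 form dan points to. Two assumptions: Python's re stands in for both engines, since each pattern uses only syntax its target engine supports, and the PCRE2 form is assumed to go in a `<regex type="pcre2">` element on OSSEC 3.x.

```python
import re

# Added example, not code from the ossec-list thread. Python's re stands in
# for the matching engine (assumption): each pattern below uses only syntax
# that classic OSSEC os_regex and PCRE2 respectively support.

def classic_ossec_digit_run(low: int, high: int, count: int) -> str:
    """Build the classic os_regex form of "one digit in low..high, repeated
    count times". Classic OSSEC regex has no character classes ([0-3]) and
    no bounded repetition ({14}), so the range becomes an alternation group
    and the repetition is spelled out literally."""
    if not (0 <= low <= high <= 9) or count < 1:
        raise ValueError("need 0 <= low <= high <= 9 and count >= 1")
    group = "(" + "|".join(str(d) for d in range(low, high + 1)) + ")"
    return group * count

def pcre2_digit_run(low: int, high: int, count: int) -> str:
    """The compact PCRE2 form for newer OSSEC (assumed: 3.x, used inside
    <regex type="pcre2">). Note square brackets, not parentheses."""
    return f"[{low}-{high}]{{{count}}}"

def both_match(low: int, high: int, count: int, text: str) -> tuple:
    """Return (classic_hit, pcre2_hit) for an anchored whole-string match,
    so the two forms can be checked for agreement on the same input."""
    classic = re.fullmatch(classic_ossec_digit_run(low, high, count), text)
    compact = re.fullmatch(pcre2_digit_run(low, high, count), text)
    return (classic is not None, compact is not None)

if __name__ == "__main__":
    # Constructed samples: 14 digits all in 0..3, one containing a 4,
    # and one that is only 13 digits long.
    for sample in ["01230123012301", "01230123012341", "0123012301230"]:
        print(sample, both_match(0, 3, 14, sample))
```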


[ossec-list] Composite Rule Not Firing

2019-12-20 Thread Bruce Westbrook
I'm having an issue getting a composite rule to trigger.  What's really 
throwing me is that it works just fine when testing with ossec-logtest, but 
it doesn't work live.

Here are the two rules in question:

  <!-- The XML tags and rule attributes (level, frequency, timeframe) did
       not survive the list archive; the tag names and attribute values
       below are reconstructed placeholders. The message text only says
       the composite rule fires on the fifth match within its timeframe. -->
  <rule id="100554" level="3">
    <if_sid>18101</if_sid>
    <id>^131$</id>
    <description>Server accepted initial RDP session request</description>
    <group>sysadmin,</group>
  </rule>

  <rule id="100560" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100554</if_matched_sid>
    <description>ALERT: Potential RDP brute force attack</description>
    <group>sysadmin,recon,attacks,</group>
  </rule>


...and here is a sample log entry:

2019 Dec 20 11:28:59 WinEvtLog: 
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: 
INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: 
NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP 
connection from client 10.104.248.199:57714.


Using ossec-logtest I can enter this log entry and on the fifth time it 
fires off rule #100560 just as expected.  But when I make those same five 
logon attempts to a live server, it only ever fires rule #100554.  I've 
tried this up to 20 times in under 2 minutes, well within the rule 
timeframe, and it still never fires the composite rule alert, only 100554.

I have quite a few other composite rules that I've written over the past 
few years and don't have this issue.  I just don't see what the problem is 
with this one or why ossec-logtest shows it working but it never actually 
works in a live situation.

I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+ 
servers.

Any thoughts?
