Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2014-01-06 Thread termvrl term
Dear Risto, If I use the SingleWithSuppress rule, can I count how many logs have been suppressed in the time window? Thanks. On Fri, Dec 27, 2013 at 11:48 PM, Risto Vaarandi <risto.vaara...@seb.ee> wrote: hi, from your log sample it appears that you have a pfsense version which generates multiline

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2014-01-06 Thread Risto Vaarandi
On 01/06/2014 04:43 PM, termvrl term wrote: Dear Risto, If I use the SingleWithSuppress rule, can I count how many logs have been suppressed in the time window? Thanks. In order to configure this behavior, you can take advantage of the EventGroup rule which allows for executing an action at each

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-27 Thread Risto Vaarandi
hi, from your log sample it appears that you have a pfsense version which generates multiline messages, and relevant messages span over 2 consecutive lines. For matching such events, you would need the RegExp2 pattern type. Also, are you interested in matching *all* pfsense messages or just those

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-26 Thread termvrl term
Hi, thanks for your reply... I have another question: I am wondering what is the best rule type for this situation. These are firewall logs from pfsense: Dec 17 23:25:05 192.168.0.120 pf: 00:00:13.146869 rule 62/0(match): block in on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP

[Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-19 Thread Risto Vaarandi
I had a look into your logs and to me the EventGroup2 rule is working exactly as it is supposed to. First, the rule will match the following event: Dec 16 23:04:53 ubuntu apache-errors: [Mon Dec 16 23:04:50 2013] [error] [client 192.168.0.119] ModSecurity: Warning. Pattern match

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-17 Thread termvrl term
Dear Risto, Thanks for your reply, I have a few questions. I'm doing some testing by receiving firewall deny logs, web logs, and modsecurity logs. Here is my config: root@ubuntu:/home/rsyslog/sec-2.7.2# perl sec -conf=sec.conf

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-17 Thread David Lang
2013, termvrl term wrote: Date: Tue, 17 Dec 2013 14:57:36 +0800 From: termvrl term <term...@gmail.com> To: Risto Vaarandi <risto.vaara...@seb.ee> Cc: simple-evcorr-users@lists.sourceforge.net Subject: Re: [Simple-evcorr-users] Correlate multiple modsecurity alert. Dear Risto, Thanks for your reply

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-11 Thread Risto Vaarandi
On 12/10/2013 05:40 PM, termvrl term wrote: Hi Risto, Thanks for your help, I have tried your suggestion with a few changes to the sec rule. type=SingleWithSuppress ptype=RegExp pattern=\[client ([\d.]+)\].+\[msg (.*?)\].+\[unique_id (.+?)\] desc=client $1 unique_id $2 action=

Re: [Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-03 Thread Risto Vaarandi
hi, yes, SEC uses the Perl dialect of the regular expression language. Also, from your letter it seems that you would like to lessen the number of alerts, and somehow aggregate several alerts into one alert which could be reported to the SIEM. SEC allows one to implement many different

[Simple-evcorr-users] Correlate multiple modsecurity alert.

2013-12-01 Thread termvrl term
Hi all, I have been working on correlating the alerts from modsecurity. When I simulate XSS attacks, modsec will generate an alert and it will match both the SQL rule and the XSS rule. So, I want to use SEC to correlate: if both signatures are detected, then use the write action to log a new message. Here is the conf file. # Rule