That only slightly fixes the problem. It will match the other patterns 
this time, but it's still a little screwy.

So I can match the first rule first or the other rules first, but after 
that first match, if the second rule is ever matched, then any of the 
rules fail to match after that point, including the first again and even 
the one it just matched.

TakeNext seems to be the right direction, but I think I may be missing a 
couple more things? I tried adding the takenext to the other commands, 
and I tried a continue2 with takenext but still not working the way I 
was hoping it would.

Rules are listed below. I'm reading the auditd log.


type=pair
ptype=regexp1
pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653 |98 |201 )
desc="Successful command execution 1"
action=none
ptype2=regexp1
pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=backend\-script
desc2=$0
action2=shellcmd /sbin/ausearch -a $1 | /opt/sec/bin/resolve-ids-in-alert.py | /bin/mail -s "SEC Alert: Something twiddled the backend script" [EMAIL PROTECTED]
continue=TakeNext


type=pair
ptype=regexp1
pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653 |98 |201 )
desc="Successful command execution 2"
action=none
ptype2=regexp1
pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=adkadmin
desc2=$0
action2=shellcmd /sbin/ausearch -a $1 | /opt/sec/bin/resolve-ids-in-alert.py | /bin/mail -s "SEC Alert: Something twiddled the adkadmin command" [EMAIL PROTECTED]


type=pair
ptype=regexp1
pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653 |98 |201 )
desc="Successful command execution 3"
action=none
ptype2=regexp1
pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=pilot\-keytab
desc2=$0
action2=shellcmd /sbin/ausearch -a $1 | /opt/sec/bin/resolve-ids-in-alert.py | /bin/mail -s "SEC Alert: Something twiddled the Pilot Realm's keytab" [EMAIL PROTECTED]


Thanks,
Tim

Risto Vaarandi wrote:
> Tim,
> since the 'pattern' fields of both rule definitions are identical, and you 
> haven't set 'continue' field to "TakeNext" in the first definition, a 
> "audit...success=yes" event will never match the second rule. Consequently, 
> no event correlation operations are started by the second rule, and 
> "filter-key=my-second-key" events won't produce any effect.
> Please add "continue=TakeNext" to the first rule and check whether this fixes 
> the problem.
> hth,
> risto
> 
> 
> --- On Fri, 8/1/08, Tim Rupp <[EMAIL PROTECTED]> wrote:
> 
>> From: Tim Rupp <[EMAIL PROTECTED]>
>> Subject: [Simple-evcorr-users] pair pattern question
>> To: [email protected]
>> Date: Friday, August 1, 2008, 9:36 PM
>> Hi list,
>>
>> I was wondering if you can re-use a pattern with multiple pattern2's in a pair.
>>
>> For example if I had 2 pairs
>>
>> # pair 1
>> type=pair
>> ptype=regexp1
>> pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s
>> desc="Successful command execution"
>> action=none
>> ptype2=regexp1
>> pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-first-key
>> desc2=$0
>> action2=shellcmd /do/something
>>
>>
>>
>> and
>>
>>
>>
>> # pair 2
>> type=pair
>> ptype=regexp1
>> pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s
>> desc="Successful command execution"
>> action=none
>> ptype2=regexp1
>> pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-second-key
>> desc2=$0
>> action2=shellcmd /do/something/else
>>
>>
>>
>> If they both have the same initial pattern, is it possible for the second pair to ever be met? I guess I'm having that problem. The first pattern occurs often in my log files, and I really just want to make a decision based on the second pattern (if the first pattern is also met). I'm not seeing SEC match the second pair's pattern2 though. I think it may be because it's waiting for the first pair's pattern2???
>>
>> Can someone clarify this? I think a workaround is to specify a bunch of OR cases in my second pattern, but that's less than ideal because there may be many OR cases in the future.
>>
>> Thanks in advance,
>> Tim
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
>> Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK
>> & win great prizes
>> Grand prize is a trip for two to an Open Source event
>> anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

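An added example, not from the thread or from SEC itself: a small Python model of how SEC dispatches pair rules with identical 'pattern' fields, run over constructed auditd-style lines. It assumes the semantics discussed above (rules tried in order, one operation per rule and desc key, an event that matches an existing operation's 'pattern' starts nothing, and only continue=TakeNext passes a matched event to later rules), ignores 'window' timeouts, and shows three rule sets: no TakeNext, TakeNext with a constant desc, and TakeNext with the audit serial folded into desc.

```python
import re

# Constructed auditd-style lines (not from the thread): two successful
# syscalls, serials 101 and 102, each followed by its filterkey record.
LOG = [
    "msg=audit(1217626000.1:101): success=yes exit=0 a0=1 uid=500 gid=500",
    "msg=audit(1217626000.1:101): cwd=/ filterkey=backend-script",
    "msg=audit(1217626000.2:102): success=yes exit=0 a0=1 uid=500 gid=500",
    "msg=audit(1217626000.2:102): cwd=/ filterkey=adkadmin",
]
# The 'pattern' shared by every rule in the thread; $1 is the audit serial.
PATTERN = r"audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653 |98 |201 )"

def pair(desc, key, take_next):
    """One pair rule: desc (the operation key), the filterkey its
    pattern2 waits for, and whether continue=TakeNext is set."""
    return {"desc": desc, "key": key, "take_next": take_next,
            "pattern2": r"audit\(\d+\.\d+\:($1)\)\:.*filterkey\=" + key}

def run(rules, log):
    """Simplified model of SEC pair dispatch (assumed semantics, no window).
    Returns (action2 firings, operations still pending at the end)."""
    active, fired = {}, []
    for line in log:
        for i, rule in enumerate(rules):
            matched = False
            m = re.search(PATTERN, line)
            if m:
                matched = True
                desc = rule["desc"].replace("$1", m.group(1))
                # start an operation only if none exists for this key
                active.setdefault((i, desc), re.compile(
                    rule["pattern2"].replace("$1", m.group(1))))
            else:
                for op, p2 in list(active.items()):
                    if op[0] == i and p2.search(line):
                        fired.append(f"{rule['key']}:{op[1]}")
                        del active[op]
                        matched = True
                        break
            if matched and not rule["take_next"]:
                break  # no continue=TakeNext: later rules never see the event
    return fired, sorted(active)

# No TakeNext on rule 1: rule 2 never starts, as Risto explains.
no_takenext = run([pair("exec 1", "backend-script", False),
                   pair("exec 2", "adkadmin", True)], LOG)
# TakeNext everywhere but a constant desc: rule 2 stays locked on serial 101.
constant_desc = run([pair("exec 1", "backend-script", True),
                     pair("exec 2", "adkadmin", True)], LOG)
# desc keyed on $1: every serial gets its own operation and both rules fire.
keyed_desc = run([pair("exec 1 $1", "backend-script", True),
                  pair("exec 2 $1", "adkadmin", True)], LOG)
```

The pending list returned by each run shows operations that never complete; in a real rule set a window= on each pair rule is what bounds how long they wait.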
