Hi,

well, I changed several things including the threshold to 1 and something
has changed. Now it works!!

mypandora:/home/javier/Simple Event Correlator/sec-2.5.3 # perl
sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
SEC (Simple Event Correlator) 2.5.3
Reading configuration from my2.conf
1 rules loaded from my2.conf
Stdin connected to terminal, SIGINT can't be used for changing the logging
level
Executing shell command '/home/javier/msg.sh'
Child 18068 created for command '/home/javier/msg.sh'


This was really my first exercise to find out how Sec works. Now my next
task is to correlate and resend some traps.

Thank you all !!



2010/5/21 Risto Vaarandi <risto.vaara...@seb.ee>

> On 05/21/2010 03:46 PM, Bufalo wrote:
> > Hi again,
> >
> > well, I tried all that but it's still not working... I'm still investigating
> > but any idea would be appreciated.
>
> are you sure there are 5 traps in the log within the 1 minute window?
> Try changing the threshold from 5 to 1 and see if this changes anything...
> BR,
> risto
>
> >
> >
> > thanks
> >
> > 2010/5/21 Alberto Losada <alos...@s21sec.com>
> >
> >     Hi,
> >
> >     I think your input file is /var/log/snmptt/snmpttunknown.log. It should
> >     be the file where the traps are logged. The output seems correct, I
> >     mean, there is no error loading the sec rule you wrote.
> >
> >     If you're sure that /var/log/snmptt/snmpttunknown.log contains lines
> >     that match the pattern, you can force it to re-read the whole file from
> >     the beginning:
> >     perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmpttunknown.log -fromstart
> >
> >     If it still does not work, it is a good idea to have the sec rule read
> >     information from stdin, in this way:
> >     perl sec.pl -conf=my2.conf -input=-
> >     Once it has started, you can enter information through stdin. Try to
> >     paste:
> >     Fri May 21 11:44:16 2010: Unknown trap (OID) received from 10.15.112.38 at:
> >
> >     Good luck
> >     br
> >
> >     Bufalo wrote:
> >      > Hi,
> >      >
> >      > Alberto, thanks for the quick answer but it's still not working. When
> >      > I run perl sec... I see the following output:
> >      >
> >      > # perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
> >      > SEC (Simple Event Correlator) 2.5.3
> >      > Reading configuration from my2.conf
> >      > 1 rules loaded from my2.conf
> >      > Stdin connected to terminal, SIGINT can't be used for changing the
> >      > logging level
> >      >
> >      > Could it be the reason?
> >      >
> >      > thanks
> >      >
> >      > 2010/5/21 Alberto Losada <alos...@s21sec.com>
> >      >
> >      >     Hi,
> >      >
> >      >     It seems that you missed the input file to check against the
> >      >     rule:
> >      >
> >      >     perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.log
> >      >
> >      >     br
> >      >
> >      >     Bufalo wrote:
> >      > > Hi,
> >      > >
> >      > > I just want to integrate a SingleWithThreshold rule that works
> >      > > like this:
> >      > >
> >      > > I receive a trap to /var/log/snmptt/snmpttunknown.log. The first
> >      > > trap's line in the log contains this:
> >      > >
> >      > > Fri May 21 11:44:16 2010: Unknown trap (OID) received from
> >      > > 10.15.112.38 at:
> >      > >
> >      > > where OID is a variable large number. Then I call this rule:
> >      > >
> >      > >
> >      > > #Don't show alert until it repeats 5 times in 1 minute
> >      > > type=SingleWithThreshold
> >      > > ptype=RegExp
> >      > > pattern=Unknown trap (\S+)
> >      > > desc=Mensaje de $1
> >      > > action=shellcmd /home/javier/msg.sh   --> this script is:
> >      > > #!/bin/sh
> >      > > echo umbral superado >> traps.log
> >      > > window=60
> >      > > thresh=5
> >      > >
> >      > >
> >      > > in this way:
> >      > >
> >      > > perl sec.pl -conf=my2.conf -syslog=/var/log/snmptt/snmptthandler.debug
> >      > >
> >      > > But it doesn't write anything in traps.log. So, does anyone know
> >      > > what I am surely doing wrong?
> >      > >
> >      > > thanks
> >      > >
> >      > > _______________________________________________
> >      > > Simple-evcorr-users mailing list
> >      > > Simple-evcorr-users@lists.sourceforge.net
> >      > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >      > >
> >      >
> >      >
> >      >     --
> >      >     Alberto Losada Grande
> >      >     In-house Products Integration Dept.
> >      >
> >      >     Tel: 93 544 27 23
> >      >     Mobile: 607 81 36 89
> >      >
> >      >     www.s21sec.com, blog.s21sec.com
> >      >     The digital security of the future, Today.
> >      >
> >      >     The information contained in this e-mail, as well as the attached
> >      >     files, is CONFIDENTIAL. Grupo S21sec Gestión, S.A. guarantees the
> >      >     adoption of the measures necessary to ensure the confidential
> >      >     treatment of personal data. If you are not the intended recipient
> >      >     of this e-mail, please notify the sender and destroy it
> >      >     immediately. Reading and/or manipulating this information in the
> >      >     situation described above will be considered illegal and entitles
> >      >     the sending company to take legal action of varying scope.