2014-07-01 15:21 GMT+03:00 kirankumar veluri <kiran.vel...@gmail.com>:

> Hi rouilj,
>
> Thanks for the reply. My question is: can we have duplicate patterns
> in the configuration file?
>
> For example, I need to look out for SSH failed logins for the same
> user from different sources and for different users from the same source. In
> both cases the search pattern will be the same.
>
> So can there be 2 rules with the same pattern text in the configuration
> file?
>

yes.


>
> When I kept the same pattern in 2 different rules I am not getting the
> matched event for 2nd rule.
>

You need to set the 'continue' parameter properly in your first rule
(continue=TakeNext), in order to pass matching events to following rules
for further processing. The following section in the official documentation
provides a detailed discussion:
http://simple-evcorr.sourceforge.net/man.html#lbAF

hope this helps,
risto


> Thanks,
> Kiran
>
> On Mon, Jun 30, 2014 at 9:25 PM, John P. Rouillard <rou...@cs.umb.edu>
> wrote:
> >
> > In message
> > <CABYmqbrtSDP1Zbdok=B-VzmssO3pHeQNHhKs=X486Gk7=cb...@mail.gmail.com> ,
> > kirankumar veluri writes:
> >
> >>I am new to the SEC tool. I have a configuration file with the below listed
> >>rule set.
> >>
> >>#Failed ssh logins for the same user from different IP addresses within a time period
> >>type=SingleWithThreshold
> >>ptype=RegExp
> >>pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
> >>desc=$1
> >>action=logonly
> >>window=60
> >>thresh=3
> >>
> >>#Failed XS logins for the same user from different IP addresses within a time period
> >>type=SingleWithThreshold
> >>ptype=RegExp
> >>pattern=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
> >>desc=Three XS login failures within 1m for user $2 from different source hosts
> >>action=logonly
> >>window=60
> >>thresh=3
> >>
> >>#Failed SSH, XS logins for same user on different IP addresses within a time period
> >>type=PairWithWindow
> >>ptype=RegExp
> >>pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
> >>desc=$1
> >>continue=TakeNext
> >>action=write - XS Failed login event didn't follow SSH failed event within window
> >>ptype2=RegExp
> >>pattern2=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
> >>desc2=$2
> >>action2=write - Failed SSH, ES logins for user $2 within 2 min window  ;
> >>window=120
> >>
> >>The problem I am facing is even though there are matched events in the
> >>input file, SEC is never throwing actions specified in
> >>"PairWithWindow" rule type.
> >>
> >>If I keep the same single rule in a separate configuration file and
> >>execute SEC, I can see the output on my console. My question is: can
> >>we have the same (duplicate) patterns in the configuration file?
> >
> > Look at the man page for the continue keyword. By default processing
> > for an event stops (for that file) as soon as a rule is matched.
> >
> > Setting:
> >
> >    continue=takenext
> >
> > in your rule says to apply the same event to the next rule in the file.
> >
> > --
> >                                 -- rouilj
> > John Rouillard
> >
> > ===========================================================================
> > My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
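To make the 'continue' behaviour discussed in this thread concrete, here is an added example (not SEC itself, and not code from Kiran, Risto or John) that models SEC's per-event rule pass in Python: two rules share Kiran's sshd regexp, one keyed on the user ($1) and one on the source ($2), and the second rule only ever counts anything when the first has continue=TakeNext. The sample events, rule names and the simplified engine (no time window) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread), shaped like the sshd
# lines that Kiran's pattern matches.
SAMPLE_EVENTS = [
    "sshd[1001]: error: PAM: Authentication failure for alice from 10.0.0.1",
    "sshd[1002]: error: PAM: Authentication failure for alice from 10.0.0.2",
    "sshd[1003]: error: PAM: Authentication failure for bob from 10.0.0.1",
    "sshd[1004]: error: PAM: Authentication failure for alice from 10.0.0.3",
    "sshd[1005]: error: PAM: Authentication failure for carol from 10.0.0.1",
]

# The regexp from the original configuration, unchanged.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)")

# Each rule: (name, compiled pattern, desc template, continue setting).
# desc uses SEC-style $1/$2 to pick the correlation key from match groups.
RULES_DEFAULT = [
    ("same user, any source", SSHD_FAIL, "$1", "DontCont"),
    ("same source, any user", SSHD_FAIL, "$2", "DontCont"),
]
RULES_TAKENEXT = [
    ("same user, any source", SSHD_FAIL, "$1", "TakeNext"),
    ("same source, any user", SSHD_FAIL, "$2", "DontCont"),
]

def expand_desc(template, match):
    """Substitute $1, $2, ... with the corresponding regexp groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)

def run_rules(events, rules, thresh=3):
    """Simplified model of SEC's rule pass (hypothetical engine, window
    ignored). Rules are tried in file order; after a match the event is
    handed to later rules only if the matching rule has continue=TakeNext;
    with the default (DontCont) processing of that event stops.
    Returns, per rule, the correlation keys that reached thresh."""
    counters = {name: Counter() for name, _, _, _ in rules}
    for line in events:
        for name, pattern, desc, cont in rules:
            m = pattern.search(line)
            if not m:
                continue
            counters[name][expand_desc(desc, m)] += 1
            if cont != "TakeNext":
                break  # default DontCont: no later rule sees this event
    return {name: sorted(k for k, n in c.items() if n >= thresh)
            for name, c in counters.items()}
```

With RULES_DEFAULT only the user rule fires (alice, 3 failures); with RULES_TAKENEXT the source rule also reaches its threshold for 10.0.0.1.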
