
List:       ossec-list
Subject:    [ossec-list] Re: RV: Rule questions
From:       Skyler.Bingham () londen-insurance ! com
Date:       2009-01-21 21:27:48
Message-ID: OF1262AC99.04A2CC10-ON07257545.00745385-07257545.0075D32D () londen-insurance ! com


I believe you can use <email_alerts> to do this:

<email_alerts>
      <email_to>operator@domain.com</email_to>
      <level>7</level>
</email_alerts>

<email_alerts>
      <email_to>sysadmin@domain.com</email_to>
      <level>11</level>
</email_alerts>

<email_alerts>
      <email_to>blackberry@domain.com</email_to>
      <level>15</level>
</email_alerts>

This will do what you are asking, but I believe it will have the
side-effect of emailing all three email addresses all alerts with levels 14
and over, though that may be what you are looking to do.

Check out the link below for more <email_alerts> options.

http://www.ossec.net/main/manual/#email_alerts

HTH,

Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139


From: Xavier Romero <XRomero@nexica.com>
Sent by: ossec-list@googlegroups.com
To: "ossec-list@googlegroups.com" <ossec-list@googlegroups.com>
Date: 01/21/2009 01:14 PM
Subject: [ossec-list] Re: RV: Rule questions
Please respond to: ossec-list@googlegroups.com


Thanks Rick,
I already found the | way to make an OR.
Multiple lines, I guess, are certainly also an OR, as for example in default
rule 31103.

  <rule id="31103" level="6">
    <if_sid>31100</if_sid>
    <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
    <url>union+|where+|null,null|xp_cmdshell</url>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,</group>
  </rule>


Another question I have now... is it possible to have separate alert levels
for separate emails? If it is, I would like something like:

ALL alerts level >  6  : email to operator@
ALL alerts level > 10 : email to sysadmin@
ALL alerts level > 14 : email to blackberry@

I'm only seeing a single point of global level configuration.
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>


And the last question, and probably the foolish one... there is no exhaustive
documentation about all configuration options and rule syntax, right?

Thank you all!

Xavi.

________________________________________
From: ossec-list@googlegroups.com [ossec-list@googlegroups.com] on behalf of
McClinton, Rick [rmcclinton@tmaresources.com]
Sent: Wednesday, 21 January 2009 18:24
To: ossec-list@googlegroups.com
Subject: [ossec-list] Re: RV: Rule questions

Xavier wrote:
> What happens when there are 2 <match> or 2 <url>.. that acts as OR or as
> AND ?!?

2 match as in <match>ONE|TWO</match>, or as in <match>one</match>
<match>two</match>?

The first example I know is OR; I'm not sure what will happen with the second
example, I think it is still OR.

Thanks,
Rick
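As an added worked example (not code from this thread or from OSSEC itself), the following Python replays both questions against sample data: it treats the two `<url>` lines of rule 31103 as one `|`-separated OR list of substrings, and applies the three `<email_alerts>` blocks from Skyler's reply by level. The join-then-split behaviour and the "every block at or below the alert level gets a copy" rule are assumptions about OSSEC, and the request URLs are constructed.

```python
# Constructed example: simulates how the thread's rule 31103 and the
# three <email_alerts> blocks would treat sample requests. Assumes OSSEC's
# <url> tag is a substring match with '|' as OR, that repeated <url> tags
# are joined into one list, and that each <email_alerts> block receives
# every alert at or above its <level>.
from typing import List, Optional, Tuple

# The two <url> lines of default rule 31103, copied from the thread.
RULE_31103_URL_LINES = [
    "='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|",
    "union+|where+|null,null|xp_cmdshell",
]
RULE_31103_LEVEL = 6  # level="6" in the rule header

# The three <email_alerts> blocks from the reply: (address, minimum level).
EMAIL_ALERTS = [
    ("operator@domain.com", 7),
    ("sysadmin@domain.com", 11),
    ("blackberry@domain.com", 15),
]


def url_alternatives(lines: List[str]) -> List[str]:
    """Join the repeated <url> tags, then split on '|' to get the OR list.
    Empty pieces are dropped: the first line ends with '|', and an empty
    alternative would otherwise be a substring of every URL."""
    return [alt for alt in "".join(lines).split("|") if alt]


def url_matches(url: str, lines: List[str] = RULE_31103_URL_LINES) -> Optional[str]:
    """Return the first alternative that is a substring of url, else None."""
    for alt in url_alternatives(lines):
        if alt in url:
            return alt
    return None


def recipients(level: int, blocks=EMAIL_ALERTS) -> List[str]:
    """Addresses mailed for an alert of this level: every block whose
    threshold is at or below it, so higher levels fan out to more people."""
    return [addr for addr, minimum in blocks if level >= minimum]


def alert_for(url: str) -> Tuple[Optional[str], List[str]]:
    """What rule 31103 would match in url and who would be emailed."""
    hit = url_matches(url)
    return hit, (recipients(RULE_31103_LEVEL) if hit else [])


if __name__ == "__main__":
    # Constructed sample requests: one injection-looking, one benign.
    for u in ["/search.php?q=1%27+union+select+null,null--", "/index.php?page=about"]:
        print(u, "->", alert_for(u))
```

With the reply's configuration a rule 31103 hit (level 6) is logged but mailed to nobody, since the lowest `<level>` configured is 7; raise the rule level or lower the first threshold if these alerts should reach the operator.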


