OSSEC rule match time and timeframe


Fredrik Hilmersson

Jul 3, 2017, 6:10:18 AM
to ossec-list
Hello,

Let's say I have a script which runs once every half an hour, with a latency difference of about 10-20 seconds.
Would it be possible to match the following:

1. Time
2. Hostname
3. Username

The reason I prefer more than a single match, i.e. only time, is to not miss an actual event by mistake.

<rule id="100203" level="0" timeframe="20">
  <if_sid>5501</if_sid>
  <time>**:30</time>
  <hostname>agent-hostname</hostname>
  <user>ssh-user</user>
  <options>no_email_alert</options>
  <description>Ignore rule 5501 for host </description>
</rule>


Kind regards,
Fredrik

Jesus Linares

Jul 4, 2017, 2:00:53 PM
to ossec-list
Hi Fredrik,

Do you want to ignore rule 5501 if it is fired by your script? Is it not enough with the hostname and the user?

Regards.

dan (ddp)

Jul 5, 2017, 9:46:49 PM
to ossec...@googlegroups.com
Where do you plan on getting the time from? The timestamps in the logs
are stripped off and not evaluated.


Jesus Linares

Jul 7, 2017, 6:11:33 AM
to ossec-list
I never used it: http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time

I think it is the time when the event arrives at the manager (not the original time).

dan (ddp)

Jul 8, 2017, 1:55:27 PM
to ossec...@googlegroups.com
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares <je...@wazuh.com> wrote:
> I never used it:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> I think is the time when the event comes to the manager (not the original
> time).
>

Oh, ok. Obviously I have never used it either.

Fredrik Hilmersson

Jul 11, 2017, 5:27:39 AM
to ossec-list
I did end up doing this, user and hostname. However, this isn't the 'optimal' solution, as I do prefer to get alerts for the user + hostname at other times rather than ignoring them every half an hour. I will look more into the time element later on and see if there's a way to achieve what I was trying to do.

Thanks for the response and help though!

Kind regards