if_sid vs if_matched_sid


Jason 'XenoPhage' Frisvold

Jun 27, 2011, 2:48:50 PM
to ossec...@googlegroups.com

Hi all,

I'd like to see the online docs updated to make this more clear. Can
someone please verify my understanding (original from
http://www.ossec.net/doc/syntax/head_rules.html#options) :

group.rule.if_sid
Matches if the ID has matched once.
Allowed: Any rule id

group.rule.if_matched_sid
Matches if the ID has matched multiple times. Used for composite rules.
Allowed: Any rule id

If this is correct, who do I need to contact to get the online docs
updated? Or maybe the online docs should all be moved to the wiki so
the community can update it?

--
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

Kelly Fitzgerald

Jun 27, 2011, 3:04:43 PM
to ossec...@googlegroups.com, ossec...@googlegroups.com
I vote online wiki

Sent from my iPhone

dan (ddp)

Jun 27, 2011, 5:09:29 PM
to ossec...@googlegroups.com
Hi Jason,

On Mon, Jun 27, 2011 at 2:48 PM, Jason 'XenoPhage' Frisvold
<xeno...@godshell.com> wrote:
> Hi all,
>
>        I'd like to see the online docs updated to make this more clear.  Can
> someone please verify my understanding (original from
> http://www.ossec.net/doc/syntax/head_rules.html#options) :
>
> group.rule.if_sid
>    Matches if the ID has matched once.
>    Allowed: Any rule id
>
> group.rule.if_matched_sid
>    Matches if the ID has matched multiple times.  Used for composite rules.
>    Allowed: Any rule id
>

These always confuse me. I'll look into it. :)

> If this is correct, who do I need to contact to get the online docs
> updated?  Or maybe the online docs should all be moved to the wiki so
> the community can update it?
>

Wikis suck. The current documentation can be found at
https://bitbucket.org/ddpbsd/ossec-rules
It's done in sphinx (with help from paver). Someone else started it,
and I don't have a good grasp on how to do anything fancy with it. But
I can definitely update the above.
Feel free to fork it, modify it, etc. And/or create issues on bitbucket for me.
dan

Jason 'XenoPhage' Frisvold

Jun 28, 2011, 1:53:07 PM
to ossec...@googlegroups.com

On 06/27/2011 05:09 PM, dan (ddp) wrote:
>> Wikis suck. The current documentation can be found at
>> https://bitbucket.org/ddpbsd/ossec-rules
>> It's done in sphinx (with help from paver). Someone else started it,
>> and I don't have a good grasp on how to do anything fancy with it. But
>> I can definitely update the above.
>> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for me.

I should be savvy enough to figure this out.. :P hginit.com here I come!

>> dan

--
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

dan (ddp)

Jun 28, 2011, 2:21:33 PM
to ossec...@googlegroups.com
On Tue, Jun 28, 2011 at 1:53 PM, Jason 'XenoPhage' Frisvold
<xeno...@godshell.com> wrote:
> On 06/27/2011 05:09 PM, dan (ddp) wrote:
>>> Wikis suck. The current documentation can be found at
>>> https://bitbucket.org/ddpbsd/ossec-rules
>>> It's done in sphinx (with help from paver). Someone else started it,
>>> and I don't have a good grasp on how to do anything fancy with it. But
>>> I can definitely update the above.
>>> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for me.
>
> I should be savvy enough to figure this out..  :P  hginit.com here I come!
>

It's not too hard. If you need help, send me a message or something.

BP9906

Jul 7, 2011, 12:36:21 PM
to ossec-list
I'm wondering the same thing. What's the difference between the 2
anyway?

I'm ultimately trying to have 2 frequency rules and the second one
doesn't fire. I suspect it's something to do with the if_sid or
if_matched_sid.

On Jun 27, 2:09 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Hi Jason,
>
> On Mon, Jun 27, 2011 at 2:48 PM, Jason 'XenoPhage' Frisvold
> <xenoph...@godshell.com> wrote:
>
> > Hi all,
>
> >        I'd like to see the online docs updated to make this more clear.  Can
> > someone please verify my understanding (original from
> >http://www.ossec.net/doc/syntax/head_rules.html#options) :
>
> > group.rule.if_sid
> >    Matches if the ID has matched once.
> >    Allowed: Any rule id
>
> > group.rule.if_matched_sid
> >    Matches if the ID has matched multiple times.  Used for composite rules.
> >    Allowed: Any rule id
>
> These always confuse me. I'll look into it. :)
>
> > If this is correct, who do I need to contact to get the online docs
> > updated?  Or maybe the online docs should all be moved to the wiki so
> > the community can update it?
>
> Wikis suck. The current documentation can be found at https://bitbucket.org/ddpbsd/ossec-rules
> It's done in sphinx (with help from paver). Someone else started it,
> and I don't have a good grasp on how to do anything fancy with it. But
> I can definitely update the above.
> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for me.
> dan

dan (ddp)

Jul 8, 2011, 11:29:30 AM
to ossec...@googlegroups.com
On Thu, Jul 7, 2011 at 12:36 PM, BP9906 <craz...@gmail.com> wrote:
> I'm wondering the same thing. What's the difference between the 2
> anyway?
>

if_sid: For this log message, is sid XXX a valid match?
if_matched_sid: Has sid YYY matched a recent log message (but not
necessarily this one)?

dan (ddp)

Jul 8, 2011, 7:58:09 PM
to ossec...@googlegroups.com
On Fri, Jul 8, 2011 at 11:29 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
> if_sid: For this log message, is sid XXX a valid match?
> if_matched_sid: Has sid YYY matched a recent log message (but not
> necessarily this one)?
>

This is simplistic and partly wrong.

if_sid is basically correct. If sid XXX matches the current log
message, then use rule YYY instead:

<rule id="YYY" level="10">
<if_sid>XXX</if_sid>
<description>This rule should be triggered instead of XXX</description>
</rule>

if_matched_sid is generally used in frequency based rules, and
determines whether sid XXX has been triggered Z times in A seconds. :P

<rule id="YYY" frequency="3" timeframe="30" level="12">
<if_matched_sid>XXX</if_matched_sid>
<description>If XXX is triggered 5+ times in 30 seconds, YYY should
be triggered</description>
</rule>

HTH
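An added example, not from this thread and not OSSEC's own analysisd code: a small Python model of the two semantics dan describes above, with constructed rule ids and timestamps. It assumes a composite rule with if_matched_sid is checked when the current message matched that same sid, and that the current event counts toward frequency, which is a simplification of OSSEC's actual counting (note dan's rule pairs frequency="3" with a description of 5+ hits), so the numbers are illustrative only.

```python
from collections import deque

class Rule:
    """Subset of an OSSEC rule: just the options this thread is about."""
    def __init__(self, rid, level, if_sid=None, if_matched_sid=None,
                 frequency=0, timeframe=0):
        self.id, self.level = rid, level
        self.if_sid, self.if_matched_sid = if_sid, if_matched_sid
        self.frequency, self.timeframe = frequency, timeframe

class Engine:
    """Toy evaluator (assumed model, not OSSEC's analysisd code)."""
    def __init__(self, rules):
        self.rules = rules
        self.history = deque()   # (timestamp, sid) of alerts already raised

    def process(self, ts, base_sid):
        """base_sid: atomic rule that matched this log line. Returns alert id."""
        matched = base_sid
        # if_sid: tested against THIS message only; the child replaces the parent.
        for r in self.rules:
            if r.if_sid == matched:
                matched = r.id
                break
        result = matched
        # if_matched_sid: counts EARLIER alerts of that sid inside the timeframe.
        for r in self.rules:
            if r.if_matched_sid != matched:
                continue
            while self.history and self.history[0][0] < ts - r.timeframe:
                self.history.popleft()          # expire alerts outside the window
            prior = sum(1 for _, s in self.history if s == matched)
            # Assumption: the current event counts as one of the `frequency` hits.
            if prior + 1 >= r.frequency:
                result = r.id
            break
        self.history.append((ts, matched))      # remember the sid that really matched
        return result

def run(rules, events):
    """Feed (timestamp, base_sid) pairs through one Engine; return alert ids."""
    eng = Engine(rules)
    return [eng.process(ts, sid) for ts, sid in events]

# Constructed ids: 100001 -> 100002 via if_sid on the same message; 100011
# fires once 100010 has matched 3 times within 30 s via if_matched_sid.
RULES = [Rule(100002, 10, if_sid=100001),
         Rule(100011, 12, if_matched_sid=100010, frequency=3, timeframe=30)]
EVENTS = [(0, 100001), (1, 100010), (5, 100010), (10, 100010), (50, 100010)]
```

Running `run(RULES, EVENTS)` shows the first event rewritten to 100002 by if_sid on its own, while 100011 only appears on the third 100010 hit inside the window and not on the later hit at 50 s, which falls outside it.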

BP9906

Jul 11, 2011, 11:31:53 AM
to ossec-list
Thanks Dan, that makes more sense.

Would that be the same for <if_group> vs <if_group_matched> ? Also,
how does if_group_matched figure into if_matched_sid? It seems as
though as events come in the group list counting isn't every alert
being processed; meaning the alert would either be added to the sid
match composite rule counts OR the group match composite rule counts.

dan (ddp)

Jul 11, 2011, 5:34:10 PM
to ossec...@googlegroups.com
I believe that would be the same for if_matched_group.
I haven't done any testing with if_matched_group yet, so I don't know
much about it.