Fixed static filters related to the system_name field #684

Merged
merged 1 commit into from
May 28, 2020
20 changes: 10 additions & 10 deletions tools/rules-testing/rules/test_rules.xml
Expand Up @@ -202,16 +202,16 @@
<description>Same status works</description>
</rule>

<!-- Trigger alerts which depend on same_systemname. -->
<!-- Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1 -->
<!-- Trigger alerts which depend on same_system_name. -->
<!-- Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1 -->
<rule id="999233" level="3">
<match>Test same_systemname</match>
<description>Testing same_systemname</description>
<match>Test same_system_name</match>
<description>Testing same_system_name</description>
</rule>

<rule id="999234" level="7" frequency="4" timeframe="300">
<if_matched_sid>999233</if_matched_sid>
<same_systemname />
<same_system_name />
<description>Same system_name works</description>
</rule>

Expand Down Expand Up @@ -371,16 +371,16 @@
<description>Different status works</description>
</rule>

<!-- Trigger alerts which depend on different_systemname. -->
<!-- Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1 -->
<!-- Trigger alerts which depend on different_system_name. -->
<!-- Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1 -->
<rule id="999259" level="3">
<match>Test different_systemname</match>
<description>Testing different_systemname</description>
<match>Test different_system_name</match>
<description>Testing different_system_name</description>
</rule>

<rule id="999260" level="7" frequency="4" timeframe="300">
<if_matched_sid>999259</if_matched_sid>
<different_systemname />
<different_system_name />
<description>Different system_name works</description>
</rule>

30 changes: 15 additions & 15 deletions tools/rules-testing/tests/static_filters.ini
Expand Up @@ -154,14 +154,14 @@ rule = 999232
alert = 7
decoder = test_same_filters

[same_fields: same_systemname]
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
[same_fields: same_system_name]
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system100
log 1 pass = Dec 19 17:20:08 User test_same_filters[12345]:Test same_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
rule = 999234
alert = 7
decoder = test_same_filters
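Review bot: The renamed section `[same_fields: same_system_name]` still feeds log lines whose raw token is `systemname:system1` / `systemname:system100`, so the test only exercises the `<same_system_name />` filter if decoder `test_same_filters` maps the `systemname` token onto the `system_name` field; that decoder is not in this diff, so it is worth confirming. If the mapping is absent, the filter would presumably compare empty values and the frequency-4 rule 999234 could fire on the mixed `system1`/`system100` sequence anyway, so a passing result would not prove the filter works. The same applies to the `[different_fields: different_system_name]` hunk below and to the updated comments in `tools/rules-testing/rules/test_rules.xml`. A short comment above the section, in whatever comment syntax the test runner accepts, would spare the next reader the same question, e.g. `; raw log token is systemname:, the decoder exposes it as system_name`.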
Expand Down Expand Up @@ -309,13 +309,13 @@ rule = 999258
alert = 7
decoder = test_different_filters

[different_fields: different_systemname]
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_systemname 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system2
[different_fields: different_system_name]
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system1
log 1 pass = Dec 19 17:20:08 User test_different_filters[12345]:Test different_system_name 'Srcuser' 'User' logged from 192.168.1.100:8 to 192.168.5.4:20 pro:ftp act:remove id:1 url:ossec dat:huzaw e_data:hwazu sta:rejected systemname:system2
rule = 999260
alert = 7
decoder = test_different_filters