Re: Does my directive look correct?
Alberto Roman Linacero
2007-09-21 09:59:13
Hello Brian,

The syntax of your directive is right. What's the exact problem?

What you're seeing in Correlation->Directives may be broken. That code is a bit old, and it's only a visualization of the directives files. What is loaded in the ossim server has nothing to do with that. The ossim server loads the directives from the xml files; if there are some errors in the web code, it doesn't matter for the correlation itself.

Also:

> [directive_alert] directive_event: FooBar host (SRC_IP) 2007-09-14 14:58:54 	192.168.1.132 Plugin: directive_alert (1505)
>   Plugin SID: directive_event: FooBar host (SRC_IP) (20)

This is a normal directive event. When an alarm is generated, in fact what is generated is a new event, with plugin_id=1505, which is reserved for directives.

Alberto.


On Saturday, 15 September 2007 00:20, Brian Lavender wrote:
> Does my directive look correct?
>
> <directive id="20" name="FooBar host (SRC_IP) " priority="2">
>     <rule type="detector" name="A Foo Bar" reliability="2" occurrence="1"
>           from="ANY" to="ANY" port_from="ANY" port_to="ANY"
>           plugin_id="20000" plugin_sid="1" />
> </directive>
>
> After creating a plugin, I decided to create a directive, so I could at least see an alarm being generated. I am not sure completely of the syntax, but this is the directive I created. OSSIM seems to recognize it, but when I look at Correlation -> Directives, I see information that doesn't belong to it. It appears that it is picking up the event from the Agent, but the output seems strange.
>
> - [directive_alert] directive_event: FooBar host (SRC_IP) 2007-09-14 14:58:54 	192.168.1.132 Plugin: directive_alert (1505)
>   Plugin SID: directive_event: FooBar host (SRC_IP) (20)
>
> brian

_______________________________________________
Os-sim-support mailing list
Os-sim-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/os-sim-support
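To make the reply's point concrete, here is an added example (not code from the thread or from OSSIM itself) that loads Brian's directive straight from its XML, as the server does, and replays a few constructed detector events through its single rule. The matching event produces a new event with plugin_id=1505 and plugin_sid equal to the directive id (20), which is exactly the "directive_alert (1505) ... (20)" line Brian saw; the dst_ip values and the event dictionaries are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the directive quoted in the thread.
DIRECTIVE_XML = """<directive id="20" name="FooBar host (SRC_IP)" priority="2">
    <rule type="detector" name="A Foo Bar" reliability="2" occurrence="1"
          from="ANY" to="ANY" port_from="ANY" port_to="ANY"
          plugin_id="20000" plugin_sid="1" />
</directive>"""

DIRECTIVE_PLUGIN_ID = 1505  # plugin_id reserved for directive events (from the thread)

def parse_directive(xml_text):
    """Read the directive and its single detector rule straight from the XML,
    as the thread says the server does (the web view is not involved)."""
    root = ET.fromstring(xml_text)
    rule = root.find("rule")
    return {
        "id": int(root.get("id")), "name": root.get("name"),
        "rule": {"plugin_id": int(rule.get("plugin_id")),
                 "plugin_sid": int(rule.get("plugin_sid")),
                 "reliability": int(rule.get("reliability")),
                 "occurrence": int(rule.get("occurrence")),
                 "from": rule.get("from"), "to": rule.get("to")},
    }

def _matches(pattern, value):  # "ANY" is a wildcard in the rule's from/to fields
    return pattern == "ANY" or pattern == value

def correlate(directive, events):
    """Replay detector events against the rule; once `occurrence` events match,
    emit a directive event with plugin_id=1505 and plugin_sid = directive id."""
    rule, hits, alarms = directive["rule"], 0, []
    for ev in events:
        if (ev["plugin_id"], ev["plugin_sid"]) != (rule["plugin_id"], rule["plugin_sid"]):
            continue
        if not (_matches(rule["from"], ev["src_ip"]) and _matches(rule["to"], ev["dst_ip"])):
            continue
        hits += 1
        if hits >= rule["occurrence"]:
            alarms.append({"plugin_id": DIRECTIVE_PLUGIN_ID, "plugin_sid": directive["id"],
                           "name": "directive_event: " + directive["name"],
                           "reliability": rule["reliability"], "src_ip": ev["src_ip"]})
            hits = 0
    return alarms

# Constructed sample events: only the first matches plugin 20000 / sid 1.
EVENTS = [
    {"plugin_id": 20000, "plugin_sid": 1, "src_ip": "192.168.1.132", "dst_ip": "10.0.0.5"},
    {"plugin_id": 20000, "plugin_sid": 2, "src_ip": "192.168.1.132", "dst_ip": "10.0.0.5"},
    {"plugin_id": 1001, "plugin_sid": 1, "src_ip": "192.168.1.7", "dst_ip": "10.0.0.5"},
]
```

Running `correlate(parse_directive(DIRECTIVE_XML), EVENTS)` yields one directive event for the 192.168.1.132 source; the other two events match neither the plugin_id/plugin_sid pair and are ignored.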

Re: Does my directive look correct?
Brian Lavender
United States
2007-09-21 13:58:03
This is good news. Actually, there appears to be no problem. I thought when I looked at the web interface that there was something wrong with the directive, but after doing a little bit of investigation, I began to confirm what you stated. So, now I just need to get a better understanding of the parameters for events and how alarms are triggered.

On Fri, Sep 21, 2007 at 04:59:13PM +0200, Alberto Roman Linacero wrote:
> Hello Brian,
>
> The syntax of your directive is right. What's the exact problem?

-- 
Brian Lavender
http://www.brie.com/brian/
