
Feature #246

New LML-Ruleset for rishi - please review

Added by almost 14 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Target version:
Start date:
Due date:
% Done: 0%
Resolution: fixed

Description

http://zero.ram.rwth-aachen.de/rishi/

see attachment for ruleset

rishi.rules (4.62 KB) , 07/06/2007 04:36 PM

Associated revisions

Revision 9371ee84 (diff)
Added by Pierre Chifflier over 13 years ago

Add new ruleset for Rishi (Closes #246)
Thanks to Bjoern Weiland for the initial submission.

git-svn-id: file:///home/yoann/dev/prelude/git/nok/SVN/prelude-lml/trunk@10098 09c5ec92-17d4-0310-903a-819935f44dba

History

#1 Updated by Yoann VANDOORSELAERE almost 14 years ago

Thanks for this contribution!

Here are a few comments concerning the ruleset. Once the following issues are discussed and/or fixed, we will be able to include this ruleset within the LML distribution.

  • In case the software might report IPv6 attacks, it would be best to match the IP address using (\S+) and leave address.category unspecified (the Prelude-Manager Normalizer will take care of setting it appropriately).
  • In the ruleset regexp, the INFO keyword is matched: is it part of Rishi logging (and not the system logger), and won't this change depending on the user's logging configuration?
  • The "Value" looks like some sort of severity; would using a separate rule to match it and set alert.assessment.impact.severity (or maybe alert.assessment.impact.confidence) be appropriate?
  • Instead of setting the nickname within [[AdditionalData]], did you investigate whether setting it within source/target User/UserID (with category set to application) would be appropriate?
  • Not sure about the analyzer class, wouldn't NIDS fit?
  • analyzer.name should be set to Rishi (currently it doesn't use an uppercase, but the project name does).

Hope this helps,
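The two regex design points raised above (capture the address with (\S+) so that an IPv4-only pattern does not silently drop IPv6 events, and derive the IDMEF severity from the tool's own "Value" in a separate step) can be checked outside LML with a small Python mock. This is an added example, not the ruleset attached to this issue and not Prelude-LML code: the log line layout, the field names written as dotted IDMEF paths, and the Value-to-severity thresholds are all constructed assumptions, since the rishi.rules attachment is not reproduced on the page.

```python
import re
from ipaddress import ip_address

# Constructed sample lines; the real Rishi log format is not shown on this page.
SAMPLE_LINES = [
    "Jul  6 16:36:01 zero rishi: INFO suspicious nick 'bot-1234' from 10.0.0.5 value=7",
    "Jul  6 16:36:02 zero rishi: INFO suspicious nick 'xyz' from 2001:db8::1 value=3",
]

# Narrow pattern: only dotted-quad IPv4 addresses can match.
IPV4_ONLY_RULE = re.compile(
    r"INFO suspicious nick '(?P<nick>[^']+)' from "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}) value=(?P<value>\d+)"
)

# Broad pattern as suggested in comment #1: (\S+) captures any address token and
# leaves the category decision to the normalizer.
ANY_ADDR_RULE = re.compile(
    r"INFO suspicious nick '(?P<nick>[^']+)' from (?P<addr>\S+) value=(?P<value>\d+)"
)


def match_line(rule, line):
    """Return the captured fields as a dict, or None when the rule does not match."""
    m = rule.search(line)
    return m.groupdict() if m else None


def normalize_address_category(addr):
    """Stand-in for the manager-side normalizer: pick the IDMEF address.category
    from the captured value instead of hard-coding it in the rule."""
    return "ipv6-addr" if ip_address(addr).version == 6 else "ipv4-addr"


def value_to_severity(value):
    """Map the tool-specific numeric 'Value' onto an IDMEF severity.
    The thresholds below are assumptions for illustration only."""
    v = int(value)
    if v >= 8:
        return "high"
    if v >= 4:
        return "medium"
    if v >= 1:
        return "low"
    return "info"


def build_alert(line):
    """Turn one log line into a flat dict of IDMEF-style fields (dotted paths are
    a notation chosen here, not LML rule syntax)."""
    fields = match_line(ANY_ADDR_RULE, line)
    if fields is None:
        return None
    return {
        "analyzer.name": "Rishi",
        "analyzer.class": "NIDS",
        "source.node.address.address": fields["addr"],
        "source.node.address.category": normalize_address_category(fields["addr"]),
        "source.user.category": "application",
        "source.user.user_id.name": fields["nick"],
        "assessment.impact.severity": value_to_severity(fields["value"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("ipv4-only rule:", match_line(IPV4_ONLY_RULE, line))
        print("any-addr rule :", build_alert(line))
```

Running the block shows the IPv4-only pattern matching the first line and returning None for the IPv6 line, while the (\S+) pattern matches both and the category is filled in afterwards from the captured address; the severity mapping sits in its own function, which is the separation the comment suggests implementing as a second rule.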

#2 Updated by over 13 years ago

Hey Yoann,

  • The software does not report IPv6.
  • There is no Rishi logging configuration; what we are interested in is only INFO, and only INFO is logged in the file we are watching.
  • The "Value" is in fact a custom severity. I did not investigate the possibility of the mentioned IDMEF fields though, and unfortunately our systems are currently down so I cannot test the ideas/changes. The same holds for the nickname.
  • NIDS fits as analyzer class.

#3 Updated by Pierre Chifflier over 13 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r10098) Add new ruleset for Rishi (Closes #246)
Thanks to Bjoern Weiland for the initial submission.

#4 Updated by Yoann VANDOORSELAERE almost 12 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (0.9.11)
