Thanks for this contribution!

Here are a few comments concerning the ruleset. Once the following issues are discussed and/or fixed, we will be able to include this ruleset within the LML distribution.

• In case the software might report Ipv6 attack, it would be best to match the IP address using (\S+), and leaving address.category unspecified (Prelude-Manager Normalizer will take care of setting it appropriately).

• In the ruleset regexp, the INFO keyword is matched: Is it part of Rishi logging (and not the system logger) and won't this change depending on the user logging configuration?

• The "Value" look like some sort of severity, would using a separate rule to match it and set alert.assessment.impact.severity (or maybe alert.assessment.impact.confidence) be appropriate?

• Instead of setting the nickname within [[AdditionalData]], did you investigate whether setting it within source/target User/UserID (with category set to application) be appropriate?

• Not sure about the analyzer class, wouldn't NIDS fit ?

• analyzer.name should be set to Rishi (currently doesn't use an uppercase, but the project name does).

Hope this help,

Hey Yoann,

• The software does not report IPv6
• There is no rakish logging configuration, what we are interested in is only INFO and only INFO is logged in the file we are watching
• The "Value" is in fact a custom severity. I did not investigate the possibility of the mentioned IDMEF fields though, and unfortunately our systems are currently down so i cannot test the ideas/changes. Same holds for the nickname.
• NIDS fits as analyzer class