New LML-Ruleset for rishi - please review
see attachment for ruleset
#1 Updated by Yoann VANDOORSELAERE almost 14 years ago
Thanks for this contribution!
Here are a few comments concerning the ruleset. Once the following issues are discussed and/or fixed, we will be able to include this ruleset within the LML distribution.
- In case the software might report IPv6 attacks, it would be best to match the IP address using (\S+) and leave address.category unspecified (the Prelude-Manager Normalizer will take care of setting it appropriately).
- In the ruleset regexp, the INFO keyword is matched: Is it part of Rishi logging (and not the system logger) and won't this change depending on the user logging configuration?
- The "Value" looks like some sort of severity; would using a separate rule to match it and set alert.assessment.impact.severity (or maybe alert.assessment.impact.confidence) be appropriate?
- Instead of setting the nickname within [[AdditionalData]], did you investigate whether setting it within source/target User/UserID (with category set to application) would be appropriate?
- Not sure about the analyzer class, wouldn't NIDS fit?
- analyzer.name should be set to Rishi (it currently doesn't use an uppercase letter, but the project name does).
Hope this helps,
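To illustrate the address-matching and severity points above, here is a small added example (not part of the thread or the attached ruleset) that parses constructed Rishi-style INFO lines with an IPv4-only capture versus the suggested (\S+) capture, and maps the custom "Value" onto an IDMEF-like severity. The log format, the severity thresholds and the field names are assumptions for the demo.

```python
import re
import ipaddress

# Constructed sample lines in an assumed "<timestamp> INFO <ip> <nick> <value>" layout
SAMPLE_LOGS = [
    "2011-03-01 12:00:01 INFO 192.0.2.10 bot1234 8",
    "2011-03-01 12:00:02 INFO 2001:db8::1 bot5678 3",
]

# IPv4-only capture: silently misses an IPv6 address
IPV4_RULE = re.compile(r"INFO (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d+)")
# Address-agnostic capture as suggested in the review; the normalizer
# would set address.category, but we at least verify it is an IP
ANY_RULE = re.compile(r"INFO (\S+) (\S+) (\d+)")


def parse(line, rule):
    """Return an IDMEF-like dict for one log line, or None if no match."""
    m = rule.search(line)
    if not m:
        return None
    addr, nick, value = m.groups()
    try:
        ipaddress.ip_address(addr)  # (\S+) is broad, so reject non-addresses
    except ValueError:
        return None
    value = int(value)
    # Assumed mapping of the custom "Value" to a severity bucket
    severity = "high" if value >= 7 else "medium" if value >= 4 else "low"
    return {
        "source.node.address.address": addr,
        "source.user.category": "application",
        "source.user.user_id.name": nick,
        "assessment.impact.severity": severity,
        "analyzer.name": "Rishi",
        "analyzer.class": "NIDS",
    }


def parse_all(rule):
    """Apply one rule to every sample line."""
    return [parse(line, rule) for line in SAMPLE_LOGS]
```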
#2 Updated by over 13 years ago
- The software does not report IPv6
- There is no Rishi logging configuration; what we are interested in is only INFO, and only INFO is logged in the file we are watching
- The "Value" is in fact a custom severity. I did not investigate the possibility of the mentioned IDMEF fields though, and unfortunately our systems are currently down so I cannot test the ideas/changes. The same holds for the nickname.
- NIDS fits as analyzer class