Set up a directive rule which gets fired off when this specific error occurs 100 times

Molina
Could anyone please tell me how I could set up a directive rule which gets fired off when a specific error (e.g. an ICMP log message) occurs 100 times in OSSIM.

The events are arriving well on my sensor. If possible, let me know if any documentation about this exists.

Thanks,
Molina.

Answers

  • Hi again!!

    I am trying to setup what I explained in my first post but I am not able to manage it. 

    I mean, I send an email whenever that event occurs but I can't make a correlation rule in order to send an email when that event occurs twice.

    I send attached the image of my directives. I have tried two different ways, but none of them works.

    [screenshot]
  • You should make a DS group from this directive, and create a policy with an email action.  Did you do that?
  • Yes, I did that, and that is not the problem because I can send one email for each event. But I really want to send and email when that event occurs twice.
  • Can you send some screenshots showing how you set that up?
  • Hi hoarse, 

    I send you all the screenshots about what I have set up.
    This is the DS group:
    [screenshot]
    That picture is about the action.
    [screenshot]
    And those pictures are about the policy.
    [screenshot]

    [screenshot]
  • I have read the documentation you gave me and I think I do exactly the same but it doesn't work. I send an email for each event. 

    This is the link: 
    https://www.alienvault.com/wiki/doku.php?id=user_manual:intelligence:correlation_directives:directives
  • Does the first directive "AV-FREE FEED Administration Event" have a policy as well?  Does it help if you disable it?  Although I don't think it should have any effect.
    Do you see a SIEM event being generated from the second directive if the event occurs twice?  Just want to make sure the directive is working well.
  • Both directives do the same. They send an email whenever the event occurs.

    Yes, when I generated that event twice I checked that they are generated as SIEM events and also that I receive one email for each event. So I think the problem is that I am not doing well as far as the correlation rule is concerned.
  • Hi hoarse!!

    I have done a new policy and it works well!! But I have another problem, although it may occur because of OSSIM.

    My problem now is: 
    I want to send an email only when this event occurs 10 times. Now it sends an email when this event occurs first and then after 10 times. I will express it better with a "table":
    event occurs once ---> send an email.
    event occurs twice --> no email sent
    three times --> no email sent
    ........
    ten times --> no email sent
    eleven times --> send an email (ten times since last email was sent)
    twelve times --> send an email (it resets its count to zero, like a loop)
    thirteen times ---> no email sent
    .....
    twenty times --> send an email (ten times since last email was sent)

    It works like a loop, and when it sends the email because of the ten times it resets its count to zero....

    [screenshot]
    I changed the "ocurrencia" value to 10 but because of the timeout value it still sends an email whenever it occurs.


  • What I do in such a case is create another level of directive alert, with an unrealistically high number for "occurrence" and a chosen time.  That would mean the SIEM will keep on working on that directive rule after it's been fired 10 times, but nothing would happen.  I hope that makes sense.
    It's a sort of "clean up" rule which works as a buffer to avoid too many events.
  • Thanks for your advice hoarse, but if I do what you have told me it only sends two emails (the first when the event occurs once, and the second when it occurs eleven times). What I really want is that it sends an email when ten events occur; I mean, when the event occurs once, 11 times, 21 times, 31 times, 41 times...

    I have the idea of creating many levels of directive alert, all of them with an "ocurrencia" value of 10, but I don't know if there is another "more elegant" option.
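    As an added example (not from the thread or from AlienVault), this is how the levels discussed above look in OSSIM's directive XML, the file-based equivalent of the web UI's "ocurrencia"/occurrence and timeout fields: a first level matching the event once, a second level needing 10 more occurrences from the same source, and a final "buffer" level with an unrealistically high occurrence as hoarse describes. The directive id 500000, PLUGIN_ID and PLUGIN_SID are placeholders to be replaced with the values of the ICMP event shown in the SIEM event details.

```xml
<!-- Added example, not from the thread: a custom OSSIM directive with three levels.
     Replace PLUGIN_ID / PLUGIN_SID with the plugin_id and plugin_sid of the ICMP event;
     500000 is a placeholder id in the custom directive range. -->
<directive id="500000" name="Custom, ICMP event repeated 10 times" priority="3">
  <!-- Level 1: matches the first event from any host. It fires once (occurrence="1"),
       which is why a policy tied to the directive sends a first mail at event #1. -->
  <rule type="detector" name="ICMP event seen"
        reliability="1" occurrence="1"
        from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="PLUGIN_ID" plugin_sid="PLUGIN_SID">
    <rules>
      <!-- Level 2: needs 10 more events from the same source (1:SRC_IP refers back to
           level 1) within time_out seconds. It fires once more, at event #11, which is
           the "1 then 11" behaviour described in the thread. -->
      <rule type="detector" name="ICMP event repeated 10 times"
            reliability="5" occurrence="10" time_out="300"
            from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
            plugin_id="PLUGIN_ID" plugin_sid="PLUGIN_SID">
        <rules>
          <!-- Level 3: the "clean up" buffer level. The unrealistically high occurrence
               keeps this directive instance consuming further events for time_out seconds,
               so every extra event does not start a new instance and a new level-1 mail. -->
          <rule type="detector" name="Buffer, swallow further events"
                reliability="5" occurrence="100000" time_out="3600"
                from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
                plugin_id="PLUGIN_ID" plugin_sid="PLUGIN_SID"/>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
```

    Each level fires at most once per directive instance, so a mail at every tenth event would need one additional level of occurrence="10" per batch, which is the "many levels" approach mentioned above.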


  • Thank you so much!!! 