Following Event in OSSIM
If the server sees the flow described above, we need a trigger (an alert) in our OSSIM: the user makes a ‘QUIT’ event followed by a ‘DATA’ event.
<directive id="500002" name="Exceeding the email count" priority="4">
<rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4">
<rules>
<rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="5" occurrence="1" plugin_id="9002" plugin_sid="5"/>
</rules>
</rule>
</directive>
Testing the use case
Reading events in real time
Event QUIT is followed by QUIT or RCPT
The alert triggers only when the user makes a ‘QUIT’ event followed by a ‘DATA’ or ‘RCPT’ event.
<directive id="500002" name="Exceeding the email count" priority="4">
<rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4,1">
<rules>
<rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="5" occurrence="1" plugin_id="9002" plugin_sid="5"/>
</rules>
</rule>
</directive>
Event occurrence count
<directive id="500002" name="Exceeding the email count" priority="4">
<rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4">
<rules>
<rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="5" occurrence="2" plugin_id="9002" plugin_sid="5"/>
</rules>
</rule>
</directive>
The alert triggers only when the user makes the ‘QUIT’ event two times, followed by a ‘DATA’ event.
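To check how the directive tree behaves before loading it into OSSIM, here is an added example (not from the original post and not OSSIM's own correlation engine): a simplified Python evaluator that parses a directive in the format above and walks a constructed stream of (plugin_id, plugin_sid) events. It models only plugin_id/plugin_sid matching, the comma-separated sid list and the occurrence count; OSSIM's time_out, from/to filters and sticky fields are assumed away, and the event stream is made up for the test.

```python
import xml.etree.ElementTree as ET

# Directive built from the post's variants: first rule accepts sid 4 or 1,
# nested rule must match twice (occurrence="2"). Whitespace is cosmetic.
DIRECTIVE_XML = """
<directive id="500002" name="Exceeding the email count" priority="4">
  <rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY"
        port_from="ANY" port_to="ANY" reliability="1" occurrence="1"
        plugin_id="9002" plugin_sid="4,1">
    <rules>
      <rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY"
            port_to="ANY" reliability="5" occurrence="2"
            plugin_id="9002" plugin_sid="5"/>
    </rules>
  </rule>
</directive>
"""

def _sid_matches(rule, sid):
    """plugin_sid is 'ANY' or a comma-separated list such as '4,1'."""
    wanted = rule.get("plugin_sid", "ANY")
    return wanted == "ANY" or str(sid) in [s.strip() for s in wanted.split(",")]

def _matches(rule, event):
    pid, sid = event
    return rule.get("plugin_id") == str(pid) and _sid_matches(rule, sid)

def evaluate(directive_xml, events):
    """Simplified model: walk the rule chain top-down over the event stream.

    Each level must match `occurrence` times before the nested level is
    considered; non-matching events are ignored. Returns the reliability of
    the deepest level fully satisfied, or None if the first rule never fired.
    """
    root = ET.fromstring(directive_xml.strip())
    rule = root.find("rule")
    reliability, hits = None, 0
    for event in events:
        if rule is None:          # leaf level already satisfied
            break
        if _matches(rule, event):
            hits += 1
            if hits >= int(rule.get("occurrence", "1")):
                reliability = int(rule.get("reliability", "0"))
                hits, rule = 0, rule.find("rules/rule")  # descend one level
    return reliability

if __name__ == "__main__":
    # Constructed stream: sid 4, then sid 5 twice -> both levels satisfied.
    print(evaluate(DIRECTIVE_XML, [(9002, 4), (9002, 5), (9002, 5)]))
```

A return value of 1 means only the first rule fired (the outer rule's reliability), 5 means the nested rule was also satisfied, and None means the directive never started.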