jrossi / issue-migration-test

GNU General Public License v2.0

Extend "same_xyz" support for rules #64

Open jrossi opened 10 years ago

jrossi commented 10 years ago

Rules support the "same_source_port", "same_dst_port" and "same_location". This should be extended to cover the other decoded fields, in particular "srcip", "user", "action" and "status". This would allow for more options when looking for events by frequency.

For example, as we have a relatively large user base we see a significant volume of failed logins in short time periods. If it was possible to use "same_user" as part of a rule, it should be possible to identify brute force attempts.

This could also facilitate looking for bulk phishing attacks by looking at SMTP logs, as discussed here - https://groups.google.com/forum/#!topic/ossec-list/GCkyMeJsCtU

Note: This issue has been automatically migrated from Bitbucket. Created by chris_hembrow on 2013-12-18 16:54:13+00:00, last updated: 2014-01-06 18:06:38+00:00

jrossi commented 10 years ago

FYI, we do have same_source_ip, same_user and same_location. But some of the others you mentioned such as same_subject would be useful.

Note: This comment has been automatically migrated from Bitbucket. Created by mstarks01 on 2013-12-19 17:42:09+00:00
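To make concrete what the issue is asking for and what the reply confirms (that `same_source_ip` and `same_user` both exist as frequency-rule options), here is an added, self-contained toy correlator that approximates OSSEC's `frequency` / `timeframe` / `same_*` semantics over a few constructed, already-decoded "authentication failed" events. It is example code written for this discussion, not OSSEC's own matching engine; the reset-after-alert behaviour and the sample timestamps, addresses and usernames are assumptions made up for the illustration. It shows why grouping by user matters: one source hitting many accounts is caught by `same_source_ip`, while many sources hitting one account is only caught by `same_user`.

```python
"""Toy model of OSSEC frequency / timeframe / same_* rule matching (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of decoded events: (timestamp, srcip, user).
# These values are invented for the example; they are not real log data.
SAMPLE_EVENTS = [
    # one source trying five different accounts (classic brute force)
    ("2013-12-18 16:50:00", "203.0.113.5", "root"),
    ("2013-12-18 16:50:10", "203.0.113.5", "admin"),
    ("2013-12-18 16:50:20", "203.0.113.5", "oracle"),
    ("2013-12-18 16:50:30", "203.0.113.5", "test"),
    ("2013-12-18 16:50:40", "203.0.113.5", "guest"),
    # five sources trying the same account (only visible when grouped by user)
    ("2013-12-18 16:55:00", "198.51.100.1", "alice"),
    ("2013-12-18 16:55:10", "198.51.100.2", "alice"),
    ("2013-12-18 16:55:20", "198.51.100.3", "alice"),
    ("2013-12-18 16:55:30", "198.51.100.4", "alice"),
    ("2013-12-18 16:55:40", "198.51.100.5", "alice"),
    # background noise: a single failure far outside any burst
    ("2013-12-18 17:30:00", "192.0.2.9", "bob"),
]

# Which tuple position each same_* option groups on.
FIELD_INDEX = {"srcip": 1, "user": 2}


def parse_events(rows):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user)
            for ts, ip, user in rows]


def correlate(events, same_field, frequency, timeframe):
    """Fire an alert when `frequency` events sharing the same value of
    `same_field` fall within `timeframe` seconds of each other.

    Assumption: after an alert fires the bucket is cleared, so one burst
    produces one alert rather than one per additional event."""
    idx = FIELD_INDEX[same_field]
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)   # key value -> timestamps inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        ts, key = ev[0], ev[idx]
        q = recent[key]
        q.append(ts)
        # drop entries older than the timeframe (q is never empty here)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= frequency:
            alerts.append((key, ts))
            q.clear()
    return alerts


def run_sample(frequency=5, timeframe=120):
    """Run both grouping options over the sample and return their alerts."""
    events = parse_events(SAMPLE_EVENTS)
    return {
        "same_source_ip": correlate(events, "srcip", frequency, timeframe),
        "same_user": correlate(events, "user", frequency, timeframe),
    }


if __name__ == "__main__":
    for option, alerts in run_sample().items():
        print(option, [(k, t.strftime("%H:%M:%S")) for k, t in alerts])
```

Run as-is, the `same_source_ip` grouping reports only `203.0.113.5` and the `same_user` grouping reports only `alice`; each burst is invisible to the other option, which is the gap the issue describes for rules that can only key on the source address.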

jrossi commented 10 years ago

Thanks. I wasn't aware of "same_user"; it's not documented on the Rules Syntax page on ossec.net.

Note: This comment has been automatically migrated from Bitbucket. Created by chris_hembrow on 2013-12-20 09:01:44+00:00

jrossi commented 10 years ago

I was also unaware of it. Documentation will be updated!

Note: This comment has been automatically migrated from Bitbucket. Created by ddpbsd on 2014-01-06 18:06:38+00:00