Sorry, I didn't have enough time to understand the problem, but I'll try harder in the near future, promise :)

On Sun, 2011-01-16 at 11:54 -0600, Martin Holste wrote:
Ok, got it. So here's the patterndb correlation challenge I'm working on: Cisco's Ironport is an email/spam filter that produces verbose logging. The logs have two IDs of interest, the ICID which goes with the connection and the MID which goes with each individual email. Usually, a single email will produce between 15 and 30 log messages. I'm looking to use correlation to produce one "meta" message which has the most important details from all messages so that when searching logs, you don't have to do follow-up searches to find all of the info you're looking for. Here's what I've got so far:
<ruleset>
  <rules>
    <rule class="10" id="10" context-id="ironport-icid" context-timeout="10" context-scope="program">
      <patterns>
        <pattern>Info: New SMTP ICID @NUMBER:icid:@ interface @ESTRING:interface_name: @(@IPv4:interface_ip:@) address @IPv4:sender_ip:@ reverse dns host @ESTRING:sender_dns: @verified yes</pattern>
      </patterns>
      <examples>
      </examples>
    </rule>
  </rules>
</ruleset>
-- Bazsi
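Added example, not part of the original thread: a small Python correlator that does in code what the patterndb context above is meant to do. It keys the "New SMTP ICID" connection fields (the only format quoted in the mail) by ICID, attaches them to each MID that starts on that connection, and emits one meta message per finished MID, so a search on a single email also shows the sender IP and reverse DNS of the connection that delivered it. The MID-level line formats and all sample log lines are constructed for illustration and are assumptions, not taken from the thread.

```python
import re

# Constructed sample lines (assumed Ironport-style formats, not from the mail).
SAMPLE_LOG = """\
Info: New SMTP ICID 7001 interface Data1 (10.0.0.5) address 192.0.2.44 reverse dns host mail.example.net verified yes
Info: Start MID 9001 ICID 7001
Info: MID 9001 ICID 7001 From: <alice@example.net>
Info: MID 9001 ICID 7001 RID 0 To: <bob@example.com>
Info: MID 9001 Subject 'Quarterly report'
Info: Message finished MID 9001 done
"""

# Regex equivalent of the patterndb pattern quoted in the thread (connection context).
RE_ICID = re.compile(r"New SMTP ICID (?P<icid>\d+) interface (?P<interface_name>\S+) "
                     r"\((?P<interface_ip>[\d.]+)\) address (?P<sender_ip>[\d.]+) "
                     r"reverse dns host (?P<sender_dns>\S+) verified (?P<verified>\S+)")
# Assumed per-message (MID) formats; adjust to the real appliance's log lines.
RE_START = re.compile(r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)")
RE_FROM = re.compile(r"MID (?P<mid>\d+) ICID \d+ From: <(?P<sender>[^>]+)>")
RE_TO = re.compile(r"MID (?P<mid>\d+) ICID \d+ RID \d+ To: <(?P<rcpt>[^>]+)>")
RE_SUBJECT = re.compile(r"MID (?P<mid>\d+) Subject '(?P<subject>[^']*)'")
RE_DONE = re.compile(r"Message finished MID (?P<mid>\d+) done")

def correlate(lines):
    """Return one dict per finished MID, merged with its ICID connection fields."""
    connections = {}   # icid -> fields from the "New SMTP ICID" line
    messages = {}      # mid  -> fields accumulated so far for that email
    finished = []
    for line in lines:
        if m := RE_ICID.search(line):
            connections[m["icid"]] = m.groupdict()
        elif m := RE_START.search(line):
            ctx = connections.get(m["icid"], {"icid": m["icid"]})   # tolerate missing ICID line
            messages[m["mid"]] = {"mid": m["mid"], "to": [], **ctx}
        elif m := RE_FROM.search(line):
            messages.setdefault(m["mid"], {"mid": m["mid"], "to": []})["from"] = m["sender"]
        elif m := RE_TO.search(line):
            messages.setdefault(m["mid"], {"mid": m["mid"], "to": []})["to"].append(m["rcpt"])
        elif m := RE_SUBJECT.search(line):
            messages.setdefault(m["mid"], {"mid": m["mid"], "to": []})["subject"] = m["subject"]
        elif m := RE_DONE.search(line):
            finished.append(messages.pop(m["mid"], {"mid": m["mid"], "to": []}))
    return finished

def format_meta(msg):
    """Render the single searchable meta message for one email."""
    return (f"MID {msg['mid']} ICID {msg.get('icid', '?')} from={msg.get('from', '?')} "
            f"to={','.join(msg['to'])} subject='{msg.get('subject', '')}' "
            f"sender_ip={msg.get('sender_ip', '?')} sender_dns={msg.get('sender_dns', '?')} "
            f"interface={msg.get('interface_name', '?')}")

if __name__ == "__main__":
    for meta in correlate(SAMPLE_LOG.splitlines()):
        print(format_meta(meta))
```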