
Event Rule Table

The following table lists every filter type that can be used in a rule. Each rule must contain one or more filters, must begin with a "Name:" line, and must end with an action: "ignore", "Command", or a log source. A filter line is prefixed with "+" (the log must match it) or "-" (the log must not match it), and the rule fires only when every filter line on it holds. If "Command" is used, the command to run must be given; when the filters match, that command is executed. Variables such as $log, $event1 and $sip are expanded from the matched log before the command runs, so quote them in the command and treat their contents as untrusted input. Ending a rule with "ignore" discards every event that matches its filters. A log source is either "cef" or "syslog"; when the rule matches, the log is forwarded to the named log server in that format. The Threshold, RateLimit and MaxQueue options at the end of the table control how many matching events are needed before the rule fires and how often it may fire. See the example in each table entry below for details.

Each entry below gives the filter (or option) name, what it matches, example values, and a complete rule showing its usage.

IPS

Filter on source or destination IP address or CIDR block.

Example values: 192.168.1.1, 192.168.0.0/16

Usage:

Name: Ignore local logins
+Types: login
+IPs: 127.0.0.1
ignore

SrcIPS

Filter strictly on the source IP address or CIDR block.

Example values: 192.168.1.1, 192.168.0.0/16

Usage:

Name: Ignore local login failures
+Types: login-failure
+SrcIPS: 127.0.0.1
ignore

DstIPS

Filter strictly on the destination IP address or CIDR block.

Example values: 192.168.1.1, 192.168.0.0/16

Usage:

Name: Ignore local file access
+Types: file-access
+DstIPs: 127.0.0.1
ignore

Events

Filter on the LCE normalized event name.

Example value: Cisco-IDS_Command_Execution

Usage:

Name: Ignore Application Changes
+Events: Application_Change
+IPs: 192.168.1.0/24
ignore

Sensors

Filter on the sensor name, as shown in the LCE sensor summary view or specified in the syslog_sensors.txt file.

Example values: XPmarketing01, Win7payroll02

Usage:

Name: Ignore Application Changes
+Events: Application_Change
+IPs: 192.168.1.0/24
+Sensors: Exchange-10
ignore

Types

Filter on the LCE event type.

Example values: login, lce, intrusion, scanning, system

Usage:

Name: Ignore local file access and system
+Types: file-access, system
+IPs: 127.0.0.1
ignore

Ports

Filter on the source or destination port.

Example values: 80, 443, 8080

Usage:

Name: Ignore lce / login events on port 22
+IPS: 192.168.1.1
+Types: lce, login
+Ports: 22
ignore

Protocols

Filter on the IP protocol of the event.

Example values: 1 for ICMP, 2 for IGMP, 6 for TCP, 17 for UDP (the usage example below gives the protocol by name)

Usage:

Name: Ignore DNS Query
+Events: PVS-DNS_Client_Query
+IPS: 192.168.1.0/24
+Protocols: UDP
+Ports: 53
ignore

Users

Filter on the username in the log.

Example values: Bob, Phil, Dan

Usage:

Name: Ignore System login
+IPS: 192.168.1.0/24
+Types: login
+Users: SYSTEM
ignore

Text

Filter on any text token in the log, matched case-sensitively. Tokens can include spaces and punctuation, but not commas, because a comma separates one token from the next.

Example values: Login, Failure

Usage:

Name: Ignore 404 errors
+IPS: 192.168.1.0/24
+Text: 404 page not found
ignore

IText

Filter on any text token in the log, matched case-insensitively. Tokens can include spaces and punctuation, but not commas, because a comma separates one token from the next.

Example values: Login, Failure

Usage:

Name: Ignore 404 errors
+IPS: 192.168.1.0/24
+IText: 404 page not found
ignore
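To show how the filter lines in the entries above combine, here is a small Python evaluator written for this page; it is an added example, not LCE code, and it does not reproduce LCE's own parser. It assumes the semantics the table's examples suggest: every filter line on a rule must hold, the comma-separated values inside one line are alternatives, a "+" line must match and a "-" line must not, and the first "ignore", "Command:", "syslog:" or "cef:" line is the action. The record field names (sip, dip, sport, dport, proto, event, type, sensor, user, log) and the sample records are constructed for the example; the two rules are the page's own.

```python
"""Added example for this page, not LCE code: evaluate rules written in the
table's syntax against log records.  Assumed semantics: all filter lines must
hold; values inside one line are alternatives; '+' must match, '-' must not.
Record field names are this example's own, not LCE's."""
import ipaddress
import re

# Protocol numbers listed on the page, so a filter may say '17' or 'UDP'.
PROTO_NAMES = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}
ACTIONS = ("ignore", "command:", "syslog:", "cef:")


def _ip_predicate(spec):
    """Predicate for one IP token: address, CIDR, or a last-octet range
    such as the page's '10.0.0.7-15'."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", spec)
    if m:
        lo = ipaddress.ip_address(m.group(1) + m.group(2))
        hi = ipaddress.ip_address(m.group(1) + m.group(3))
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def parse_rule(text):
    """Split one rule block into name, filter lines, options and action."""
    rule = {"name": None, "filters": [], "options": {}, "action": None}
    for ln in (raw.strip() for raw in text.splitlines()):
        if not ln:
            continue
        if ln.lower().startswith("name:"):
            rule["name"] = ln.split(":", 1)[1].strip()
        elif ln[0] in "+-":                     # filter: '+' include, '-' exclude
            key, _, vals = ln[1:].partition(":")
            rule["filters"].append((ln[0] == "+", key.strip().lower(),
                                    [v.strip() for v in vals.split(",") if v.strip()]))
        elif ln.lower().startswith(ACTIONS):    # ignore / Command / syslog / cef
            rule["action"] = ln
        else:                                   # Threshold, RateLimit, MaxQueue, Vulnerable
            key, _, val = ln.partition(":")
            rule["options"][key.strip().lower()] = val.strip()
    return rule


def _filter_holds(key, values, rec):
    """True if record `rec` satisfies one filter line, before the +/- sense."""
    if key in ("ips", "srcips", "dstips"):
        fields = {"ips": ("sip", "dip"), "srcips": ("sip",), "dstips": ("dip",)}[key]
        preds = [_ip_predicate(v) for v in values]
        return any(p(rec[f]) for f in fields for p in preds)
    if key == "ports":
        return any(str(rec[f]) in values for f in ("sport", "dport"))
    if key == "protocols":
        wanted = {PROTO_NAMES.get(v, v).lower() for v in values}
        return PROTO_NAMES.get(str(rec["proto"]), str(rec["proto"])).lower() in wanted
    if key == "text":
        return any(v in rec["log"] for v in values)
    if key == "itext":
        return any(v.lower() in rec["log"].lower() for v in values)
    field = {"events": "event", "types": "type", "sensors": "sensor", "users": "user"}[key]
    return rec[field] in values


def rule_matches(rule, rec):
    """Every '+' line must hold and every '-' line must fail."""
    return all(_filter_holds(k, v, rec) == must for must, k, v in rule["filters"])


def evaluate(rules, rec):
    """Actions of all rules that match the record (empty list if none)."""
    return [r["action"] for r in rules if rule_matches(r, rec)]


# The page's own SSH-guessing and DNS examples, parsed as written.
SSH_RULE = parse_rule("""
Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100
""")
DNS_RULE = parse_rule("""
Name: Ignore DNS Query
+Events: PVS-DNS_Client_Query
+IPs: 192.168.1.0/24
+Protocols: UDP
+Ports: 53
ignore
""")


def record(**fields):
    """Constructed log record in this example's field layout."""
    rec = {"sip": "0.0.0.0", "dip": "0.0.0.0", "sport": 0, "dport": 0, "proto": "6",
           "event": "", "type": "", "sensor": "", "user": "", "log": ""}
    rec.update(fields)
    return rec


SAMPLE_RECORDS = [  # constructed for the example, not real LCE output
    record(sip="10.0.0.5", dip="10.0.0.20", dport=22, event="SSH-Failed_Password",
           type="login-failure", sensor="DMZ-1", user="root",
           log="Failed password for root from 10.0.0.5 port 51234 ssh2"),
    record(sip="10.0.0.9", dip="10.0.0.20", dport=22, event="SSH-Failed_Password",
           type="login-failure", sensor="DMZ-1", user="root",
           log="Failed password for root from 10.0.0.9 port 51235 ssh2"),  # in -IPs range
    record(sip="10.0.0.5", dip="10.0.0.20", dport=22, event="SSH-Invalid_User",
           type="login-failure", sensor="DMZ-2", user="(unknown)",
           log="Invalid user admin from 10.0.0.5"),                          # hits -Users
    record(sip="192.168.1.40", dip="192.168.1.1", sport=40123, dport=53, proto="17",
           event="PVS-DNS_Client_Query", type="dns", sensor="pvs-1",
           log="DNS query for example.com"),
]
```

Running `evaluate([SSH_RULE, DNS_RULE], rec)` over the four records gives the syslog action for the first, nothing for the second (source address inside the excluded 10.0.0.7-15 range) and third (user "(unknown)" excluded), and "ignore" for the DNS query, which also shows that a protocol given by name in the rule matches a record carrying the number.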

Vulnerable

"yes" or "no". Set to yes to match only logs that correlate to hosts known to be vulnerable.

Example values: yes, no

Usage:

Name: E-mail vulnerability correlations
Vulnerable: yes
Command: echo "body: $log" | sendmail rgula@example.com "subject: $event1 from $sip"

Threshold

The number of matching events required within a specified length of time before the rule triggers. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year".

Example value: 5 in a minute

Usage:

Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100

MaxQueue

The number of events that will be held in the event processing queue for this rule; events beyond this number are dropped from rule evaluation.

Example value: 100

Usage:

Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100

RateLimit

The maximum number of times the rule will trigger within a specified length of time, regardless of how many events match. The timeframe can be expressed in "second", "minute", "hour", "day", "week", "month", or "year".

Example value: 1 per minute

Usage:

Name: Potential SSH account username/password guessing
+Events: SSH-Invalid_User, SSH-Failed_Password
+IPs: 10.0.0.0/8
-IPs: 10.0.0.1, 10.0.0.7-15
+Sensors: DMZ-1, DMZ-2
-Users: (unknown)
syslog: 10.10.10.10 "Possible password guessing evidence: $log" -priority 97 -port 514
Threshold: 5 in a minute
RateLimit: 1 per minute
MaxQueue: 100
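How Threshold, RateLimit and MaxQueue interact is easiest to see on a stream of event times. The Python below is an added example for this page, not LCE code. It models the three options as sliding windows: Threshold counts matching events inside its window, RateLimit caps how many times the action runs inside its window, and MaxQueue bounds how many events are held for evaluation (a new event is dropped when the queue is full). This page does not describe how LCE actually keeps this state, so the window model is the example's assumption; the timestamps are in seconds and the event streams are constructed.

```python
"""Added example for this page, not LCE code: a sliding-window model of the
Threshold, RateLimit and MaxQueue options.  The window semantics are this
example's assumption; timestamps are seconds and the streams are constructed."""
from collections import deque
import re

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
          "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}


def parse_window(spec):
    """'5 in a minute' or '1 per minute' -> (5, 60), using the page's unit names."""
    m = re.fullmatch(r"(\d+)\s+(?:in|per)\s+(?:an?\s+)?([a-z]+)", spec.strip().lower())
    if not m:
        raise ValueError("bad window spec: %r" % spec)
    return int(m.group(1)), _UNITS[m.group(2).rstrip("s")]


class RuleCounter:
    """Per-rule state: queued event times and the times the action last ran."""

    def __init__(self, threshold, ratelimit, maxqueue):
        self.need, self.t_win = parse_window(threshold)        # Threshold
        self.max_fires, self.r_win = parse_window(ratelimit)   # RateLimit
        self.maxqueue = int(maxqueue)                          # MaxQueue
        self.events, self.fires, self.dropped = deque(), deque(), 0

    def offer(self, ts):
        """Feed one already-matched event at time ts; True if the action runs now."""
        while self.events and self.events[0] <= ts - self.t_win:
            self.events.popleft()                # fell outside the Threshold window
        if len(self.events) >= self.maxqueue:
            self.dropped += 1                    # MaxQueue reached: not evaluated
            return False
        self.events.append(ts)
        if len(self.events) < self.need:
            return False                         # Threshold not yet reached
        while self.fires and self.fires[0] <= ts - self.r_win:
            self.fires.popleft()                 # fell outside the RateLimit window
        if len(self.fires) >= self.max_fires:
            return False                         # RateLimit: fired enough already
        self.fires.append(ts)
        return True


def simulate(timestamps, threshold="5 in a minute", ratelimit="1 per minute",
             maxqueue=100):
    """Run a stream of event times through one counter; return the times the
    action ran.  Defaults are the page's SSH-guessing rule."""
    counter = RuleCounter(threshold, ratelimit, maxqueue)
    return [ts for ts in timestamps if counter.offer(ts)]


# Constructed streams of SSH failure times (seconds) for the page's rule.
BURST_THEN_QUIET = [0, 2, 4, 6, 8, 10, 12, 14, 100, 130, 160, 190]
STEADY_GUESSING = list(range(0, 120, 5))   # one failure every 5 s for two minutes
```

With the page's values, the burst fires once at the fifth failure (t=8) and the three failures that follow inside the same minute are absorbed by RateLimit; the later, slower failures never reach five within a minute. The steady stream fires at t=20 and again at t=80, once the first trigger has aged out of the one-minute RateLimit window. Setting MaxQueue below the Threshold count (for instance 3 with "5 in a minute") means the rule can never fire, because the extra events are dropped before they are counted.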

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.