Alert Condition false positive

Graylog Central (peer support)
1

Hello,

I just created a alert condition to match multiple URLs. It looks like this:

URL Check (Field Content Alert Condition)
Alerting on stream Proxy-Connections
Configuration: Alert is triggered when messages matching <URI_Host: ""bit.ly" OR "136.243.203.174" OR "mail.mei.gov.qa" OR "yip.su" OR "dnsupdateservers.net" OR "microsoftupdate.mom""> are received. Grace period: 0 minutes. Including last message in alert notification. Configured to repeat notifications.

The notification looks like this:

MALICIOUS URL

${if backlog} 
${foreach backlog message} 
Zeitstempel (UTC): ${message.fields.timestamp} 
URI_Host: ${message.fields.URI_Host} 
Client: ${message.fields.Client_Address}
${end}${else}<No backlog> ${end}`

Everything works fine, but I get some false positives, like:

ftp2.de.debian.org
update.libreoffice.org
1c3mlb450ose39j89b4cor60.wpengine.netdna-cdn.com

kind regards
Philipp

2

You can surpass that limit by properly formatting your text snippets, also see Markdown Reference.

Example:

```
TEXT
```
3

Am I the only one?

Am I doing something wrong?

Is there another approach?

4

The alert condition is incorrect. You cannot use logical OR in alert conditions in that way.

Try creating individual alert conditions instead of using the (incorrect) logical OR in your existing alert condition.

5

Thanks. So What about list this as an improvement?

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.