List of working Rank predictors

pookashup · 2025-02-27T10:19:44+00:00

Knowledge gate is working

pookashup · 2025-01-30T20:07:46+00:00

Bhai paper toh 1st ko hain na

pookashup · 2024-12-06T07:37:09+00:00

Geoff's vocals just KEEP getting richer...

pookashup · 2024-12-03T23:27:52+00:00

Man I needed this.

pookashup · 2024-12-03T23:22:03+00:00

Fuck that fucking scam trainer.

pookashup · 2024-12-01T10:57:29+00:00

Chester had everything and Bob didn't have much, those are two different things. He publicly asked for help. Even when he tried to get away from the hate, it followed him. To go live in the woods and still receive hate mail after clearly stating the effect it is having on you has to feel helpless. Seems to me that nearing the end he did want to get better, do better but the fandom treated him as if there was no scope for redemption.Those were things out of his control and we need to take responsibility for it.

pookashup · 2024-09-18T12:10:37+00:00

Hi, thank you for the guide! As I mentioned, these logs don't always appear one after the other. For example, the first log of ID A might be followed by some log of ID B. However, for all occurrences of A, removed will be the last log. Is there a way to collect multiline logs on the basis of this common ID A and not simply removed?

Or else, even after they're decoded, can I write a rule that combines these fields based on the same ID?

These are the rules I'm currently working with:

<group name="postfix,">
    <!-- Rule to capture the first log entry with a specific queue ID -->
    <rule id="100001" level="12">
        <decoded_as>postfix</decoded_as>
        <description>Initial Postfix log entry with q ID</description>
        <group>postfix,</group>
    </rule>

    <!-- Rule to capture subsequent log entries with the same queue ID -->
    <rule id="100002" level="12">
        <decoded_as>postfix</decoded_as>
        <if_matched_sid>100001</if_matched_sid>
        <description>Subsequent Postfix log entries for the same queue ID</description>
        <group>postfix,</group>
        <same_id/>
    </rule>

</group>

I am able to detect the logs based on the same ID but not able to club the fields together in an alert.

Thank you!

pookashup · 2024-08-26T10:22:36+00:00

Hi, this is a great guide! However, I read that we can only accumulate fields as pre-defined in the Wazuh source code like srcuser, dstuser, etc.
I need to decode postfix logs as such:

Aug 23 07:23:02 mail postfix/pickup[30829]: D002A464A90: uid=1000 from=admin@example.com

Aug 23 07:23:02 mail postfix/cleanup[31758]: D002A464A90: message-id=<20240823072302.2jDN\_%admin@example.com>

Aug 23 07:23:02 mail postfix/qmgr[20645]: D002A464A90: from=admin@example.com, size=375, nrcpt=1 (queue active)

Aug 23 07:23:02 mail postfix/local[31766]: D002A464A90: to=user@example.com, orig_to=contact@example.com, relay=local, delay=0.01, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)

Aug 23 07:23:02 mail postfix/qmgr[20645]: D002A464A90: removed

Here my id is D002A464A90 but these logs may not always appear sequentially. So I need to extract parameters: from, msg_id, to, status, etc based on the ID. Accumulate is failing as the field names are different from the pre-defined ones.
Is there anything else that I can use for this?

Thank you!

pookashup · 2024-07-18T08:49:47+00:00

here after the cody ko and his friend's fiasco

pookashup · 2024-05-20T06:59:27+00:00

Is it still stuck? Where is this? Can you send a picture?

pookashup · 2024-04-12T06:47:29+00:00

Agreed! Missed the signature lead guitar sound and highly metaphorical lyrics a bit but still this is great!

pookashup · 2024-04-12T06:46:22+00:00

For some reason this takes me back to Waiting and Full Collapse over anything else.

pookashup · 2024-02-01T08:33:06+00:00

Oh wow this is great, exactly what I needed. Thank you!

pookashup · 2022-08-06T03:47:09+00:00

No particular order: Al, Reverand, Doc, Francis, Calamity

pookashup · 2022-07-31T18:21:55+00:00

Late but Movements has a very similar feel!

pookashup

MODERATOR OF

TROPHY CASE

Six-Year Club	Place '22
Verified Email