Try writing the log to /dev/log rather than sending it over the network.

If you need to send it over the network, check your buffers: are they getting full (and is your receiving syslog daemon keeping up)?
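
As an added illustration of the advice above (configuration written for this page, not taken from the thread or from SEC's own documentation): two SEC rules that forward each event through a socket that stays open, instead of forking a process per line. `udgram` writes to a unix datagram socket such as /dev/log, which is the local path suggested above; `udpsock` keeps one UDP socket open to the remote collector, which removes the `nc` process the quoted rule below spawns for every event. The collector name syslog101 and port 514 come from the thread; the `<14>` priority (facility user, severity info), the `sec` tag and the assumption that the incoming lines are not already syslog-framed are mine.

```sec
# Added example: forward every event over persistent sockets rather than a
# process per line. Both rules match every non-empty event; continue=TakeNext
# on the first lets the second run as well, so each line reaches both
# destinations. Keep only the rule you need.

# Local delivery to the syslog daemon listening on /dev/log (a datagram socket
# on Linux). <14> = facility user, severity info; the daemon adds timestamp and
# host. The 'sec' tag is an assumption.
type=Single
ptype=RegExp
pattern=.
continue=TakeNext
desc=forward to local syslog
action=udgram /dev/log <14>sec: $0

# Remote delivery: one UDP socket to syslog101:514 is opened on first use and
# reused for every following event.
type=Single
ptype=RegExp
pattern=.
desc=forward to remote collector
action=udpsock syslog101:514 <14>sec: $0
```

SEC is single-threaded, so `pipe ... nc` costs a fork and exec per event; at the 15000 events/s reported below, that is where the CPU jump and the missing lines are consistent with coming from, and a persistent socket reduces each event to one send. If the input lines already carry a `<PRI>` header, send `$0` unchanged instead of prefixing `<14>`. On the receiving side, the daemon's own UDP receive buffer still has to keep up, which is the buffer check the reply asks for.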

On Tue, 27 Aug 2019, Santhosh Kumar wrote:

Date: Tue, 27 Aug 2019 10:55:44 +0900
From: Santhosh Kumar <santhoshkmrre...@gmail.com>
To: Risto Vaarandi <risto.vaara...@gmail.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] (no subject)

Hello Risto


I've been running tests on SEC for a while and am stuck on the points below. I'm
not familiar with Perl, though I tried to find a solution in the sec mail
archive, but no luck. Please suggest whether this can be achieved with high
performance.



  1. I could see log drops when I tested with an event rate of 15000
  logs/sec, using a simple SEC rule to receive and forward all the logs to a
  destination. The output shows a relatively smaller number of logs. This also
  increases the CPU usage from 0.3% to 45%.

************************

# forwards each event by spawning a separate 'nc' process for it;
# events that contain neither a digit nor '.' do not match the pattern
# and are therefore not forwarded
type=Single
ptype=RegExp
pattern=([.\d]+)
desc=$1
action=pipe $0 nc syslog101 514

************************

  2. In a different scenario, I was interested in matching the logs against a
  list of IOCs. Here I was trying to mail the detected log along with the IOC
  name. I could achieve it to a certain level, as in the example below, but had
  no luck with this case: "Split the IPs from the IOC file and use them in the
  'pattern' to match IPs from the logs".

************************

IOC_data_proposal.txt

187.163.222.244:465 - emotet
187.189.195.208:8443 - emotet
188.166.253.46:8080 - emotet
189.209.217.49:80 - heartbleed

************************

Please check and share some insights.

E.g., I currently tested the case below and it's working fine, as this is a
straightforward IOC match.

************************

# Current rule for matching IOCs:

# at startup (sec must run with --intevents), read the IOC file and feed its
# lines back in as synthetic events carrying the IOC_IP context; the IOC
# context is the one the per-IP aliases below attach to
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load IOC data
action=logonly; delete IOC; create IOC; \
       lcall %iocevents -> ( sub { scalar `cat /usr/local/bin/sec-rules/ioc_data.txt` } ); \
       cevent IOC_IP 0 %iocevents

# for every IP line fed in above, add the alias IOC_<ip> to the IOC context
type=Single
ptype=RegExp
pattern=.
context=IOC_IP
desc=create an entry
action=logonly; alias IOC IOC_$0

# fire when the IP in the log line ($2) has an IOC_<ip> alias
type=Single
ptype=RegExp
pattern=syslog.*hostname=([\w\-\d]+).*IP=([\d\.]+)
context=IOC_$2
desc=Matched host & ip: $1 && $2
action=pipe '$0' mail -s '%s' 'test123.gmail.com'

IOC_data.txt

187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49
187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49

************************

Regards,

san
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
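
The IOC question in the quoted message, worked as an added example (rules written for this page, not the poster's or the SEC project's): instead of one context per IP, load the `ip:port - name` file into a Perl hash once with `lcall`, then resolve the IP from each log line with a single hash lookup and mail only on a hit, with the IOC name in the subject. The log pattern, the internal-event pattern and the /usr/local/bin/sec-rules directory come from the thread; the file name under that directory, the variable names `%count`, `%hit` and `%ioc`, and the recipient soc@example.com are assumptions.

```sec
# Added example: hash-based IOC lookup that keeps the IOC name.
# Requires sec to run with --intevents so SEC_STARTUP / SEC_RESTART /
# SEC_SOFTRESTART are generated.

# Read "ip:port - name" lines into the Perl hash %ioc (key: IP, value: name).
# The Perl code is compiled once at startup; 'our' makes %ioc a package
# variable shared with the lookup rule below. The path is an assumption.
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
desc=load IOC data into a hash
action=lcall %count -> ( sub { our %ioc; %ioc = (); my $n = 0; \
         open(my $fh, '<', '/usr/local/bin/sec-rules/IOC_data_proposal.txt') or return 0; \
         while (my $line = <$fh>) { \
           if ($line =~ /^\s*(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+-\s+(\S+)/) { $ioc{$1} = $2; $n++; } \
         } \
         close($fh); return $n; } ); \
       logonly loaded %count IOC entries

# For each syslog line, pass the extracted IP ($2) into the function as a
# parameter, look it up in %ioc and mail the line only when a name comes back.
# %hit is the IOC name on a match and 0 otherwise, so 'if %hit' gates the mail.
type=Single
ptype=RegExp
pattern=syslog.*hostname=([\w\-]+).*IP=(\d+\.\d+\.\d+\.\d+)
desc=possible IOC match from $2 on $1
action=lcall %hit $2 -> ( sub { our %ioc; return exists $ioc{$_[0]} ? $ioc{$_[0]} : 0 } ); \
       if %hit ( pipe '$0' mail -s 'IOC %hit on host $1 ip $2' soc@example.com )
```

Because the Perl code in `lcall` is compiled once when sec starts, match variables such as `$2` are passed as parameters and read from `@_` rather than referenced inside the sub. The hash is keyed on the bare IP because the log lines in the thread expose only an IP; if the logs carried the port as well, key on `ip:port` instead and the same lookup applies. Each event costs one regex match and one hash lookup regardless of how many IOCs are loaded, which is what keeps this approach usable at the event rates discussed earlier in the thread.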
