Antonio,

You will need to parse the IP address first:
 Exec if $Message =~ /^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3})/ $IP = $1;

The $IP field can (should) be used as the context in the Thresholded rule:

     <Thresholded> 
            Condition  ...
            Threshold  3 
            Interval   60 
            Context    $IP
            Exec       log_info("3 ECHO REPLY packets from host " + $IP); 
     </Thresholded> 

Note that this still does not check whether there are multiple ICMP
responses from the same IP to _different_ IPs.
For that you'd need to parse the destination IP and perhaps use set_var()
and get_var() in the rule to add this check.

Regards,
Botond

On Fri, 13 May 2016 04:16:09 +0200
Antonio Cuesta García <antoniocuest...@hotmail.com> wrote:

> Hi, I'm a student and a newbie with nxlog. How would I write a rule
> which detects that multiple ICMP responses are being made from the same
> IP, in which there are different IPs?
> 
> A sample file:
> 
> 05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:2  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:3  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:4  ECHO REPLY
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:5  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:6  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:7  ECHO REPLY
> 
> 
> I had thought of a "Thresholded" rule but I don't know if I have to
> use contexts.
> 
> Sorry for the translation. I’m Spanish.
> 
> 
> 
> I do this:
> 
> <Input in4> 
>     Module    im_file 
>     File    "/home/antonio/Descargas/sn" 
>     SavePos    TRUE
>     ReadFromLast TRUE
>     Exec    if ($raw_event =~ /^(\(.+)/) { \
>                     $Message = $1;    \
>                     $raw_event = $Message;         \
>                 } 
> </Input> 
>  
>  
> <Output out4> 
>     Module    om_file 
>     File    "/home/antonio/Descargas/nx" 
> </Output> 
>  
> <Processor evcorr> 
>     Module       pm_evcorr 
>  
>     <Thresholded> 
>            Condition  $Message =~ /^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\n.*?ECHO REPLY/
>            Threshold  3
>            Interval   60
>            Exec       log_info("20 ECHO REPLY packets from host $1");
>     </Thresholded> 
>  
> </Processor> 
>  
> <Route 2> 
>     Path    in4 => evcorr => out4 
> </Route>
> 
> 
> But this only copies the text of in4 into out4. And I want that, when it
> detects, it writes in out4: "20 ECHO REPLY packets from host $1"
> 
> Thanksss! 😊 

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users