Re: [Simple-evcorr-users] PairWithWindow rule with misleading behaviour
On Wed, 5 Sep 2012, mindman101 wrote:

> Hello Sec users,
>
> I've written two PairWithWindow rules that just differ in the order they
> match events.
>
> The first rule waits for a first event like this:
>
>   Link down on interface FastEthernet and ip 10.10.10.10
>
> and waits for a second event for up to 10 seconds. For example:
>
>   Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11
>
> On the other hand, the second rule is almost the first just on a switched
> order, I mean, it waits for a first event like this:
>
>   Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11
>
> and a second one for up to 10 seconds like this one:
>
>   Link down on interface FastEthernet and ip 10.10.10.10
>
> Both rules work perfectly on separate config files but when I put them
> together on the same config file, just the first one works as expected.
>
> Do you have any idea of this misleading behavior?

My guess is that you are being tripped up by the fact that by default the
first rule that matches ends processing of that log message. Try adding
continue=takenext to the first rule and see if that works.

David Lang

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
Re: [Simple-evcorr-users] PairWithWindow rule with misleading behaviour
In message alpine.deb.2.02.1209051632420.31...@asgard.lang.hm, da...@lang.hm writes:

> On Wed, 5 Sep 2012, mindman101 wrote:
>
>> I've written two PairWithWindow rules that just differ in the order they
>> match events.
>>
>> The first rule waits for a first event like this:
>>
>>   Link down on interface FastEthernet and ip 10.10.10.10
>>
>> and waits for a second event for up to 10 seconds. For example:
>>
>>   Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11

Let's call this rule 1.

>> On the other hand, the second rule is almost the first just on a switched
>> order, I mean, it waits for a first event like this:
>>
>>   Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11
>>
>> and a second one for up to 10 seconds like this one:
>>
>>   Link down on interface FastEthernet and ip 10.10.10.10

Let's call this rule 2.

>> Both rules work perfectly on separate config files but when I put them
>> together on the same config file, just the first one works as expected.
>>
>> Do you have any idea of this misleading behavior?
>
> My guess is that you are being tripped up by the fact that by default the
> first rule that matches ends processing of that log message. Try adding
> continue=takenext to the first rule and see if that works.

To further expand on David's explanation, assume a rule file with rule 1
before rule 2. The following events (in order) come in:

  event 1) Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11
  event 2) Link down on interface FastEthernet and ip 10.10.10.10

When event 1 comes in, rule 2 is triggered, consumes event 1 and starts
looking for event 2. When event 2 comes in, rule 1 gets started and event 1
is consumed. Rule 2 never sees event 2 because it is consumed by rule 1.

David's continue option causes rule 1 to pass event 2 to the next rule
(rule 2) in the file and trigger the pairwithwindow rule.

However this is an odd set of rules. What are you trying to do? Just
determine if event 1 and event 2 occur within 10 seconds of each other
regardless of the order in which they arrive?

If so see http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf section
3.9.2 (page 27) titled "Recognizing coinciding events", which can be
easily expanded to more than 2 events.

--
rouilj
John Rouillard
===
My employers don't acknowledge my existence much less my opinions.
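The rule-order walk John describes, as an added Python simulation that is not SEC's own code: rules are tried in file order, the first rule that consumes a line ends processing unless it carries continue=takenext, and the two events arrive Ospf first, Link down second. The class, the run() helper and the timestamps are constructed for illustration and simplify SEC's real matching.

```python
import re

# Simplified model of how SEC walks its rule list for one input line: rules are
# tried in file order, and the first rule that consumes the line ends processing
# unless it carries continue=TakeNext (continue2 covers the second pattern).
# Constructed for this thread; it is not SEC's own code.
class PairWithWindow:
    def __init__(self, name, pattern, pattern2, window, cont=False, cont2=False):
        self.name = name
        self.pattern = re.compile(pattern)
        self.pattern2 = re.compile(pattern2)
        self.window = window
        self.cont, self.cont2 = cont, cont2  # continue / continue2 options
        self.started_at = None               # time of the consumed first event
        self.paired = []                     # (first, second) pairs completed

    def feed(self, line, now):
        """Return (consumed, pass_on): consumed this line / next rule may see it."""
        if self.started_at is not None and now - self.started_at > self.window:
            self.started_at = None           # window expired, operation ends
        if self.started_at is not None and self.pattern2.search(line):
            self.paired.append((self.started_at, now))
            self.started_at = None
            return True, self.cont2
        if self.started_at is None and self.pattern.search(line):
            self.started_at = now
            return True, self.cont
        return False, True

def run(rules, events):
    """Feed (timestamp, line) events through the rules in file order."""
    for now, line in events:
        for rule in rules:
            consumed, pass_on = rule.feed(line, now)
            if consumed and not pass_on:
                break                        # default: first match ends processing
    return {r.name: len(r.paired) for r in rules}

LINK = r"Link down on interface FastEthernet and ip 10\.10\.10\.10"
OSPF = r"Ospf on device 10\.10\.10\.10 has changed neighbor 11\.11\.11\.11"
# Constructed input: event 1 (Ospf) arrives 3 seconds before event 2 (Link down).
EVENTS = [(0, "Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11"),
          (3, "Link down on interface FastEthernet and ip 10.10.10.10")]

def without_takenext():                      # rule 1 swallows event 2
    return run([PairWithWindow("rule1", LINK, OSPF, 10),
                PairWithWindow("rule2", OSPF, LINK, 10)], EVENTS)

def with_takenext():                         # rule 1 passes event 2 on to rule 2
    return run([PairWithWindow("rule1", LINK, OSPF, 10, cont=True),
                PairWithWindow("rule2", OSPF, LINK, 10)], EVENTS)
```

Without takenext neither rule completes a pair; with continue=takenext on rule 1, rule 2 pairs event 1 with event 2 inside the 10 second window.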
Re: [Simple-evcorr-users] PairWithWindow rule with misleading behaviour
In message 201209060153.q861rr5u022...@mx1.cs.umb.edu, John P. Rouillard writes:

> However this is an odd set of rules. What are you trying to do? Just
> determine if event 1 and event 2 occur within 10 seconds of each other
> regardless of the order in which they arrive?
>
> If so see ...

I forgot to mention that the EventGroup rule (in SEC version 2.6.2) should
also be able to do this order independent correlation much more directly
than the method in the paper above. I think the following (untested, and I
am not as familiar with the EventGroup rule as I would like) should work:

  type = EventGroup2
  ptype = regexp
  pattern = Link down on interface FastEthernet and ip 10.10.10.10
  ptype2 = regexp
  pattern2 = Ospf on device 10.10.10.10 has changed neighbor 11.11.11.11
  desc = detect pattern and pattern2 arriving in any order within 10 seconds
  action = write - say event1 and event2 in 10 seconds
  window = 10

If I am wrong hopefully somebody will correct this.

--
rouilj
John Rouillard
===
My employers don't acknowledge my existence much less my opinions.