Instead of adding values to a context you could save the values in a
perl hash formatting as you go along.
For example (not tested):
Rule action collecting IP per connection:
action=eval %ip_msg ($ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )
Rule action collecting UID per connection (notice concatenation period before '=' sign):
action=eval %uid_msg ($ldap_conn{$1} .= " per user $2"; return $ldap_conn{$1}; )
Success rule action:
action=eval %success_msg (my $msg = "conn=$1 authentication succeeded $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
Failure rule action:
action=eval %failure_msg (my $msg = "conn=$1 authentication failed $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
You'd save the preferred log's timestamp somewhere in there.
Regards,
Rock
From: Don Faulkner [mailto:[email protected]]
Sent: Monday, April 13, 2009 12:58 PM
To: [email protected]
Subject: [Simple-evcorr-users] detecting LDAP authentication failures (long)
Good morning all.
I'm working with an older version of an LDAP server that doesn't support
syslog in any form. As a result I'm having to read through the LDAP
server's access logs. I'm trying to detect successful & failed
authentication attempts and then write an event to syslog (so our
central loghost can read it).
What I want out are syslog entries that look more or less like this:
Mar 7 04:30:50 ldap-server ldap: [conn=14758663] Authentication succeeded for username1 from 1.1.1.2
Mar 7 04:43:43 ldap-server ldap: [conn=14758706] Authentication failed for username2 from 1.1.1.3
Here's my problem. I can find the conn#, the ip, the username, and
detect success/failure. I'm currently doing that by dumping all that
info into a context in NAME=value pairs. To write it out, I've had to
call an external perl script to parse the context dump and return a
reasonable one-line string. There has to be a better way.
I'd appreciate any advice. Below, I've listed a sample success &
failure, as well as the rules I'm currently using.
======
Here's a successful authentication (note that err=0):
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - closed.
Here's an unsuccessful authentication (note that err=49):
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username2)" attrs=ALL
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - closed.
I've almost got this. Here's the ruleset so far:
# notice the beginning of a connection.
# create a context named for the conn#, add timestamp and source ip.
type=single
continue=takenext
ptype=regexp
pattern=\[([^ ]+) .*\] conn=(\d+) .* LDAP connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
desc=LDAP session opened from $3
action=create ldap_conn_$2;\
add ldap_conn_$2 LDAP_STAMP=$1;\
add ldap_conn_$2 LDAP_IP=$3;
# notice the bind attempt, add the uid to the context.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
context=ldap_conn_$1
desc=LDAP session $1 uid is $2
action=add ldap_conn_$1 LDAP_UID=$2;
# catch an authentication failure.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+).*RESULT err=49
context=ldap_conn_$1
desc=LDAP connection $1 has bad credentials
action=report ldap_conn_$1 $HOME/bin/ldap-bad-auth.pl
# catch the rest
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+)
context=ldap_conn_$1
desc=LDAP session event for $1
action=none
# catch the end of the connection. delete the context
type=single
ptype=regexp
pattern=conn=(\d+) .* - closing -
context=ldap_conn_$1
desc=LDAP session closed for $1
action=delete ldap_conn_$1
--
Don Faulkner
[email protected]
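As an added example (not code from either poster, and not SEC itself), here is the per-connection bookkeeping Rock describes and Don's ruleset implements, written as a stand-alone Python correlator over the sample sessions above. It assumes the host name ldap-server from the desired output, and it counts a RESULT as the authentication outcome only when its op number matches the named BIND, because the anonymous BIND (dn="") and the SRCH also return err=0.

```python
import re

# Constructed sample: the two sessions quoted in the thread, condensed to the lines that matter.
SAMPLE_LOG = """\
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
"""

LINE_RE = re.compile(r'^\[(\d{2})/(\w{3})/\d{4}:(\d{2}:\d{2}:\d{2}) [^\]]*\] conn=(\d+) op=(-?\d+) msgId=-?\d+ - (.*)$')
OPEN_RE = re.compile(r'LDAP connection from (\d{1,3}(?:\.\d{1,3}){3}) to')
BIND_RE = re.compile(r'BIND dn="uid=(\w+),')
RESULT_RE = re.compile(r'RESULT err=(\d+)')

def correlate(lines, host="ldap-server"):
    conns = {}  # conn id -> {"ip": ..., "uid": ..., "bind_op": ...}; the hash from Rock's reply
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        day, mon, hms, conn, op, msg = m.groups()
        stamp = f"{mon} {int(day)} {hms}"  # 07/Mar/2009:04:31:50 -> "Mar 7 04:31:50"
        if (o := OPEN_RE.search(msg)):
            conns[conn] = {"ip": o.group(1)}  # like 'create ldap_conn_$2' in the ruleset
        elif conn not in conns:
            continue  # no open session for this conn: ignore, like context=ldap_conn_$1
        elif (b := BIND_RE.search(msg)):
            conns[conn].update(uid=b.group(1), bind_op=op)  # remember which op is the named BIND
        elif (r := RESULT_RE.search(msg)) and conns[conn].get("bind_op") == op:
            # Only the RESULT answering the named BIND decides; anonymous BIND and SRCH also give err=0.
            c = conns[conn]
            outcome = "succeeded" if r.group(1) == "0" else "failed"
            events.append(f"{stamp} {host} ldap: [conn={conn}] Authentication {outcome} "
                          f"for {c['uid']} from {c['ip']}")
            del c["bind_op"]
        elif msg.startswith("closing"):
            conns.pop(conn, None)  # session over: drop state, like 'action=delete ldap_conn_$1'
    return events
```

Each returned string can be handed to syslog as-is; a RESULT for a connection that was never seen opening is ignored rather than reported with missing fields.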