The goal is for a context to be triggered once >= 5 matches happen within 60 seconds. If additional matches happen before the context becomes stale, the context should be extended for an additional 30 seconds. When the context becomes stale, a summary email showing all matched lines should be sent out containing all matching entries.
It seems that the contexts get created but it doesn't always send emails. When it does send emails, it only sends mails out for one or two of the contexts and I'm not sure why.

Example log lines:

Sep 24 09:42:02.399 util3.wha01.dev1.int sshd[10552]: Failed password for admin from 10.107.24.195 port 46937 ssh2
Sep 25 10:37:07.105 build1.qa1.int sshd[4481]: Failed password for moneymaker from 10.123.200.31 port 43842 ssh2
Sep 30 17:27:56.247 init1.nyc22.int sshd[8156]: Failed password for codebuild from 10.122.221.187 port 59681 ssh2
Sep 30 17:37:55.389 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
Sep 30 17:38:01.232 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
Oct 6 12:50:29.000 ops1.sys.adm1.int sshd[6964]: Failed password for tmales from 10.121.103.165 port 53182 ssh2

==================================================
# create the context on the initial triggering cluster of events
type=SingleWithThreshold
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Possible brute force attack (ssh) user $3 on $1 from $4
window=60
thresh=5
context=!SSH_BRUTE_FROM_$4
action=create SSH_BRUTE_FROM_$4 60 (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack on $1 from $4" syst...@mycompany.com); add SSH_BRUTE_FROM_$4 5 failed ssh attempts within 60 seconds detected; add SSH_BRUTE_FROM_$4 $0

# add subsequent events to the context
type=Single
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Possible brute force attack (ssh) user $3 on $1 from $4
context=SSH_BRUTE_FROM_$4
action=add SSH_BRUTE_FROM_$4 "Additional event: $0"; set SSH_BRUTE_FROM_$4 30
==================================================

Example paste from sec.pl -input=- -debug=6 after copy/pasting a bunch of log entries into it and waiting a few:

Deleting stale context 'SSH_BRUTE_FROM_10.144.130.55'
Stale context 'SSH_BRUTE_FROM_10.144.130.55' deleted
Deleting stale context 'SSH_BRUTE_FROM_10.109.20.135'
Stale context 'SSH_BRUTE_FROM_10.109.20.135' deleted
Deleting stale context 'SSH_BRUTE_FROM_10.107.21.220'
Stale context 'SSH_BRUTE_FROM_10.107.21.220' deleted
Deleting stale context 'SSH_BRUTE_FROM_10.107.24.195'
Stale context 'SSH_BRUTE_FROM_10.107.24.195' deleted
Deleting stale context 'SSH_BRUTE_FROM_10.107.24.38'
Reporting the event store of context 'SSH_BRUTE_FROM_10.107.24.38' through shell command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com
Child 25908 created for command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com'
Stale context 'SSH_BRUTE_FROM_10.107.28.38' deleted

What am I doing wrong?

Thanks
--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
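The two rules restated so that the summary mail survives the 30-second extensions, as an added example rather than the rules from the post: SEC's set action replaces a context's action list along with its lifetime, so set SSH_BRUTE_FROM_$4 30 with no action list leaves every extended context with nothing to run when it expires, which fits the debug output where most contexts are deleted without a report. The example also keys the threshold on the source address alone and uses a placeholder mail address.

```sec
# Added example, not the rules from the post: the same two-rule design
# with the pending report kept alive across extensions. Assumes the SEC
# rule syntax used above; the mail address is a placeholder.

# Rule 1: open a per-source-IP context on 5 failures within 60 seconds.
# SEC counts SingleWithThreshold matches per distinct desc string, so the
# desc here names only the source address; the original desc also carried
# the user and host, which counted each (host, user, IP) tuple separately
# and never fired on 5 failures spread over different accounts.
type=SingleWithThreshold
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Possible ssh brute force from $4
window=60
thresh=5
context=!SSH_BRUTE_FROM_$4
action=create SSH_BRUTE_FROM_$4 60 \
         (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack from $4" security-team@example.com); \
       add SSH_BRUTE_FROM_$4 5 failed ssh attempts within 60 seconds detected from $4; \
       add SSH_BRUTE_FROM_$4 $0

# Rule 2: while the context exists, store each further failure and extend
# the context by 30 seconds. set replaces the context's action list, so a
# bare "set SSH_BRUTE_FROM_$4 30" leaves the context with no actions and
# the report is never run when it expires; the report is restated here.
type=Single
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Additional ssh failure from $4
context=SSH_BRUTE_FROM_$4
action=add SSH_BRUTE_FROM_$4 Additional event: $0; \
       set SSH_BRUTE_FROM_$4 30 \
         (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack from $4" security-team@example.com)
```

With -debug=6 a correctly extended context should now log "Reporting the event store of context ..." at every expiry, not only for contexts that received no additional events.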