On 10/07/2009 05:44 PM, Jeff Schroeder wrote:
> On Wed, Oct 7, 2009 at 4:02 AM, Risto Vaarandi<rvaara...@yahoo.com>  wrote:
>> Jeff,
>> with the current version of SEC, you also have to provide action-on-expire 
>> for 'set' -- if only lifetime is provided, the action-on-expire will be 
>> cleared. This issue was actually recently discussed in this list, and since 
>> there have been no objections to changing the semantics of 'set', in the 
>> next version you have to indicate empty action-on-expire explicitly. In 
>> other words, your ruleset will work without changes for the next version :)
>> BR,
>> risto
>
> Alright great. Two questions for you now. When will the next version
> be released :)
>
> What would the syntax for the action on expire look like? I'm not quite
> sure how to modify my config to work with the latest released version
> of sec.

Here's the exact description of the change:

If you currently create a context with the following statement:
create MYCONTEXT 30 (report MYCONTEXT /bin/mail root)

and then the following action is executed:
set MYCONTEXT 30

the 'set' action above will *only* extend the lifetime of MYCONTEXT to
30 seconds without the 'report' action being executed when the context
expires (in other words, SEC will clear the action list you specified at
the creation of the context, since it was not given). In order to have
the desired effect with the current version of SEC, you must write the
above action as:
set MYCONTEXT 30 (report MYCONTEXT /bin/mail root)

In the following version, 'set MYCONTEXT 30' would no longer drop the 
action list. If one wishes to erase the action-on-expire, this would 
have to be done explicitly, e.g., 'set MYCONTEXT 30 -'

hth,
risto
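To make the two semantics concrete, here is a small Python model of SEC's context table (added here; it is not SEC's code) that replays the two rules from the original post over constructed sample events, with the 'set' behaviour switchable between the released semantics described above and the announced next-version semantics. The class and function names and the sample events are my own; the string "report" stands in for the '/bin/mail' report action.

```python
import re
from collections import defaultdict
# Regex from the posted ruleset; groups: $1 host, $2 "password", $3 user, $4 source IP
PATTERN = re.compile(r"^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for "
                     r"(?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)")
# Constructed sample input (not real logs): five failures within 60 s, then a sixth at t=40
LINE = ("Sep 30 17:{m:02d}:{s:02d}.000 build1.qa1.int sshd[14437]: Failed password for "
        "invalid user jdoe from 10.107.21.161 port 50804 ssh2")
EVENTS = [(t, LINE.format(m=37, s=55 + t)) for t in range(5)] + [(40, LINE.format(m=38, s=35))]

class Contexts:
    """Toy model of SEC's context table: name -> [expire_at, action_on_expire, event_store]."""
    def __init__(self, set_keeps_action):
        # False: 'set' without an action list clears it (released SEC); True: kept unless '-' given
        self.set_keeps_action = set_keeps_action
        self.table, self.reports = {}, []
    def create(self, name, now, lifetime, action=None):
        self.table[name] = [now + lifetime, action, []]
    def add(self, name, line):
        self.table[name][2].append(line)
    def set(self, name, now, lifetime, action=None):
        ctx = self.table[name]
        ctx[0] = now + lifetime
        if action is not None or not self.set_keeps_action:  # '-' is the explicit erase
            ctx[1] = None if action == "-" else action
    def expire(self, now):
        for name in [n for n, c in self.table.items() if c[0] <= now]:
            _, action, store = self.table.pop(name)
            if action == "report":  # stands in for 'report CTX /bin/mail ...'
                self.reports.append((name, list(store)))

def run(events, set_keeps_action):
    """Replay the two posted rules over events; return what was reported at expiration."""
    ctx, hits = Contexts(set_keeps_action), defaultdict(list)
    for now, line in events:
        ctx.expire(now)
        m = PATTERN.match(line)
        if not m:
            continue
        name = f"SSH_BRUTE_FROM_{m.group(4)}"
        if name not in ctx.table:  # rule 1: SingleWithThreshold, window=60, thresh=5
            hits[name] = [t for t in hits[name] if now - t < 60] + [now]
            if len(hits[name]) >= 5:
                ctx.create(name, now, 60, "report")
                ctx.add(name, "5 failed ssh attempts within 60 seconds detected")
                ctx.add(name, line)
        else:  # rule 2: Single, fires only while the context exists
            ctx.add(name, f"Additional event: {line}")
            ctx.set(name, now, 30)  # the posted 'set SSH_BRUTE_FROM_$4 30' with no action list
    ctx.expire(events[-1][0] + 3600)  # let every context go stale
    return ctx.reports
```

With the released semantics `run(EVENTS, False)` reports nothing, because the sixth event's 'set' drops the report action; with the next-version semantics the same input yields one report holding the header line, the triggering event and the additional event.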

>
>
>>> From: Jeff Schroeder<jeffschr...@gmail.com>
>>> Subject: [Simple-evcorr-users] Problem using SingleWithThreshold
>>> To: "SEC"<simple-evcorr-users@lists.sourceforge.net>
>>> Date: Wednesday, October 7, 2009, 2:34 AM
>>> The goal is for a context to be triggered once >= 5 matches happen
>>> within 60 seconds. If additional matches happen before the context
>>> becomes stale, the context should be extended for an additional 30
>>> seconds. When the context becomes stale, a summary email showing all
>>> matched lines should be sent out containing all matching entries.
>>>
>>> It seems that the contexts get created but it doesn't always send
>>> emails. When it does send emails, it only sends mails out for 1 or two
>>> of the contexts and I'm not sure why.
>>>
>>> Example log lines:
>>> Sep 24 09:42:02.399 util3.wha01.dev1.int sshd[10552]: Failed password for admin from 10.107.24.195 port 46937 ssh2
>>> Sep 25 10:37:07.105 build1.qa1.int sshd[4481]: Failed password for moneymaker from 10.123.200.31 port 43842 ssh2
>>> Sep 30 17:27:56.247 init1.nyc22.int sshd[8156]: Failed password for codebuild from 10.122.221.187 port 59681 ssh2
>>> Sep 30 17:37:55.389 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
>>> Sep 30 17:38:01.232 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
>>> Oct  6 12:50:29.000 ops1.sys.adm1.int sshd[6964]: Failed password for tmales from 10.121.103.165 port 53182 ssh2
>>>
>>>
>>> ==================================================
>>> # create the context on the initial triggering cluster of events
>>> type=SingleWithThreshold
>>> ptype=RegExp
>>> pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
>>> desc=Possible brute force attack (ssh) user $3 on $1 from $4
>>> window=60
>>> thresh=5
>>> context=!SSH_BRUTE_FROM_$4
>>> action=create SSH_BRUTE_FROM_$4 60 (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack on $1 from $4" syst...@mycompany.com); add SSH_BRUTE_FROM_$4 5 failed ssh attempts within 60 seconds detected; add SSH_BRUTE_FROM_$4 $0
>>>
>>> # add subsequent events to the context
>>> type=Single
>>> ptype=RegExp
>>> pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
>>> desc=Possible brute force attack (ssh) user $3 on $1 from $4
>>> context=SSH_BRUTE_FROM_$4
>>> action=add SSH_BRUTE_FROM_$4 "Additional event: $0"; set SSH_BRUTE_FROM_$4 30
>>> ==================================================
>>>
>>> Example paste from sec.pl -input=- -debug=6 after copy/pasting a bunch
>>> of log entries into it and waiting a few:
>>> Deleting stale context 'SSH_BRUTE_FROM_10.144.130.55'
>>> Stale context 'SSH_BRUTE_FROM_10.144.130.55' deleted
>>> Deleting stale context 'SSH_BRUTE_FROM_10.109.20.135'
>>> Stale context 'SSH_BRUTE_FROM_10.109.20.135' deleted
>>> Deleting stale context 'SSH_BRUTE_FROM_10.107.21.220'
>>> Stale context 'SSH_BRUTE_FROM_10.107.21.220' deleted
>>> Deleting stale context 'SSH_BRUTE_FROM_10.107.24.195'
>>> Stale context 'SSH_BRUTE_FROM_10.107.24.195' deleted
>>> Deleting stale context 'SSH_BRUTE_FROM_10.107.24.38'
>>> Reporting the event store of context 'SSH_BRUTE_FROM_10.107.24.38' through shell command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com
>>> Child 25908 created for command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com'
>>> Stale context 'SSH_BRUTE_FROM_10.107.28.38' deleted
>>>
>>>
>>> What am I doing wrong?
>>>
>>> Thanks
>>>
>>> --
>>> Jeff Schroeder
>>>
>>> Don't drink and derive, alcohol and analysis don't mix.
>>> http://www.digitalprognosis.com
>>>


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users