In message <4d679119.5060...@seb.ee>, Risto Vaarandi writes:

>I'd like to return to a topic recently discussed in the mailing list.
>I am in the process of implementing a pattern match caching for SEC, and
>it is really hard to decide which way is the best one. Currently, I have
>already implemented a separate Parse rule for this purpose. For example,
>
>type=Parse
>ptype=RegExp
>pattern=sshd\[(?'pid'\d+)\]: Failed (?'auth'\w+) for (?'user'[\w.-]+) from (?'ip'[\d.]+)
>continue=TakeNext
>dpat=sshd-login-failure
>
>would create a new dynamic pattern sshd-login-failure,
Does Parse also include the action and context keywords? Also, if the context is false, is dpat created and are $+auth, $+user and $+ip defined? I assume not.

>and this pattern
>could be reused by the following rules:
>
>type=SingleWithThreshold
>ptype=dynamic
>pattern=sshd-login-failure
>continue=TakeNext
>desc=3 login failures for user $+{user}
>action=write - %s
>thresh=3
>window=60
>
>type=SingleWithThreshold
>ptype=dynamic
>pattern=sshd-login-failure
>continue=TakeNext
>desc=3 login failures from IP address $+{ip}
>action=write - %s
>thresh=3
>window=60
>
>The above two rules would only look into a pattern match cache that is
>reinitialized each time a new line is read from input. If an entity with
>a given name is found in the match cache, the rule pattern matches and
>match variables from the cache are used.

I like this since the names are included in the pattern. This prevents the very prevalent problem (IMHO) of incorrectly matching the $N variables to names. E.g. if I modify:

  pattern=sshd\[(?'pid'\d+)\]: Failed (?'auth'\w+) for (?'user'[\w.-]+) from (?'ip'[\d.]+)

to:

  pattern=(sshd\[(?'pid'\d+)\]: Failed (?'auth'\w+) for (?'user'[\w.-]+) from (?'ip'[\d.]+))

I don't need to count parentheses at all as part of reassigning names to $N variables. I envision using this heavily as:

type=Parse
ptype=RegExp
pattern=sshd\[(?'pid'\d+)\]: Failed (?'auth'\w+) for (?'user'[\w.-]+) from (?'ip'[\d.]+)
continue=TakeNext
dpat=sshd-login-failure

# route to ssh parsing rules if prior pattern matched
type = jump
continue = takenext
desc = matches sshd login failure
ptype = dynamic
pattern = sshd-login-failure
cfset = ssh_block

so I can parse a line, then jump to the ruleset that will use the parsed values. Also, is it possible to trigger on multiple pattern matches?
# route to ssh parsing rules if prior pattern matched
type = jump
desc = matches sshd login failure
ptype = dynamic
pattern = sshd-login-failure ssh-login-success
cfset = ssh_access_log

So I can log the auth, user and ip using one rule for both unsuccessful and successful attempts? (In this case I use a jump rule, but this could just as easily be a single rule with a write action, for example.)

>However, there are also different scenarios to consider:
>
>2) implement a separate parameter for the 'varmap' field, e.g.,
>varmap=sshd-login-failure;pid=1;auth=2;user=3;ip=4
>would create an entity sshd-login-failure in the match cache with given
>match variables. An advantage of this approach is that no separate Parse
>rule is needed. On the other hand, a separate rule makes things clearer.

I agree about the Parse rule being clearer, and the varmap still requires the $1...$N to name mapping to be re-calculated if the regexp is changed.

>Also, 'varmap' would create a cache entity even if the rule context
>expression evaluates false

Hmm, why would that be the case? Won't the mapping be done only if the rule would be executed (i.e. if an action would be executed)?

(Also, this brings up an unrelated question: would it be possible to allow an action for a Jump command? This way I can add:

  action = logonly jumping to ssh ruleset

to a jump rule to make tracing easier.)

>-- which is sometimes beneficial, but sometimes might be confusing.

Could you elaborate on when it would be beneficial? I can't think of a use for that off the top of my head.

>3) use a separate action -- however, actions can also be triggered by
>system clock and not by input line, thus there are no match variables as
>such to cache. Even more, the next input line would immediately
>reinitialize the cache which is again somewhat confusing.

Plus, with an action you have to count ()'s again.

So I vote for the Parse rule with the embedded subpattern naming.
-- 
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
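As an added illustration (my own toy code, not part of SEC and not from either message in this thread), the following Python sketches the semantics the two posters are discussing: a Parse-style rule stores the named match variables of a line in a cache under a dpat name, the cache is emptied for every new input line, two SingleWithThreshold-style rules (thresh=3, window=60) read the variables back by name, one logging rule accepts two dpats as asked about above, and numbered_vs_named shows why wrapping the whole pattern in one more pair of parentheses shifts $1 but leaves $+{pid} untouched. The Accepted-login regex, the dpat name sshd-login-success, the sample log lines, the timestamps and all class and function names are constructed assumptions; the thread does not establish how SEC itself would treat a rule listing several dynamic patterns, so that part models the proposal, not the real program.

```python
import re
from collections import defaultdict, deque

# Constructed patterns modelled on the one quoted in the thread. Python spells
# named groups (?P<name>...) where SEC/Perl accept (?'name'...); same idea.
FAILURE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<auth>\w+) for (?P<user>[\w.-]+) from (?P<ip>[\d.]+)"
)
# Assumed companion pattern for successful logins (not from the thread).
SUCCESS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<auth>\w+) for (?P<user>[\w.-]+) from (?P<ip>[\d.]+)"
)


def numbered_vs_named(line):
    """Wrap the whole pattern in one more group: $1 changes meaning,
    while the named variable pid still refers to the pid."""
    plain = FAILURE_RE.search(line)
    wrapped = re.compile("(" + FAILURE_RE.pattern + ")").search(line)
    return {
        "plain_$1": plain.group(1),
        "wrapped_$1": wrapped.group(1),
        "plain_pid": plain.group("pid"),
        "wrapped_pid": wrapped.group("pid"),
    }


class Correlator:
    """Toy model of Parse rule + per-line match cache + ptype=dynamic rules.

    parse_rules: (dpat, regex) pairs; a match stores its named groups in the
    cache under dpat. threshold_rules: (dpat, var, thresh, window, desc).
    access_dpats: the dpats a single logging rule accepts.
    """

    def __init__(self, parse_rules, threshold_rules, access_dpats):
        self.parse_rules = parse_rules
        self.threshold_rules = threshold_rules
        self.access_dpats = access_dpats
        self.hits = defaultdict(deque)      # (desc, value) -> event timestamps
        self.alerts = []
        self.access_log = []

    def feed(self, ts, line):
        cache = {}                          # reinitialised for every input line
        for dpat, rx in self.parse_rules:
            m = rx.search(line)
            if m:
                cache[dpat] = m.groupdict()  # the $+{name} variables for dpat

        # SingleWithThreshold-style rules keyed on one named variable each.
        for dpat, var, thresh, window, desc in self.threshold_rules:
            vars_ = cache.get(dpat)
            if vars_ is None:
                continue                    # dynamic pattern absent: no match
            q = self.hits[(desc, vars_[var])]
            q.append(ts)
            while q and ts - q[0] > window:  # forget events outside the window
                q.popleft()
            if len(q) >= thresh:
                self.alerts.append(desc.replace("$+{%s}" % var, vars_[var]))
                q.clear()

        # One rule consuming several dpats, as in "pattern = a b" above.
        for dpat in self.access_dpats:
            if dpat in cache:
                v = cache[dpat]
                self.access_log.append((dpat, v["auth"], v["user"], v["ip"]))


def build_demo():
    parse_rules = [("sshd-login-failure", FAILURE_RE),
                   ("sshd-login-success", SUCCESS_RE)]
    threshold_rules = [
        ("sshd-login-failure", "user", 3, 60, "3 login failures for user $+{user}"),
        ("sshd-login-failure", "ip", 3, 60, "3 login failures from IP address $+{ip}"),
    ]
    return Correlator(parse_rules, threshold_rules,
                      ["sshd-login-failure", "sshd-login-success"])


# Constructed sample input: (seconds since start, log line).
SAMPLE = [
    (0,   "sshd[4711]: Failed password for alice from 10.0.0.5 port 50001 ssh2"),
    (10,  "sshd[4712]: Failed password for alice from 10.0.0.6 port 50002 ssh2"),
    (20,  "sshd[4713]: Failed password for bob from 10.0.0.5 port 50003 ssh2"),
    (30,  "sshd[4714]: Failed password for alice from 10.0.0.7 port 50004 ssh2"),
    (40,  "sshd[4715]: Failed password for carol from 10.0.0.5 port 50005 ssh2"),
    (50,  "sshd[4716]: Accepted publickey for alice from 10.0.0.8 port 50006 ssh2"),
    (500, "sshd[4717]: Failed password for bob from 10.0.0.9 port 50007 ssh2"),
]


def run_demo():
    c = build_demo()
    for ts, line in SAMPLE:
        c.feed(ts, line)
    return c


if __name__ == "__main__":
    print(numbered_vs_named(SAMPLE[0][1]))
    c = run_demo()
    for a in c.alerts:
        print("ALERT:", a)
    for entry in c.access_log:
        print("ACCESS:", *entry)
```

Running it raises one alert for user alice (three failures at t=0, 10, 30 from three different addresses) and one for 10.0.0.5 (three failures at t=0, 20, 40 by three different users); bob's second failure at t=500 is outside the 60-second window and raises nothing. All seven lines, including the Accepted one, land in the access log through the single two-dpat rule.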