With the help of the online FAQ and a search of the mailing list archives, I've been able to get a rule working which is supposed to alert me of SIP brute force login attempts. The general idea for this rule is that I want to be alerted after only a single failed login, but in the case of brute force attacks, I don't want to end up with hundreds or thousands of email alerts. So I wanted it to open a context and capture similar attempts from the same IP address for 2 minutes, group them into a single alert, and then send it.
Here is my result:

    #SIP Brute Force Attempts
    type=single
    ptype=RegExp
    pattern=^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*
    desc=SIP Registration Failure from $1
    action=add sip_$1 $0; set sip_$1 120 (report sip_$1 /bin/mail -s 'SEC: SIP Brute Force' ad...@example.com -- -f sec@server)

This works, but I have two problems.

1) The context doesn't simply time out after 120 seconds. If more logs are coming in which continue to match the context, the context stays open for an indefinite period of time until no further matches have been seen for 120 seconds. Instead, I want it to alert no matter what after 2 minutes.

2) Instead of emailing me every instance of $0 (which could be thousands of lines), I'd like SEC to include only a single line, along with a count of how many instances there were in the context. Kind of a "last message repeated n times" sort of thing.

Any advice? Should I be using something other than the "set" action, such as "event"? For the line count, should I be using a Perl expression on the context variable "sip_$1"?

Thanks in advance.

-Miles
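As an added illustration, not part of Miles's post or of SEC itself, here is a small Python model of the behaviour he is asking for: the first failure from a source IP opens a fixed 120 s window, later failures from that IP only bump a counter (they never extend the window, which is what the posted rule's per-match "set" does), and when the window expires one alert is emitted carrying the first line and a count. The regex is the one from the posted rule; the Asterisk log line, the IP address and the timestamps are constructed for the demo.

```python
import re

# Same pattern as the posted SEC rule; group 1 is the source IP of the failed REGISTER.
SIP_FAIL = re.compile(
    r"^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] "
    r"NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for "
    r"'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*"
)

class FixedWindowAggregator:
    """Per-IP fixed window: the first failure opens it, later failures only
    bump a counter, and it closes on schedule however many more arrive."""

    def __init__(self, window=120):
        self.window = window
        self.active = {}  # ip -> {"start": t, "first": line, "count": n}

    def feed(self, now, line):
        """Process one log line at time `now`; return alerts for windows that expired."""
        alerts = self.expire(now)
        m = SIP_FAIL.match(line)
        if m:
            ip = m.group(1)
            if ip not in self.active:
                self.active[ip] = {"start": now, "first": line, "count": 1}
            else:
                self.active[ip]["count"] += 1  # counted, but the window is not extended
        return alerts

    def expire(self, now):
        """Close every window whose lifetime has elapsed: one alert per window."""
        alerts = []
        for ip, ctx in list(self.active.items()):
            if now - ctx["start"] >= self.window:
                alerts.append({"ip": ip, "count": ctx["count"], "first": ctx["first"]})
                del self.active[ip]
        return alerts

def run_sample():
    """Constructed scenario: one failure every 10 s for 5 minutes from one IP.
    A sliding window that is reset on each match would never close here; the
    fixed window yields one alert per 120 s, each carrying a count."""
    line = ("[Mar 10 12:00:00] NOTICE[1234] chan_sip.c: Registration from "
            "'\"100\" <sip:100@10.0.0.1>' failed for '192.0.2.10' - No matching peer found")
    agg = FixedWindowAggregator(window=120)
    alerts = []
    for t in range(0, 300, 10):
        alerts += agg.feed(t, line)
    alerts += agg.expire(400)  # a later timer tick flushes the final, partly filled window
    return alerts  # counts: [12, 12, 6]
```

In a real deployment `expire()` would be driven by a periodic timer as well as by incoming lines, so a window still closes on time when the attacker stops sending.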