On Thu, 24 Mar 2011, Miles Stevenson wrote:

> With the help of the online FAQ and a search of the mailing list archives,
> I've been able to get a rule working which is supposed to alert me of SIP
> brute force login attempts. The general idea for this rule is that I want to
> be alerted after only a single failed login, but in the case of brute force
> attacks, I don't want to end up with hundreds or thousands of email alerts.
> So I wanted it to open a context and capture similar attempts from the same
> IP address for 2 minutes, group them into a single alert, and then send it.
>
> Here is my result:
>
> #SIP Brute Force Attempts
> type=single
> ptype=RegExp
> pattern=^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*
> desc=SIP Registration Failure from $1
> action=add sip_$1 $0; set sip_$1 120 (report sip_$1 /bin/mail -s 'SEC: SIP Brute Force' ad...@example.com -- -f sec@server)
>
> This works, but I have two problems.
>
> 1) The context doesn't simply time out after 120 seconds. If more logs are
> coming in which continue to match the context, the context stays open for an
> indefinite period of time until no further matches have been seen for 120
> seconds. Instead, I want it to alert no matter what after 2 minutes.
>
> 2) Instead of emailing me every instance of $0 (which could be thousands of
> lines), I'd like SEC to include only a single line, along with a count of how
> many instances there were in the context. Kind of a "last message repeated n
> times" sort of thing.
>
> Any advice? Should I be using something other than the "set" action, such as
> "event"? For the line count, should I be using a Perl expression on the
> context variable "sip_$1"?
It sounds like what you really want is SingleWithSuppress and set the window to 120 seconds.

David Lang

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
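The two behaviours discussed in this thread, a context whose lifetime is reset by every match (what the posted `add ...; set ... 120` rule does) versus a fixed window measured from the first failure, are easy to confuse, so here is an added Python model of both that is not part of the thread and not SEC code. It reuses the chan_sip regex from the original post (with named groups added), drives expiry from the log line's own HH:MM:SS field, keys one context per source IP, and emits a single "repeated n times" style report per context. The sample log lines are constructed for this example; the aggregator class and its method names are this example's own, not SEC's.

```python
import re

# Log-line pattern adapted from the rule quoted in the thread, with named
# groups for the timestamp and the source address (assumption: the Asterisk
# chan_sip NOTICE format shown in the original post).
SIP_FAIL_RE = re.compile(
    r"^\[[A-Z][a-z]{1,4} [0-9]{1,2} (?P<time>[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2})\] "
    r"NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for "
    r"'(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*"
)


def hms_to_seconds(hms):
    """Seconds since midnight for an HH:MM:SS field (a single day of log assumed)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


class SipFailureAggregator:
    """Per-source-IP contexts that collapse a burst of failures into one report.

    refresh_on_match=True  : every match resets the lifetime, mirroring the
                             'add ...; set ... 120' rule in the post (the
                             context lives as long as matches keep arriving).
    refresh_on_match=False : lifetime is fixed from the first failure, so a
                             report is always emitted within `window` seconds.
    """

    def __init__(self, window=120, refresh_on_match=False):
        self.window = window
        self.refresh_on_match = refresh_on_match
        self.contexts = {}   # ip -> {"expires", "count", "first_line"}
        self.reports = []    # (ip, count, first_line) in emission order

    def _expire(self, now):
        # Close every context whose lifetime has run out at time `now`.
        for ip in list(self.contexts):
            ctx = self.contexts[ip]
            if now >= ctx["expires"]:
                self.reports.append((ip, ctx["count"], ctx["first_line"]))
                del self.contexts[ip]

    def feed(self, line):
        """Consume one log line; return the offending IP, or None if it is not a failure."""
        m = SIP_FAIL_RE.match(line)
        if m is None:
            return None
        now = hms_to_seconds(m.group("time"))
        self._expire(now)          # timer tick: close anything that is due
        ip = m.group("ip")
        ctx = self.contexts.get(ip)
        if ctx is None:
            self.contexts[ip] = {"expires": now + self.window, "count": 1, "first_line": line}
        else:
            ctx["count"] += 1
            if self.refresh_on_match:
                ctx["expires"] = now + self.window
        return ip

    def close(self, now):
        """Final timer tick (e.g. end of input); return all reports emitted so far."""
        self._expire(now)
        return self.reports


def format_report(ip, count, first_line, window):
    """One-line summary in the 'last message repeated n times' style."""
    return f"{first_line}\n    ... {count} failure(s) from {ip} within a {window}s window"


# Constructed sample log: one source retrying every 90 s, one single failure
# from another source, and one unrelated NOTICE that must not match.
SAMPLE_LOG = [
    "[Mar 24 10:00:00] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 24 10:00:10] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
    "[Mar 24 10:00:30] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[Mar 24 10:01:30] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 24 10:03:00] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 24 10:04:30] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[Mar 24 10:06:00] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
]


def run(lines, refresh_on_match, window=120, end="10:10:00"):
    """Feed every line, close at `end`, and return [(ip, count), ...] in report order."""
    agg = SipFailureAggregator(window=window, refresh_on_match=refresh_on_match)
    for line in lines:
        agg.feed(line)
    return [(ip, count) for ip, count, _ in agg.close(hms_to_seconds(end))]


if __name__ == "__main__":
    for mode in (True, False):
        agg = SipFailureAggregator(refresh_on_match=mode)
        for line in SAMPLE_LOG:
            agg.feed(line)
        print(f"refresh_on_match={mode}:")
        for ip, count, first in agg.close(hms_to_seconds("10:10:00")):
            print(format_report(ip, count, first, agg.window))
```

With the refreshing lifetime the persistent source produces one report of 5 failures only after the retries stop, which is the indefinitely-open context described in problem 1; with the fixed window the same input yields three reports (2, 2 and 1 failures), each within 120 seconds of the first failure it covers. A real SEC deployment would express the fixed-window behaviour in rule syntax rather than in a script; the model only makes the timing difference visible.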