hi Miles,
in fact, your question touches nicely on a couple of new features of the 
2.6.0 version.
With previous versions, there were several options for addressing this 
question. First, you could set up two rules in the style described in 
Q17 of the FAQ (http://simple-evcorr.sourceforge.net/FAQ.html#17) -- 
since the context lifetime is set only once on first matching event, 
this will guarantee that the context will expire exactly after 2 
minutes. Then you could count the number of lines in the context (with 
an external 'wc -l' command, for example), and include the number in the 
report. Another option would be to use a Perl code snippet for counting, 
and report the counter after 120 seconds.
However, I think the problem is best addressed by the new EventGroup 
rule, which in this particular case is set up only for processing one 
event type without thresholding:

# Count SIP registration failures per source IP for a fixed 120-second
# window and report the count once, when the window closes.
type=EventGroup
ptype=regexp
pattern=^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*
count=lcall %ret $1 -> ( sub { ++$sipcounts{$_[0]}; } )
desc=SIP Registration Failure from $1
action=none
end=lcall %ret $1 -> ( sub { return delete $sipcounts{$_[0]}; } ); \
     write - %s (%ret events seen)
window=120

Since EventGroup allows for triggering actions during counting both on 
each matching event (the 'count' field) and at the end of the event 
correlation window (the 'end' field), you have all the functionality you 
want. Note that since we are *not* using the thresh field, it defaults 
to 1, so the threshold is reached immediately when the first event is 
seen, and thus no window sliding can ever happen (in other words, the 
action in the 'end' field is guaranteed to fire exactly 120 seconds 
after the first matching event).

For each IP address, there is a counter in the %sipcounts hash which is 
incremented by the action in the 'count' field on each matching event 
for this IP. Reporting is done by the action in the 'end' field, which 
deletes the counter for the given IP from the %sipcounts hash and 
assigns its value to the %ret variable.

It is also interesting to note that the 'action' field is empty, since 
we don't need to trigger an action on the first matching event. 
(However, if you actually want an alert, you can configure it for the 
'action' field.)

This example also harnesses the lcall action, which is nice to use in our 
case, since unlike the eval action the Perl code is compiled only once (and 
unlike the call action, we don't need to compile the Perl code with a 
separate rule at SEC startup).

All in all, EventGroup and lcall allow for expressing your correlation 
idea with one rule only :)

hope this helps,
risto
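To make the difference between the two approaches concrete, here is an added Python replay of both behaviours over a few constructed Asterisk chan_sip log lines. It is example code written for this page, not part of the thread and not SEC itself: the regex is the one from the rule above (Perl syntax runs unchanged in Python's re module), `sliding=True` imitates Miles's `add`/`set` context whose lifetime is renewed on every event, and `sliding=False` imitates the EventGroup rule with thresh=1, whose window is fixed at first event + 120 s. The handling of an event that arrives in the same second the window closes (the window closes first) is an assumption about SEC's timer, not something the thread states.

```python
import re

# The pattern from the EventGroup rule; Perl regex syntax works unchanged here.
SIP_FAIL_RE = re.compile(
    r"^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] "
    r"NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for "
    r"'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*"
)
# Helper used only to turn the bracketed log time into seconds of the day.
TIME_RE = re.compile(r"^\[[A-Z][a-z]{1,4} [0-9]{1,2} (\d{1,2}):(\d{1,2}):(\d{1,2})\]")

WINDOW = 120  # seconds; the rule's window=120

# Constructed sample log lines in Asterisk chan_sip format (not real traffic).
# 203.0.113.7 keeps failing for more than two minutes; 198.51.100.20 fails once.
SAMPLE_LOG = [
    "[Mar 24 22:32:00] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@pbx>' failed for '203.0.113.7' - Wrong password",
    "[Mar 24 22:32:30] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@pbx>' failed for '203.0.113.7' - No matching peer found",
    "[Mar 24 22:32:45] NOTICE[1234] chan_sip.c: Registration from '\"alice\" <sip:alice@pbx>' failed for '198.51.100.20' - Wrong password",
    "[Mar 24 22:32:50] NOTICE[1234] chan_sip.c: Peer 'alice' is now Reachable. (12ms / 2000ms)",
    "[Mar 24 22:33:10] NOTICE[1234] chan_sip.c: Registration from '\"102\" <sip:102@pbx>' failed for '203.0.113.7' - No matching peer found",
    "[Mar 24 22:33:50] NOTICE[1234] chan_sip.c: Registration from '\"103\" <sip:103@pbx>' failed for '203.0.113.7' - No matching peer found",
    "[Mar 24 22:34:30] NOTICE[1234] chan_sip.c: Registration from '\"104\" <sip:104@pbx>' failed for '203.0.113.7' - No matching peer found",
]
NOW = 22 * 3600 + 36 * 60  # 22:36:00, the clock value at which the replay stops


def log_seconds(line):
    """Seconds since midnight from the '[Mar 24 22:32:00]' prefix (assumes one day)."""
    h, m, s = map(int, TIME_RE.match(line).groups())
    return h * 3600 + m * 60 + s


def correlate(lines, now, sliding):
    """Replay log lines through a per-IP 120-second correlation.

    sliding=False: EventGroup with thresh=1; the window closes at first event + WINDOW
    no matter how many events follow (the 'end' action fires then).
    sliding=True: the 'set sip_$1 120 (...)' action, which renews the context
    lifetime on every event, so a steady stream of failures keeps it open.
    Returns (reports, pending): reports is a list of (close_time, ip, count) in the
    order they fired; pending maps IPs still open at `now` to (deadline, count).
    """
    open_windows = {}  # ip -> [deadline, count]; plays the role of %sipcounts
    reports = []

    def expire(t):
        # Assumption: a window whose deadline has been reached closes before any
        # event with the same timestamp is counted.
        for ip in [ip for ip, (dl, _) in open_windows.items() if dl <= t]:
            dl, count = open_windows.pop(ip)
            reports.append((dl, ip, count))

    for line in lines:
        t = log_seconds(line)
        expire(t)
        m = SIP_FAIL_RE.match(line)
        if not m:
            continue  # lines that do not match the pattern are ignored, as in SEC
        ip = m.group(1)
        if ip in open_windows:
            open_windows[ip][1] += 1  # the 'count' action: ++$sipcounts{$ip}
            if sliding:
                open_windows[ip][0] = t + WINDOW  # 'set' renews the lifetime
        else:
            open_windows[ip] = [t + WINDOW, 1]  # first event opens the window
    expire(now)
    return reports, {ip: tuple(v) for ip, v in open_windows.items()}


def format_report(ip, count):
    """The line produced by the rule's 'write - %s (%ret events seen)' action."""
    return "SIP Registration Failure from %s (%d events seen)" % (ip, count)


if __name__ == "__main__":
    for mode in (False, True):
        reports, pending = correlate(SAMPLE_LOG, NOW, sliding=mode)
        print("sliding=%s" % mode)
        for close_time, ip, count in reports:
            print("  %02d:%02d:%02d  %s" % (close_time // 3600, close_time % 3600 // 60,
                                          close_time % 60, format_report(ip, count)))
        print("  still open at 22:36:00: %s" % pending)
```

With the fixed window, 203.0.113.7 is reported at 22:34:00 with 4 events and its fifth failure at 22:34:30 simply opens a new window; with the renewed lifetime, the same attacker has still not been reported at 22:36:00 because every failure pushed the deadline out again, which is exactly Miles's problem 1.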

On 03/24/2011 10:32 PM, Miles Stevenson wrote:
> With the help of the online FAQ and a search of the mailing list archives, 
> I've been able to get a rule working which is supposed to alert me of SIP 
> brute force login attempts. The general idea for this rule is that I want to 
> be alerted after only a single failed login, but in the case of brute force 
> attacks, I don't want to end up with hundreds or thousands of email alerts. 
> So I wanted it to open a context and capture similar attempts from the same 
> IP address for 2 minutes, group them into a single alert, and then send it.
>
> Here is my result:
>
> #SIP Brute Force Attempts
> type=single
> ptype=RegExp
> pattern=^\[[A-Z][a-z]{1,4} [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\] NOTICE\[[0-9]*\] chan_sip\.c: Registration from.* failed for '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'.*
> desc=SIP Registration Failure from $1
> action=add sip_$1 $0; set sip_$1 120 (report sip_$1 /bin/mail -s 'SEC: SIP Brute Force' ad...@example.com -- -f sec@server)
>
> This works, but I have two problems.
>
> 1) The context doesn't simply timeout after 120 seconds. If more logs are 
> coming in which continue to match the context, the context stays open for an 
> indefinite period of time until no further matches have been seen for 120 
> seconds. Instead, I want it to alert no matter what after 2 minutes.
>
> 2) Instead of emailing me every instance of $0 (which could be thousands of 
> lines), I'd like SEC to include only a single line, along with a count of how 
> many instances there were in the context. Kind of a "last message repeated n 
> times" sort of thing.
>
> Any advice? Should I be using something other than the "set" action, such as 
> "event"? For the line count, should I be using a Perl expression on the 
> context variable "sip_$1"?
>
> Thanks in advance.
> -Miles
>


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
