2011/6/22 Ludovic Hutin <ludovic.hu...@ac-nancy-metz.fr>:
> Risto,
>
>     The first solution is good. I have just integrated them!
>
>     I was playing with the Perl function, but I am not a Perl developer. I
> have changed the code:
>     type=EventGroup
>     init=create COUNTING_$2
>     end=delete COUNTING_$2
>     ptype=perlfunc
>     pattern=sub { if ( $_[0] =~ /.* logger: ([^\t]*)\t([^\t-]*)\t([^\t]*)\t([^\t]*)/ ) { \
>                  return ($1, lc($2)); } else { return 0; } }
>     context=!$1_COUNTED_FOR_$2
>     count=alias COUNTING_$2 $1_COUNTED_FOR_$2 ; \
>           write result/$2.ip %t $1 ;
>     desc=3 logins from different IPs for $2
>     action=pipe 'envoiMail' /root/sendMail10.pl $2 ;
>     window=3600
>     thresh=3
>
>     Is there a way, with a context, to write the result in result/$2.ip only
> when we have 3 different IPs?

Hmm... with the write-action in the 'count' field it is not possible,
since the action gets executed on every matching event, and during the
counting it is impossible to predict if the threshold will be reached
or not.
However, you could try a simple trick -- store matching events to the
COUNTING_$2 context with the add-action, and from the 'action' field
use report-action to write the content of the context to a file.
regards,
risto

>
>     I think I can do the same with this Perl func (I have to learn more
> about playing with Perl):
>         count=lcall %ret $2 $1 -> ( sub { use Data::Dumper; $ucountsIP{$_[0]}->{$_[1]} = 1; print Dumper($ucountsIP{$_[0]}); } );
>         // This one is not a perl function ;)
>         end=lcall %ret $2 -> ( sub { foreach keys in $ucountsIP{$_[0]}; ( write_to_file $keys ; ) } );
>
>     All I want to do, sec can do it; it's brilliant!
>
>     Thanks a lot !
>
> Ludovic.
>
> On 21/06/2011 16:35, Risto Vaarandi wrote:
>> Ludovic,
>>
>> if you are willing to tolerate a slight inaccuracy, the following fairly
>> simple rule could do:
>>
>> type=EventGroup
>> init=create COUNTING_$2
>> end=delete COUNTING_$2
>> ptype=RegExp
>> pattern=([\d.]+) (\w+)
>> context=!$1_COUNTED_FOR_$2
>> count=alias COUNTING_$2 $1_COUNTED_FOR_$2
>> desc=3 logins from different IPs for $2
>> action=write - %s
>> window=3600
>> thresh=3
>>
>> This rule will trigger a counting operation for the user name when a
>> login for it has been seen. The operation will produce an alert if for
>> the same user name, three logins from different IPs have been observed.
>> After a login from an IP has been seen for the given user name, the
>> context name ipaddress_COUNTED_FOR_username will be created with the
>> 'alias' action, and the presence of this context name will ensure that
>> further login events for this IP will no longer match (because of
>> context=!$1_COUNTED_FOR_$2). The context names created during event
>> correlation are alias names to COUNTING_username context, which is
>> created when operation is initialized, and removed when operation
>> terminates.
>>
>> The inaccuracy I was talking about can happen when the window slides
>> forward -- it will be moved to the next event matched by the operation,
>> but there might have been events not matched due to the 'context' field.
>> However, to be *entirely* precise, the window should be moved to such
>> previously suppressed event instance.
>>
>> Of course, there is a way out, although somewhat more complex -- instead
>> of setting up a context name, you could create an element in a Perl hash
>> with the 'count' field, have 'multact' field set to 'yes', and run
>> alerting action through Perl code. In the code, you can check the number
>> of hash elements, and alert only if the number equals the threshold.
>>
>> One thing that the future releases of SEC might have is an opportunity
>> to do such simple branching (and perhaps looping) explicitly in the
>> 'action' field, e.g.,
>>
>> action=eval %o (++$i == 10); if %o (write - %s)
>>
>> HTH,
>> risto
>>
>>
>> On 06/21/2011 03:03 PM, Ludovic Hutin wrote:
>>> Hi,
>>>
>>>        I got another problem with this simple example.
>>>
>>>        I got entries like that:
>>>            10.0.0.1    login
>>>            10.0.0.2    login
>>>            10.0.0.1    login
>>>            10.0.0.6    login =>   Send an alert.
>>>            1.1.1.1      login2
>>>            2.2.2.2      login2 =>   do nothing.
>>>
>>>            etc...
>>>
>>>        I want to send an alert if a login is detected with 3 different IPs
>>> in a window of 1 hour.
>>>
>>>        I tried with 3 SingleWithSuppress but I don't know how to link the
>>> different rules.
>>>        I am sure I will have to write a small perlfunc :(
>>>
>>> Sorry for this (stupid ?) question,
>>>
>>> Ludovic.
>>>
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>
>
>

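The detection the thread is circling around (three different IPs for one user name within an hour, with the IP list written out only once the threshold is reached), as an added example in plain Python rather than SEC rule syntax. This is not code from SEC or from either poster; the `<ip> <user>` line shape follows the sample entries quoted above, and the timestamps are constructed for the example. Unlike the `context=!$1_COUNTED_FOR_$2` trick, it remembers the last login time of every IP, so the window is also evaluated against repeat logins that the context would have suppressed, which is the "entirely precise" behaviour Risto describes.

```python
"""Distinct-IP-per-user login detection over sample events (added example)."""
import re

# Constructed sample input: (timestamp in seconds, raw line) in the
# "<ip> <user>" shape quoted in the thread.
SAMPLE_EVENTS = [
    (0,    "10.0.0.1    login"),
    (600,  "10.0.0.2    login"),
    (1200, "10.0.0.1    login"),    # repeat IP: refreshes 10.0.0.1, no new count
    (1800, "10.0.0.6    login"),    # third distinct IP for 'login' -> alert
    (1900, "1.1.1.1      login2"),
    (2000, "2.2.2.2      login2"),  # only two IPs for 'login2' -> nothing
    (9000, "10.0.0.9    login"),    # more than an hour later -> no alert
]

# Same capture groups as the RegExp pattern in the thread: $1 = ip, $2 = user.
LINE_RE = re.compile(r"^([\d.]+)\s+(\w+)")


def parse(line):
    """Return (ip, user) for a matching line, or None (like ptype=perlfunc returning 0)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def detect(events, window=3600, thresh=3):
    """Return [(timestamp, user, sorted_ips)] for every alert raised.

    state[user] maps ip -> time of its most recent login.  Before counting,
    IPs whose last login fell outside the window are evicted, so a repeat
    login from an already-counted IP keeps that IP alive instead of being
    ignored the way the '!$1_COUNTED_FOR_$2' context would ignore it.
    """
    state = {}
    alerts = []
    for ts, line in events:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, user = parsed
        seen = state.setdefault(user, {})
        seen[ip] = ts
        # evict IPs not seen within the window (list first, then delete)
        for old_ip in [i for i, t in seen.items() if ts - t > window]:
            del seen[old_ip]
        if len(seen) == thresh:
            # fire once when the threshold is crossed, then reset the
            # counting state, like 'end=delete COUNTING_$2' in the rule
            alerts.append((ts, user, sorted(seen)))
            state[user] = {}
    return alerts


def result_lines(alert):
    """Lines for result/<user>.ip, produced only now that the threshold is met.

    This answers the question of writing the result file only for the
    three-IP case: the IPs are emitted from the alert, not on every event.
    """
    _ts, user, ips = alert
    return [f"{user} {ip}" for ip in ips]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        ts, user, ips = alert
        print(f"{ts}: 3 logins from different IPs for {user}: {', '.join(ips)}")
        for line in result_lines(alert):
            print("  ", line)   # would be appended to result/<user>.ip
```

With the sample events this raises exactly one alert, for `login` at t=1800 with IPs 10.0.0.1, 10.0.0.2 and 10.0.0.6; `login2` never reaches three IPs, and the `login` event at t=9000 starts a fresh count because the earlier state was reset when the alert fired. Shrinking the window to 1000 seconds makes 10.0.0.2 expire before the third IP arrives, so no alert is raised at all.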
