Hi Risto,
Thanks for your answer. It helped.
I was checking the sec manual for the EventGroup example and I tried it several
times to understand its working.
So, now I have some questions because I get a little confused. This is the
example:
type=EventGroup3
ptype=regexp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2
varmap= user=1; ip=2
count=alias OPER_$+{ip} LOGIN_FAILED_$+{user}_$+{ip}
ptype2=regexp
pattern2=sshd\[\d+\]: Accepted .+ for (\S+) from ([\d.]+) port \d+ ssh2
varmap2= user=1; ip=2
context2=LOGIN_FAILED_$+{user}_$+{ip}
ptype3=regexp
pattern3=kernel: iptables:.* SRC=([\d.]+)
varmap3= ip=1
desc=Client $+{ip} accessed a firewalled port and had difficulties with
logging in
action=pipe %t: %s /bin/mail root@localhost
init=create OPER_$+{ip}
slide=delete OPER_$+{ip}; reset 0
end=delete OPER_$+{ip}
window=120
Questions:
1. According to the example, you say that "at least an iptables event was
observed for the IP *and* and least one login failure for a user which was
followed by a successful login for the same user" however I tested it but it
didn't trigger the action unless iptables and login failure occur twice
followed by one succesful login. I tried it cutting and pasting in the standard
input, could I make a mistake?
2. I see varmap lets get readable names for variables matched in the pattern
field. Can I use the same variable name throughout the next rules? I need to
match the same IP on all events.
3. I've asked you about an event P1 as the first event and S1|S3|S2|Sn as its
symptoms. You suggested create a context for the P1 event from the count field,
will have the same effect if I create the context with the action field? what's
the difference?
4. why use context alias?
Thanks again for your help, meanwhile I will keep playing with sec.
Gaoke.
---- On Fri, 04 Nov 2011 15:37:34 -0700 Risto Vaarandi
<risto.vaara...@gmail.com> wrote ----
hi,
yes, the EventGroup rule is probably the best solution for this case,
since it does matching for unordered event groups. However, in order
to verify that P1 is the first event to match the rule and trigger the
event correlation operation, you could create a context from the
'count' field for P1. Then, you can check for the presence of this
context when each S event arrives, which verifies that P1 has been
observed in the past.
hope this helps,
risto
2011/11/4 mindman101 <mindman...@zoho.com>:
>
> Hello list!
> I've been using SEC for a while just configuring single rules. However,
now
> I'm figuring out how to configure a rule that match a problem and then,
> match its symptoms. I mean, for example, match the event P1 and next wait
> for time window where S2|S5|S1|S3|S4 will arrive. As you can see, no
matter
> the arrival order.
> I think the new event type EventGroup could help but how?
> Thanks for your help.
> Gaoke.
>
------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
