On Tue, 4 Jun 2013, John P. Rouillard wrote:

> In message <51ade265.8020...@trueblade.com>,
> "Eric V. Smith" writes:
>> On 06/04/2013 08:37 AM, termo meter wrote:
>>> I have a question on how SEC does pattern matching.
>>>
>>> For example, I have the logs below from my firewall:
>>>
>>> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>> [...]
>>> Let's say I want to capture only denied logs, protocol icmp, and from
>>> this IP address 10.10.0.63 only.
>>>
>>> When I use this conf:
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=Deny\s\S+ icmp
>>> desc=$0
>>> action=write output.txt $0
>>>
>>> it will capture these logs:
>>>
>>> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>>
>>> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
>>> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>>
>>> How can I set SEC to capture logs only from a specific IP address?
>>
>> Include the address in your regular expression. Something like (untested):
>>
>> pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63
>
> If you have a lot of addresses or you need to change them on a regular
> basis, you can create and delete contexts on the fly to make this more
> dynamic.
>
I agree on making them dynamic; my approach is a bit different though. I would use a perl code snippet.

You can load a table at startup time with a rule like:

# load a table of what IP addresses the admins of different products are expected to use
# table format is <product>|<ip>
# note: split on a literal '|' with split(/\|/, ...); a bare '|' pattern is an empty
# alternation in Perl and would split the line into single characters
type=Single
desc=Load known admin IPs on startup
ptype=RegExp
continue=TakeNext
pattern=(SEC_STARTUP|SEC_RESTART)
context=[SEC_INTERNAL_EVENT]
action=eval %a ( open(FILE, "</usr/local/sec/known_admin_ips.txt"); \
  while (<FILE>) { chomp; @junk=split(/\|/, $_); $known_admin_ips{$junk[0]}{$junk[1]} = 1; } close(FILE); )

You can set up a trigger to reload the table by just sending a log line that SEC matches with a rule like:

# clear the hash first so entries removed from the file disappear, then reload it
type=Single
desc=reLoad known admin IPs
ptype=SubStr
continue=TakeNext
pattern=reload known admin IP addresses
action=eval %a ( %known_admin_ips=(); open(FILE, "</usr/local/sec/known_admin_ips.txt"); \
  while (<FILE>) { chomp; @junk=split(/\|/, $_); $known_admin_ips{$junk[0]}{$junk[1]} = 1; } close(FILE); )

And then later in your ruleset, you can have rules that use the perl snippet "if exists $known_admin_ips{product}{ip}" for a very fast lookup, even for a large number of possible IP addresses.

David Lang
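As an added illustration (not code from the thread or from SEC itself), the same table-driven lookup written in Python so it can be run and tested outside SEC: it loads the <product>|<ip> table into a nested dict exactly like the Perl hash above, extends Eric's "Deny\s\S+ icmp" pattern to capture the protocol and source address, and keeps only Deny lines whose source is listed for the product. The table contents and log lines are constructed after the formats quoted in the thread.

```python
import re

# Constructed <product>|<ip> table in the format the post describes.
KNOWN_ADMIN_IPS_TABLE = """\
asa|10.10.0.63
asa|10.10.0.64
switch|192.168.0.5
"""

# Constructed log lines in the ASA format quoted in the thread.
SAMPLE_LOG = [
    "<163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src "
    "outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src "
    "outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 16:00:01: %ASA-3-10614: Deny inbound tcp src "
    "outside:10.10.0.63 dst outside:192.168.0.10",
]

# Eric's "Deny\s\S+ icmp" generalised to capture protocol and source address.
DENY_RE = re.compile(
    r"Deny\s\S+ (?P<proto>\S+) src \S+:(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def load_table(lines):
    """Parse product|ip lines into {product: {ip: True}}, like the Perl hash."""
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # split on the literal '|' (in Perl that is split(/\|/, ...), not split('|', ...))
        product, _, ip = line.partition("|")
        table.setdefault(product, {})[ip] = True
    return table

def is_known(table, product, ip):
    """The 'exists $known_admin_ips{product}{ip}' test: one hash lookup per event."""
    return ip in table.get(product, {})

def filter_denies(lines, table, product="asa", proto="icmp"):
    """Keep Deny lines for the given protocol whose source is listed for product."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group("proto") == proto and is_known(table, product, m.group("src")):
            hits.append(line)
    return hits
```

Swapping the table file for a different set of addresses changes what is reported without touching the regex, which is the point of keeping the addresses out of the pattern.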