On Tue, 4 Jun 2013, John P. Rouillard wrote:

> In message <51ade265.8020...@trueblade.com>,
> "Eric V. Smith" writes:
>> On 06/04/2013 08:37 AM, termo meter wrote:
>>> I have a question on how SEC does pattern matching.
>>>
>>> For example i have below logs from my firewall:
>>>
>>> 5-23-2013 4:10:03 PM     UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>> [...]
>>> Let's say I want to capture only denied logs, protocol icmp, and from
>>> this IP address 10.10.0.63 only.
>>>
>>> When I use this conf:-
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=Deny\s\S+ icmp
>>> desc=$0
>>> action=write output.txt $0
>>>
>>> it will capture these logs:-
>>>
>>> 5-23-2013 4:10:03 PM     UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>>
>>> 5-23-2013 4:10:13 PM     UDP Traffic Received from 10.1.1.1:
>>> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
>>> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>>
>>> How can I set SEC to capture logs only from a specific IP address?
>>
>> Include the address in your regular expression. Something like (untested):
>>
>> pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63
>
> If you have a lot of addresses or you need to change them on a regular
> basis, you can create and delete contexts on the fly to make this more
> dynamic.
>

I agree on making them dynamic, though my approach is a bit different. I would
use a Perl code snippet.

You can load a table at startup time with a rule like:
# load a table of what IP addresses the admins of different products are
# expected to use
# table format is <product>|<ip>
# note: split on a literal "|" with /\|/ -- split('|', ...) treats the string
# as a regex, and an empty alternation splits the line into single characters
type=Single
desc=Load known admin IPs on startup
ptype=RegExp
continue=TakeNext
pattern=(SEC_STARTUP|SEC_RESTART)
context=[SEC_INTERNAL_EVENT]
action=eval %a ( open(FILE, "</usr/local/sec/known_admin_ips.txt"); \
    while (<FILE>) { chomp; @junk = split(/\|/, $_); \
    $known_admin_ips{$junk[0]}{$junk[1]} = 1; } close(FILE); )

You can set up a trigger to reload the table by just sending a log line that SEC
matches with a rule like:

type=Single
desc=reLoad known admin IPs
ptype=SubStr
continue=TakeNext
pattern=reload known admin IP addresses
action=eval %a ( %known_admin_ips = (); \
    open(FILE, "</usr/local/sec/known_admin_ips.txt"); \
    while (<FILE>) { chomp; @junk = split(/\|/, $_); \
    $known_admin_ips{$junk[0]}{$junk[1]} = 1; } close(FILE); )

And then later in your ruleset, you can have rules that use the Perl snippet
"if (exists $known_admin_ips{$product}{$ip})"
for a very fast lookup for even a large number of possible IP addresses.

David Lang
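The following is an added, stand-alone Perl script (not part of the thread and not SEC rule syntax) that exercises the same table-driven lookup outside SEC so it can be run with plain `perl`: it loads a `<product>|<ip>` table into `%known_admin_ips{product}{ip}`, extracts the source address from ASA deny lines with a regex like the one in the thread, and tags each icmp deny as coming from a known or unknown admin address. The table contents, the product name `asa` and the log lines are constructed for the example; the regex is built around the `%ASA-3-10614: Deny inbound icmp src outside:10.10.0.63` shape shown above.

```perl
#!/usr/bin/env perl
# Added example, not code from the original thread. Simulates the SEC
# eval-table approach outside SEC so the lookup logic can be tested.
use strict;
use warnings;

# Constructed sample table in the post's <product>|<ip> format. In SEC
# this would be read from /usr/local/sec/known_admin_ips.txt instead.
my $table_text = <<'TABLE';
asa|10.10.0.63
asa|10.10.0.64
# comment lines and blank lines are ignored
vpn|192.168.0.63

TABLE

# Same nested-hash layout as the SEC rules: $known_admin_ips{product}{ip} = 1
my %known_admin_ips;

# Parse one table filehandle into a product -> ip -> 1 hash.
sub load_table {
    my ($fh) = @_;
    my %t;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;            # skip comments and blanks
        # Split on a literal '|'. split('|', $line) would be wrong: the
        # first argument is a regex, and '|' alone matches the empty string,
        # so the line would be split into single characters.
        my ($product, $ip) = split /\|/, $line, 2;
        next unless defined $ip && length $ip;
        $t{$product}{$ip} = 1;
    }
    return \%t;
}

# Reload = throw the old hash away and rebuild it, as the post's reload rule does.
sub reload_table {
    open my $fh, '<', \$table_text or die "open table: $!";
    %known_admin_ips = %{ load_table($fh) };
    close $fh;
}

# ASA deny line: capture direction, protocol and the address after "src <iface>:".
# The message number is matched loosely (\d+) rather than hard-coded.
my $deny_re = qr/%ASA-\d-\d+: Deny (\S+) (\S+) src \S+?:([\d.]+)/;

# Classify one log line. Returns undef for lines that are not a deny,
# otherwise a hashref with direction, protocol, source ip and admin status.
sub classify {
    my ($line, $product) = @_;
    return undef unless $line =~ $deny_re;
    my ($direction, $proto, $src) = ($1, $2, $3);
    my $admin = (exists $known_admin_ips{$product}
                 && exists $known_admin_ips{$product}{$src}) ? 'known' : 'unknown';
    return { dir => $direction, proto => $proto, src => $src, admin => $admin };
}

# Constructed log lines modelled on the ones in the thread. The second one
# keeps the thread's malformed "inboundicmp" field and therefore does not
# match the regex, which is the behaviour you want from a strict pattern.
my @logs = (
    '<163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)',
    '<163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)',
    '<163>May 23 2011 16:00:05: %ASA-3-10614: Deny inbound icmp src outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)',
    '<163>May 23 2011 16:00:15: %ASA-3-10614: Deny inbound udp src outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)',
);

reload_table();
for my $line (@logs) {
    my $r = classify($line, 'asa') or next;   # not a deny line: ignore
    next unless $r->{proto} eq 'icmp';        # only icmp denies, as the OP wanted
    printf "%-7s %-15s %s\n", $r->{admin}, $r->{src}, $line;
}
# Output: the first line is reported as "known" (10.10.0.63 is in the table),
# the third as "unknown" (192.168.0.63 is listed for vpn, not asa); the
# malformed line and the udp deny are skipped.
```

Inside SEC the `exists` test from `classify` is what goes into the Perl code of the later matching rule, with `$product` and the captured source IP as its inputs; rebuilding `%known_admin_ips` from scratch on reload means entries removed from the file drop out immediately rather than lingering until restart.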

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users