In message <cahkpr1fe+bh0cq92gi9_tom1yy9vxhxus6vsjz89qk6rtnb...@mail.gmail.com> , Orangepeel Beef writes:
>I am wondering if it is possible to collect all the events that match in a
>singlewiththreshold and send them all out when the threshold is hit?
>
>#more than 15 failed logins
>type=singlewiththreshold
>desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
>ptype=regexp
>pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
>action=pipe '$0' /usr/bin/mail -s '%s' %e
>window=1800
>thresh=15
>
>This is working, but I'm only getting the 1 log line from the last event
>that triggered the threshold.

Yup, that's all you get with pipe. You need to record the prior lines
somewhere and send those into a program. Usually you record the lines in
a context and report the context.

>I'd like to be able to send all the previous
>log lines with it in the email.

Look at EventGroup in the SEC man page. You will probably want something
like:

type=EventGroup
desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
init = create somecontext
count = add somecontext $0
action = report somecontext /usr/bin/mail -s '%s' %e
end = delete somecontext
window = 1800
thresh = 15

So you create/empty somecontext when the rule is triggered, and for every
matching event (that gets counted) add the event ($0) to somecontext.
When the rule triggers, take the action to report the context.

Note you will probably want to replace "somecontext" with a unique
context name like:

  brute_force_15_events_of_$1_from_$3

so you have a unique context for every correlation.

Also you may need to do some work on the count to trim the context to 15
events. You would replace the count argument above by something like:

rem = trim context somecontext to no more than 15 newest lines
count = add somecontext $0 ; \
        getsize %size somecontext; \
        lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
        while %gt15 ( shift somecontext %discard; \
                      getsize %size somecontext; \
                      lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
                    )

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
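Added example, not part of the thread and not SEC itself: a short Python re-implementation of what the EventGroup rule plus the trim loop above do, so the difference from the pipe action (one line versus the whole context) can be seen on constructed log lines. The class and helper names (BruteForceCorrelator, make_line, run_demo), the sample log lines and the simplified sliding window are assumptions of this sketch, not SEC's own behaviour; the regexp and the 15/1800 values are taken from the rule in the message.

```python
"""Python sketch of the context-based EventGroup approach described in the reply.

Added example, not SEC and not code from the thread.  It re-implements the
part of the correlation the posted rule performs: keep the matching log lines
in a per-(host, remote_ip) context, trim that context to the newest 15 lines,
and when the threshold is reached within the window hand ALL retained lines to
the report step instead of only the triggering one.  The window handling is a
simplification of SEC's real EventGroup semantics (assumption).
"""
import re
from collections import deque

# The regexp from the rule; group 1 = host ($1), 2 = user ($2), 3 = remote IP ($3).
PATTERN = re.compile(
    r'\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - '
    r'Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - '
    r'Status "ERROR: Invalid username or password"'
)
WINDOW = 1800  # seconds, window=1800 in the rule
THRESH = 15    # thresh=15 in the rule
KEEP = 15      # the trim loop keeps at most this many newest lines


class BruteForceCorrelator:
    """One context per (host, ip), like brute_force_15_events_of_$1_from_$3."""

    def __init__(self, window=WINDOW, thresh=THRESH, keep=KEEP):
        self.window, self.thresh, self.keep = window, thresh, keep
        self.contexts = {}  # (host, ip) -> deque of (timestamp, log line)
        self.reports = []   # (desc, lines) tuples: what 'report ... mail' would send

    def feed(self, ts, line):
        """Process one log line with its epoch timestamp; return a report if one fires."""
        m = PATTERN.search(line)
        if not m:
            return None
        host, _user, ip = m.groups()
        key = (host, ip)
        ctx = self.contexts.setdefault(key, deque())  # init = create somecontext
        ctx.append((ts, line))                        # count = add somecontext $0
        # Only events inside the correlation window count (simplified sliding window).
        while ctx and ts - ctx[0][0] > self.window:
            ctx.popleft()
        # The trim loop: 'shift somecontext' while its size is > 15.
        while len(ctx) > self.keep:
            ctx.popleft()
        if len(ctx) < self.thresh:
            return None
        desc = (f"Possible brute force attempt of {host} from {ip} "
                f"(>{self.thresh} in {self.window // 60}min)")
        report = (desc, [entry for _, entry in ctx])  # action = report somecontext
        self.reports.append(report)
        del self.contexts[key]                        # end = delete somecontext
        return report


def make_line(ts_str, host, user, ip):
    """Constructed sample log line in the shape the rule's regexp expects."""
    return (f'{ts_str} GMT {host} webui UI CMD_EXECUTED 4242 7 : User {user} - '
            f'Remote_ip {ip} - Command "login {user}" - '
            f'Status "ERROR: Invalid username or password"')


def run_demo():
    """17 failures from one IP ten seconds apart, plus one unrelated failure."""
    corr = BruteForceCorrelator()
    fired = []
    for i in range(17):
        ts = i * 10
        line = make_line(f"12:{ts // 60:02d}:{ts % 60:02d}", "fw01", "admin", "203.0.113.7")
        report = corr.feed(ts, line)
        if report:
            fired.append(report)
    corr.feed(200, make_line("12:03:20", "fw01", "bob", "198.51.100.9"))
    return fired, corr


if __name__ == "__main__":
    fired, _ = run_demo()
    for desc, lines in fired:
        print(desc)
        print("\n".join(lines))  # the 15 lines a plain pipe '$0' would have dropped
```

Running it prints one report carrying all 15 retained lines for 203.0.113.7; the two failures after the report start a fresh context, exactly as the delete in the end action does in the rule.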