Hmm, this worked fine in 2.7.3 but in 2.7.4 it doesn't work anymore...
The event still fires off, but the email body is blank.
type=EventGroup
desc=[SEC-E] Possible brute force attempt of $1 from $3 (>15 in 30min)
ptype=regexp
pattern=^\d+-\d+-\S+ (\S+).+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
init = create brute_$1_$3
count = add brute_$1_$3 $0
action = report brute_$1_$3 /usr/local/sbin/sec_mail.pl '%s' '%e'
end = delete brute_$1_$3
window = 1800
thresh = 15
2013-07-05T17:13:30.077186+00:00 ops-server0005 sec[19341]: Adding event(s) '2013-07-05T17:13:29.978080+00:00 lb1.mydomain.com 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374287 0 : User root - Remote_ip x.y.11.100 - Command "login root "********"" - Status "ERROR: Invalid username or password"' to context 'brute_lb1.mydomain.com_x.y.11.100'
2013-07-05T17:13:30.478278+00:00 ops-server0005 sec[19341]: Adding event(s) '2013-07-05T17:13:30.407279+00:00 lb1.mydomain.com 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374288 0 : User emailswitch - Remote_ip x.y.11.100 - Command "login emailswitch "********"" - Status "ERROR: Invalid username or password"' to context 'brute_lb1.mydomain.com_x.y.11.100'
2013-07-05T17:13:30.578727+00:00 ops-server0005 sec[19341]: Adding event(s) '2013-07-05T17:13:30.481710+00:00 lb1.mydomain.com 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374289 0 : User root - Remote_ip x.y.11.100 - Command "login root "********"" - Status "ERROR: Invalid username or password"' to context 'brute_lb1.mydomain.com_x.y.11.100'
2013-07-05T10:04:48.219121+00:00 ops-server0005 sec[11357]: Reporting the event store of context 'brute_lb1.mydomain.com_x.y.11.100' through shell command '/usr/local/sbin/sec_mail.pl '[SEC-W] Possible brute force attempt of lb1.mydomain.com from x.y.11.100 (>15 in 30min)' 's...@email.com'
#sec_mail script
#!/usr/bin/perl -w
use strict;

# Invoked by the SEC 'report' action: $ARGV[0] is the rule description (%s),
# $ARGV[1] the recipient the rule passes as %e; the context's event store
# arrives on standard input.
my $from    = 'sec-uswest-not...@mydomain.com';
my $subject = $ARGV[0];
my $to      = $ARGV[1];
my $body    = '';
while (<STDIN>) {
    $body .= $_;
}
open(MAIL, "|/usr/sbin/sendmail -t") or die "cannot run sendmail: $!";
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n";
print MAIL "\n";    # empty line separates the headers from the body (RFC 5322)
print MAIL $body . "\n";
close(MAIL) or die "sendmail exited with an error: $!";
On Tue, Jun 25, 2013 at 11:30 AM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
> In message
> <cahkpr1fe+bh0cq92gi9_tom1yy9vxhxus6vsjz89qk6rtnb...@mail.gmail.com> ,
> Orangepeel Beef writes:
>
> >I am wondering if it is possible to collect all the events that match in a
> >singlewiththreshold and send them all out when the threshold is hit?
> >
> >#more than 15 failed logins
> >type=singlewiththreshold
> >desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
> >ptype=regexp
> >pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
> >action=pipe '$0' /usr/bin/mail -s '%s' %e
> >window=1800
> >thresh=15
> >
> >
> >This is working, but I'm only getting the 1 log line from the last event
> >that triggered the threshold.
>
> Yes, that's all you get with pipe. You need to record the prior lines
> somewhere and send those into a program. Usually you record the lines
> in a context and report the context.
>
> >I'd like to be able to send all the previous
> >log lines with it in the email.
>
> Look at EventGroup in the SEC man page. You will probably want
> something like:
>
> type=EventGroup
> desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
> ptype=regexp
> pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
>
> init = create somecontext
> count = add somecontext $0
> action = report somecontext /usr/bin/mail -s '%s' %e
> end = delete somecontext
> window = 1800
> thresh = 15
>
> So you create/empty somecontext when the rule is triggered, for every
> matching event (that gets counted) add the event ($0) to somecontext.
> When the rule triggers take the action to report the context.
>
> Note you will probably want to replace "somecontext" with a unique
> context name like:
>
> brute_force_15_events_of_$1_from_$3
>
> so you have a unique context for every correlation.
>
> Also you may need to do some work on the count to trim the context to
> 15 events. You would replace the count argument above by something
> like:
>
> rem = trim context somecontext to no more than 15 newest lines
> count = add somecontext $0 ; \
> getsize %size somecontext; \
> lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
> while %gt15 ( shift somecontext %discard; \
> getsize %size somecontext; \
> lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
> )
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
>
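As an added illustration (not code from the thread or from SEC itself), this Python model replays what the EventGroup rule at the top of the message and rouilj's trimming advice do: one context per host/source pair, every counted event appended to it, the context held to the 15 newest lines, and the whole event store returned as the text the report action pipes into the mail script. The log lines it feeds are constructed in the load balancer's format; the 10.0.11.100 address stands in for the x.y.11.100 of the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Regex from the EventGroup rule above: group 1 = host ($1), 2 = user ($2), 3 = remote IP ($3).
LOGIN_FAIL = re.compile(
    r'^\d+-\d+-\S+ (\S+).+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - '
    r'Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - '
    r'Status "ERROR: Invalid username or password"')

class BruteForceCorrelator:
    """One context per (host, remote IP); the whole event store is reported at the threshold."""
    def __init__(self, window=1800, thresh=15):  # window=1800 / thresh=15 as in the rule
        self.window, self.thresh = window, thresh
        self.contexts = defaultdict(deque)  # (host, ip) -> deque of (epoch seconds, line)

    def feed(self, line):
        """Return (desc, body) once a context hits the threshold, else None; body is the report text."""
        m = LOGIN_FAIL.search(line)
        if not m:
            return None
        host, ip = m.group(1), m.group(3)
        ts = datetime.fromisoformat(line.split(' ', 1)[0]).timestamp()
        ctx = self.contexts[(host, ip)]
        ctx.append((ts, line))
        while ctx and ts - ctx[0][0] > self.window:  # sliding window: forget old events
            ctx.popleft()
        while len(ctx) > self.thresh:  # rouilj's trim: keep only the newest 15 lines
            ctx.popleft()
        if len(ctx) < self.thresh:
            return None
        desc = (f"[SEC-E] Possible brute force attempt of {host} from {ip} "
                f"(>{self.thresh} in {self.window // 60}min)")
        body = "\n".join(l for _, l in ctx)
        del self.contexts[(host, ip)]  # like 'end = delete': the next event starts a fresh context
        return desc, body

def sample_line(second, user, ip="10.0.11.100"):
    """Constructed log line in the load balancer format from the thread; 10.0.11.100 is made up."""
    return (f"2013-07-05T17:13:{second:02d}.000000+00:00 lb1.mydomain.com "
            f"07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED {374287 + second} 0 : "
            f'User {user} - Remote_ip {ip} - Command "login {user} "********"" - '
            f'Status "ERROR: Invalid username or password"')

def run_demo(attempts=15):
    """Feed 'attempts' failed logins from one source and return the first report (or None)."""
    corr = BruteForceCorrelator()
    reports = [corr.feed(sample_line(i, "root" if i % 2 else "emailswitch")) for i in range(attempts)]
    return next((r for r in reports if r), None)
```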
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users