Never mind this... Jeroen pointed out the mistake in my Perl script,
although I'm not sure why it worked earlier...

> print MAIL "Subject: $subject\n";

I think you might need to change that to

        print MAIL "Subject: $subject\n\n";

There needs to be an empty line to separate the message headers from the body.
Without it, the body is prone to be parsed as (invalid) headers and
discarded.

Regards, Jeroen.


On Fri, Jul 5, 2013 at 10:20 AM, Orangepeel Beef <orangepeelb...@gmail.com> wrote:

> Hmm, this worked fine in 2.7.3 but in 2.7.4 it doesn't work anymore...
>
> The event still fires off, but the email body is blank.
>
> type=EventGroup
> desc=[SEC-E] Possible brute force attempt of $1 from $3 (>15 in 30min)
> ptype=regexp
> pattern=^\d+-\d+-\S+ (\S+).+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
> init = create brute_$1_$3
> count = add brute_$1_$3 $0
> action = report brute_$1_$3 /usr/local/sbin/sec_mail.pl '%s' '%e'
> end = delete brute_$1_$3
> window = 1800
> thresh = 15
>
>
>
>
>
> 2013-07-05T17:13:30.077186+00:00 ops-server0005 sec[19341]: Adding
> event(s) '2013-07-05T17:13:29.978080+00:00 lb1.mydomain.com 
> 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374287 0 :  User
> root - Remote_ip x.y.11.100 - Command "login root "********"" - Status
> "ERROR: Invalid username or password"' to context
> 'brute_lb1.mydomain.com_x.y.11.100'
> 2013-07-05T17:13:30.478278+00:00 ops-server0005 sec[19341]: Adding
> event(s) '2013-07-05T17:13:30.407279+00:00 lb1.mydomain.com 
> 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374288 0 :  User
> emailswitch - Remote_ip x.y.11.100 - Command "login emailswitch "********""
> - Status "ERROR: Invalid username or password"' to context
> 'brute_lb1.mydomain.com_x.y.11.100'
> 2013-07-05T17:13:30.578727+00:00 ops-server0005 sec[19341]: Adding
> event(s) '2013-07-05T17:13:30.481710+00:00 lb1.mydomain.com 
> 07/05/2013:17:13:09 GMT LB1AW2 0-PPE-4 : UI CMD_EXECUTED 374289 0 :  User
> root - Remote_ip x.y.11.100 - Command "login root "********"" - Status
> "ERROR: Invalid username or password"' to context
> 'brute_lb1.mydomain.com_x.y.11.100'
>
> 2013-07-05T10:04:48.219121+00:00 ops-server0005 sec[11357]: Reporting the
> event store of context 'brute_lb1.mydomain.com_x.y.11.100' through shell
> command '/usr/local/sbin/sec_mail.pl '[SEC-W] Possible brute force
> attempt of lb1.mydomain.com from x.y.11.100 (>15 in 30min)' '
> s...@email.com'
>
>
> #sec_mail script
>
> #!/usr/bin/perl -w
> $from='sec-uswest-not...@mydomain.com';
> $subject=$ARGV[0];
> $to=$ARGV[1];
> $body='';
> while (<stdin>) {
>     $body = $body . $_;
> }
>
> open(MAIL, "|/usr/sbin/sendmail -t");
> print MAIL "To: $to\n";
> print MAIL "From: $from\n";
> print MAIL "Subject: $subject\n";
> print MAIL $body."\n";
> close(MAIL)
>
>
>
>
> On Tue, Jun 25, 2013 at 11:30 AM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
>>
>> In message
>> <cahkpr1fe+bh0cq92gi9_tom1yy9vxhxus6vsjz89qk6rtnb...@mail.gmail.com> ,
>> Orangepeel Beef writes:
>>
>> >I am wondering if it is possible to collect all the events that match in
>> >a singlewiththreshold and send them all out when the threshold is hit?
>> >
>> >#more than 15 failed logins
>> >type=singlewiththreshold
>> >desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
>> >ptype=regexp
>> >pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
>> >action=pipe '$0' /usr/bin/mail -s '%s' %e
>> >window=1800
>> >thresh=15
>> >
>> >
>> >This is working, but I'm only getting the 1 log line from the last event
>> >that triggered the threshold.
>>
>> Yes, that's all you get with pipe.  You need to record the prior lines
>> somewhere and send those into a program. Usually you record the lines
>> in a context and report the context.
>>
>> >I'd like to be able to send all the previous
>> >log lines with it in the email.
>>
>> Look at EventGroup in the SEC man page. You will probably want
>> something like:
>>
>>   type=EventGroup
>>   desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
>>   ptype=regexp
>>   pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
>>
>>   init = create somecontext
>>   count = add somecontext $0
>>   action = report somecontext /usr/bin/mail -s '%s' %e
>>   end = delete somecontext
>>   window = 1800
>>   thresh = 15
>>
>> So you create/empty somecontext when the rule is triggered, for every
>> matching event (that gets counted) add the event ($0) to somecontext.
>> When the rule triggers take the action to report the context.
>>
>> Note you will probably want to replace "somecontext" with a unique
>> context name like:
>>
>>    brute_force_15_events_of_$1_from_$3
>>
>> so you have a unique context for every correlation.
>>
>> Also you may need to do some work on the count to trim the context to
>> 15 events. You would replace the count argument above by something
>> like:
>>
>> rem = trim context somecontext to no more than 15 newest lines
>> count = add somecontext $0 ; \
>>         getsize %size somecontext; \
>>         lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
>>         while %gt15 ( shift somecontext %discard; \
>>            getsize %size somecontext; \
>>            lcall %gt15 %size -> ( sub { $_[0] > 15 } ); \
>>         )
>>
>> --
>>                                 -- rouilj
>> John Rouillard
>>
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>>
>>
>
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
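Added example, not part of the thread and not SEC's or the poster's code: a small Python (3.7+, for datetime.fromisoformat) model of the two things discussed above, the EventGroup correlation (one brute_<host>_<ip> context, 15 events in 1800 s, store trimmed to the 15 newest lines) and the sendmail message that sec_mail.pl builds, with and without the blank line Jeroen asked for. The log lines, the example.com hosts and addresses are constructed; the behaviour after the action fires (further events swallowed until the window expires) is a simplifying assumption of this model, not SEC's documented semantics.

```python
import email
import re
from collections import deque
from datetime import datetime, timedelta

# Capture groups as in the thread's rule (host, user, remote IP), plus the
# leading ISO-8601 syslog timestamp so the 1800 s window can be applied.
PATTERN = re.compile(
    r'^(\d+-\d+-\S+) (\S+).+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - '
    r'Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - '
    r'Status "ERROR: Invalid username or password"'
)
WINDOW = timedelta(seconds=1800)   # window = 1800
THRESH = 15                        # thresh = 15


def build_mail(sender, to, subject, body_lines, blank_line=True):
    """Text that sec_mail.pl pipes into 'sendmail -t'.  blank_line=False
    reproduces the bug from the thread: no empty line after the headers."""
    headers = f"To: {to}\nFrom: {sender}\nSubject: {subject}\n"
    return headers + ("\n" if blank_line else "") + "\n".join(body_lines) + "\n"


def parsed_body(raw):
    """Body as a header parser sees it: everything after the first empty line."""
    return email.message_from_string(raw).get_payload()


def header_names(raw):
    """Header field names a parser extracts.  Without the separator line the log
    lines leak in here, because '2013-07-05T17:...' looks like 'Name: value'."""
    return email.message_from_string(raw).keys()


class BruteForceCorrelator:
    """Model of the EventGroup rule with one context per brute_<host>_<ip>.
    Assumption (a simplification, not SEC's documented behaviour): once the
    action has fired, further events are ignored until the window expires."""

    def __init__(self, sender, to, window=WINDOW, thresh=THRESH):
        self.sender, self.to = sender, to
        self.window, self.thresh = window, thresh
        self.ops = {}    # context name -> {'start': ts, 'store': deque, 'fired': bool}

    def feed(self, line):
        """Feed one log line; return the report mail text when the threshold is hit."""
        m = PATTERN.match(line)
        if not m:
            return None
        ts_text, host, _user, ip = m.groups()
        ts = datetime.fromisoformat(ts_text)
        ctx = f"brute_{host}_{ip}"
        op = self.ops.get(ctx)
        if op is None or ts - op['start'] >= self.window:
            # init = create brute_$1_$3 (an expired context is dropped, as 'end = delete').
            # maxlen keeps only the newest `thresh` lines, the trim John describes.
            op = self.ops[ctx] = {'start': ts, 'store': deque(maxlen=self.thresh), 'fired': False}
        if op['fired']:
            return None
        op['store'].append(line)           # count = add brute_$1_$3 $0
        if len(op['store']) >= self.thresh:
            op['fired'] = True             # action = report brute_$1_$3 ...
            minutes = int(self.window.total_seconds()) // 60
            subject = (f"[SEC-E] Possible brute force attempt of {host} from {ip} "
                       f"(>{self.thresh} in {minutes}min)")
            return build_mail(self.sender, self.to, subject, list(op['store']))
        return None


def sample_lines(n, start="2013-07-05T17:13:00+00:00", ip="203.0.113.100"):
    """Constructed failed-login lines shaped like the load balancer log in the thread."""
    t0 = datetime.fromisoformat(start)
    return [
        f'{(t0 + timedelta(seconds=i)).isoformat()} lb1.example.com 07/05/2013:17:13:09 GMT '
        f'LB1AW2 0-PPE-4 : UI CMD_EXECUTED {374000 + i} 0 :  User root - Remote_ip {ip} - '
        f'Command "login root "********"" - Status "ERROR: Invalid username or password"'
        for i in range(n)
    ]


def run_demo(bursts=(("2013-07-05T17:13:00+00:00", 20),)):
    """Feed bursts of (start time, count) failed logins from one source; return the
    report mails that fired.  Bursts more than 1800 s apart start a new context."""
    corr = BruteForceCorrelator("sec-notify@example.com", "soc@example.com")
    reports = []
    for start, n in bursts:
        reports += [r for r in map(corr.feed, sample_lines(n, start)) if r]
    return reports


if __name__ == "__main__":
    print(run_demo()[0])
    bad = build_mail("a@example.com", "b@example.com", "test", sample_lines(2), blank_line=False)
    print("body without the blank line:", repr(parsed_body(bad)))
    print("headers the parser saw:", header_names(bad))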
