2013/12/1 termvrl term <term...@gmail.com>

> Hi all,
>
> I have been working on correlating the alerts from ModSecurity.
> When I simulate XSS attacks, modsec will generate an alert and it will match
> both the SQL rule and the XSS rule. So I want to use SEC to correlate: if it
> detects both signatures, then use the write action to log a new message. Here
> is the conf file.
>
> # Rule to match XSS attack.
> # SQL + XSS
>
> type=Pair
> ptype=RegExp
> pattern=sql_injection_attacks
> desc=$0
> action=write - SQL rule matched
> ptype2=RegExp
> pattern2=xss_attacks\s*CRITICAL
> desc2=$0
> action2=write - XSS matched
> window=5
>
> The problem is that it detects only the first pattern, and the second pattern
> never matches. Is it because ModSecurity generates them with the same
> timestamp?
>
> Attached is the sample log that I want to correlate.
>
> Thanks
> Term
>

hi,
the Pair rule works as follows -- if an event is observed which matches the
pattern given with the 'pattern' field, a waiting operation is started
which gets its ID from the 'desc' field, rule file name, and rule offset in
the file (the use of the rule file name and offset ensures that operation
IDs do not clash for different rules).
The waiting operation started by the Pair rule runs for 'window' seconds and
expects to see an event which is matched by 'pattern2'. Your sample rule
assumes the following:
1) first an event which matches the regular expression sql_injection_attacks
must come in,
2) the incoming event starts an operation whose ID contains the entire
matching line (held by the $0 variable),
3) the operation runs for 5 seconds and waits for an event matching the
regular expression xss_attacks\s*CRITICAL (this regular expression means "the
string xss_attacks, followed by 0 or more whitespace characters, followed by
the string CRITICAL").

Generally, it's a bad idea to set desc to $0, since the entire matching line
contains a timestamp, which starts a new waiting operation each time a
matching line with a newer timestamp is observed. Are you actually trying to
do processing on a client IP address basis? If so, your regular expressions
should match the IP address from incoming events and assign it to a match
variable, and this variable should be used in the 'desc' field. In that way,
you run separate event correlation operations for distinct IP addresses
(also, have a look at the relevant section in the official documentation:
http://simple-evcorr.sourceforge.net/man.html#lbAW)

Also, the Pair rule assumes that events are ordered. If this is not the case,
I would recommend considering the EventGroup2 rule. Finally, your second
regular expression xss_attacks\s*CRITICAL assumes that only whitespace can
appear between "xss_attacks" and "CRITICAL", but your log messages seem to be
different. This is probably the reason why the second pattern of your Pair
rule fails to match incoming events.

hope this helps,
risto
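A runnable model of the behaviour described in the reply above, added here as an example; it is not part of the thread and not SEC's own code. It replays the poster's rule and a corrected rule (client IP captured into $1, used as the operation ID in desc, and required again in pattern2, which is also relaxed to xss_attacks.*CRITICAL) over constructed ModSecurity-style log lines. The log lines, IP addresses, rule dicts and the simplification of measuring the window on log timestamps rather than wall-clock time are all assumptions of this example; the real ModSecurity message layout should be checked against the actual log.

```python
import re
from datetime import datetime

# Constructed ModSecurity-style error log lines (not the poster's attachment).
# The text '"] [severity "' sits between the rule name and CRITICAL, so the
# original pattern2 xss_attacks\s*CRITICAL can never match the XSS lines.
LOG_LINES = [
    '[Sun Dec 01 10:00:01 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)union.*select" at ARGS:id. [msg "sql_injection_attacks"] [severity "CRITICAL"]',
    '[Sun Dec 01 10:00:02 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)union.*select" at ARGS:q. [msg "sql_injection_attacks"] [severity "CRITICAL"]',
    '[Sun Dec 01 10:00:02 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [msg "xss_attacks"] [severity "CRITICAL"]',
    '[Sun Dec 01 10:00:03 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)union.*select" at ARGS:id. [msg "sql_injection_attacks"] [severity "CRITICAL"]',
    '[Sun Dec 01 10:00:20 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [msg "xss_attacks"] [severity "CRITICAL"]',
]

# The poster's rule as a dict of SEC Pair fields: desc=$0 keys the operation
# on the whole line, and pattern2 only allows whitespace before CRITICAL.
BAD_RULE = {
    "pattern": r"sql_injection_attacks",
    "desc": "$0",
    "action": "SQL rule matched",
    "pattern2": r"xss_attacks\s*CRITICAL",
    "action2": "XSS matched",
    "window": 5,
}

# Corrected rule (assumed): capture the client IP, key the operation on it,
# and require the same IP in pattern2 ($1 is expanded from the first match).
GOOD_RULE = {
    "pattern": r"\[client (\S+)\].*sql_injection_attacks",
    "desc": "SQL injection from $1",
    "action": "SQL rule matched for $1",
    "pattern2": r"\[client ($1)\].*xss_attacks.*CRITICAL",
    "action2": "SQL and XSS matched for $1 within window",
    "window": 5,
}


def substitute(template, match, line):
    """Expand $0 (whole line) and $1..$N (capture groups) the way SEC does."""
    return re.sub(
        r"\$(\d+)",
        lambda v: line if v.group(1) == "0" else match.group(int(v.group(1))),
        template,
    )


def event_time(line):
    """Epoch seconds from the Apache-style timestamp at the start of the line."""
    m = re.match(r"\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]", line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").timestamp()


def run_pair_rule(rule, lines):
    """Simplified model of one SEC Pair rule; returns the action strings in order.

    Simplifications: the window is measured on log timestamps instead of
    wall-clock time, and the operation ID is just the expanded desc (real SEC
    also mixes in the rule file name and offset so that rules do not clash).
    """
    active = {}   # operation id -> (expiry, first-pattern match, first line)
    output = []
    pat1 = re.compile(rule["pattern"])
    for line in lines:
        now = event_time(line)
        for key in [k for k, (exp, _, _) in active.items() if exp <= now]:
            del active[key]          # window elapsed without the second event
        for key, (_, m1, l1) in list(active.items()):
            pat2 = re.compile(substitute(rule["pattern2"], m1, l1))
            m2 = pat2.search(line)
            if m2:
                output.append(substitute(rule["action2"], m2, line))
                del active[key]      # operation completed
                break
        else:
            m1 = pat1.search(line)
            if m1:
                key = substitute(rule["desc"], m1, line)
                if key not in active:   # a running operation swallows repeats
                    active[key] = (now + rule["window"], m1, line)
                    output.append(substitute(rule["action"], m1, line))
    return output


if __name__ == "__main__":
    for name, rule in (("original", BAD_RULE), ("corrected", GOOD_RULE)):
        print(name + ":")
        for msg in run_pair_rule(rule, LOG_LINES):
            print("  " + msg)
```

Run as a script, the original rule emits only "SQL rule matched", once per SQL line because desc=$0 makes every line its own operation, and never the XSS action; the corrected rule pairs the SQL and XSS events of the first client, ignores that client's repeated SQL hit while the operation is running, and drops the second client's XSS event because it arrives after the 5-second window. The corrected fields should carry over to a real SEC rule file as pattern=\[client (\S+)\].*sql_injection_attacks, desc=SQL injection from $1 and pattern2=\[client ($1)\].*xss_attacks.*CRITICAL, but check that against the Pair rule section of the SEC manual before relying on it.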

> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>