Hello Mr. Peich:

In message <cact5sexby3phgblkpkyvkdm5xu06skpq4sn2-0zbsoogaua...@mail.gmail.com>,
Jaren Peich writes:

>I tried to create an alert that detects a user connecting to a device
>through 5 different ip addresses; if this happens, create an alert.
>I don't know how to detect the differences. With desc I can group by user,
>but I don't know how to detect the differences between the ip addresses.
>Another doubt: can you read the context names that the alert is managing at
>the same time? A list or something like it.
>
>Log file
>
>29/09/2015 10:14:POST 132.56.96.123 Korsakof
>29/09/2015 10:14:POST 132.56.96.124 Korsakof
I assume you want to alert if you see the same user from 5 different
addresses within an hour. Assume you have the following 5 log lines:

  29/09/2015 10:14:POST 132.56.96.123 Korsakof
  29/09/2015 10:14:POST 132.56.96.124 Korsakof
  29/09/2015 10:14:POST 132.56.96.125 Korsakof
  29/09/2015 10:14:POST 132.56.96.126 Korsakof
  29/09/2015 10:14:POST 132.56.96.127 Korsakof

Since you want to count over some time period, you can use a
SingleWithThreshold rule like:

  # Count distinct-ip connections per user. The desc is keyed on $2
  # only, so all ip addresses for one user share one counter.
  type=SingleWithThreshold
  continue=TakeNext
  desc=Check for connections by $2 from different ips
  ptype=regexp
  rem=$1 is ip address, $2 is user
  pattern=POST ([0-9.]+) (.*)
  context=!seen_connection_from_$2_at_$1
  action=write - user $2 logged in from 5 different ips; \
         delete seen_connection_from_$2
  window=3600
  thresh=5

  # Remember that this user was seen from this ip for one hour.
  type=Single
  desc=Record connection by $2 from $1 for 1 hour
  ptype=regexp
  rem=$1 is ip address, $2 is user
  pattern=POST ([0-9.]+) (.*)
  context=!seen_connection_from_$2_at_$1
  action=create seen_connection_from_$2 3600; \
         alias seen_connection_from_$2 seen_connection_from_$2_at_$1

The idea is to use the context as a filter. When:

  29/09/2015 10:14:POST 132.56.96.123 Korsakof

is seen, the threshold rule fires and counts 1. This same event is
then passed to the single rule (because of continue=TakeNext on the
threshold rule). The single rule then creates the context:

  seen_connection_from_Korsakof_at_132.56.96.123

If another event:

  29/09/2015 10:14:POST 132.56.96.123 Korsakof

comes through, the threshold rule sees it, but the context check
requires that the context:

  seen_connection_from_Korsakof_at_132.56.96.123

does not exist. However, it does exist for 1 hour, so the event is
not counted. When

  29/09/2015 10:14:POST 132.56.96.124 Korsakof

comes in, the context:

  seen_connection_from_Korsakof_at_132.56.96.124

does not exist yet, so it is counted. Then that context is created by
the following single rule so it won't be counted again in the hour.
The time window, threshold, etc. can be changed, but this is what I
would use to do this. There are some actions that should clear out the
old contexts, reset on trigger, etc., but this should get you started.
(Note I am working from memory, so the rules may need to be changed,
but I think the idea is correct.)

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
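The following Python script is an added illustration, not part of the thread or of SEC itself: it simulates the two rules above on constructed log lines in the same format, so the per-(user, ip) context filter, the per-user count and the one-hour lifetime can be traced without a running sec process. The class name, the sample lines (the repeated .123 address and the second user "Other") and the threshold/window parameters are all constructed for the example; it also answers the second question in the thread by listing the context names that are currently alive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the thread's log format (not real traffic):
# the .123 address repeats, and a second user is mixed in, to show that a
# repeat is not counted and that the count is kept per user.
SAMPLE_LOG = """\
29/09/2015 10:14:POST 132.56.96.123 Korsakof
29/09/2015 10:14:POST 132.56.96.124 Korsakof
29/09/2015 10:15:POST 132.56.96.123 Korsakof
29/09/2015 10:15:POST 132.56.96.125 Korsakof
29/09/2015 10:16:POST 132.56.96.126 Korsakof
29/09/2015 10:17:POST 10.0.0.5 Other
29/09/2015 10:20:POST 132.56.96.127 Korsakof
"""

# Same capture groups as the SEC pattern: $1 is the ip address, $2 the user.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}):POST ([0-9.]+) (\S+)$")


class DistinctIpCorrelator:
    """Stand-in for the pair of SEC rules: one entry per (user, ip) plays
    the role of the seen_connection_from_<user>_at_<ip> context."""

    def __init__(self, window_seconds=3600, threshold=5):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        # user -> {ip: time the context was created}
        self.contexts = defaultdict(dict)

    def feed(self, line):
        """Process one log line; return the alert text if the threshold is hit."""
        m = LINE_RE.match(line)
        if not m:
            return None
        seen_at = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M")
        ip, user = m.group(2), m.group(3)
        ctx = self.contexts[user]
        # Contexts live for one window; expire the stale ones first.
        for old_ip in [k for k, t in ctx.items() if seen_at - t >= self.window]:
            del ctx[old_ip]
        # context=!seen_connection_from_$2_at_$1: an existing context means
        # this event is not counted.
        if ip in ctx:
            return None
        ctx[ip] = seen_at  # the Single rule creates the context
        if len(ctx) >= self.threshold:
            # delete seen_connection_from_$2 drops every alias for this user
            del self.contexts[user]
            return f"user {user} logged in from {self.threshold} different ips"
        return None

    def context_names(self):
        """The second question in the thread: the contexts currently alive."""
        return sorted(
            f"seen_connection_from_{user}_at_{ip}"
            for user, ctx in self.contexts.items()
            for ip in ctx
        )


def run(lines, **kwargs):
    """Feed lines in order; return (alerts raised, contexts still alive)."""
    corr = DistinctIpCorrelator(**kwargs)
    alerts = [a for a in (corr.feed(line) for line in lines) if a]
    return alerts, corr.context_names()


if __name__ == "__main__":
    alerts, live = run(SAMPLE_LOG.splitlines())
    print("\n".join(alerts))
    print("live contexts:", live)
```

On the sample the repeated .123 line is skipped, the "Other" user keeps its own count, and the alert fires on the fifth distinct Korsakof address, after which only the Other context remains alive. Note that, unlike the SEC pair, this keeps one counter per user rather than one per ip, which is why the desc of the threshold rule must not contain $1.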
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users