Hi, Thanks for your answer. I thought a different way. What do you think?
type=Calendar
time=0 * * * *
desc=drop byte counters
action=lcall %o -> ( sub { %ip = () } )

type=Single
ptype=RegExp
pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
desc=$0
context=$1 $2 -> ( sub { $ip{$_[1]} = $_[0]; \
                         [here load the hash table, insert the data and compare the elements; \
                          if it is true, create an event to generate an alert] \
                       } )
action=none

Another doubt: I tried to have this code split into separate files. I use the external variables from the ParserUser file in the AlertaUser file to fill the data into the hash table, and it gives me an error that I don't know how to solve. Is it possible to do that? Fill a hash table with external variables?

____________________________________________________________________
ParserUser
____________________________________________________________________

type=Calendar
time=0 * * * *
desc=drop byte counters
action=lcall %o -> ( sub { %ip = () } )

type=Single
ptype=RegExp
pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
desc=$0
varmap=proxyUser; log=0; ip=1; user=2
action=none

____________________________________________________________________
AlertaUser
____________________________________________________________________

type=Single
continue=TakeNext
desc=-
ptype=RegExp
pattern=SEC_STARTUP|SEC_RESTART()
action=event loadHash

type=Single
desc=load hash list
ptype=SubStr
pattern=loadHash
action=lcall %o -> ( sub { %ip = () } )

type=Single
ptype=Cached
pattern=proxyUser
desc=User_$+{user}
action=eval %o ( $ip{$+{user}} = $+{ip}; \
                 print "######################\n"; \
                 $counter = keys %ip; \
                 print "Number of keys: $counter \n"; )

Kind regards. Thanks for your help again.

2015-11-18 7:50 GMT+01:00 John P. Rouillard <rou...@cs.umb.edu>:
>
> Hello Mr. Peich:
>
> In message
> <cact5sexby3phgblkpkyvkdm5xu06skpq4sn2-0zbsoogaua...@mail.gmail.com>,
> Jaren Peich writes:
> >I tried to create an alert that detects a user connecting to a device
> >through 5 different IP addresses; if this happens, create an alert.
> >I don't know how to detect the differences. With desc I can group by user,
> >but I don't know how to detect the differences between the IP addresses.
> >Another doubt: can you read the context names that the alert is managing at
> >the same time? A list or something like it.
> >
> >Log file
> >
> >29/09/2015 10:14:POST 132.56.96.123 Korsakof
> >29/09/2015 10:14:POST 132.56.96.124 Korsakof
>
> I assume you want to alert if you see the same user from 5 different
> addresses within an hour.
>
> Assume you have the following 5 log lines:
>
> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
> 29/09/2015 10:14:POST 132.56.96.124 Korsakof
> 29/09/2015 10:14:POST 132.56.96.125 Korsakof
> 29/09/2015 10:14:POST 132.56.96.126 Korsakof
> 29/09/2015 10:14:POST 132.56.96.127 Korsakof
>
> Since you want to count over some time period, you can use a Single
> With Threshold rule like:
>
> type = SingleWithThreshold
> continue = TakeNext
> desc = Check for connection by $2 not from $1
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> context = ! seen_connection_from_$2_at_$1
> action = write - 'user $2 logged in from 5 different ips'; \
>          delete seen_connection_from_$2
> window = 3600
> threshold = 5
>
> type = Single
> desc = Record connection by $2 from $1 for 1 hour
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> context = ! seen_connection_from_$2_at_$1
> action = create seen_connection_from_$2 3600; \
>          alias seen_connection_from_$2 seen_connection_from_$2_at_$1
>
> The idea is to use the context as a filter.
>
> When:
>
> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
>
> is seen, the threshold rule fires and counts 1. This same event is
> then passed to the single rule (because of continue = TakeNext on the
> threshold rule). The single rule then creates the context:
>
> seen_connection_from_Korsakof_at_132.56.96.123
>
> If another event:
>
> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
>
> comes through, the threshold rule sees it, but the context check
> requires that the context:
>
> seen_connection_from_Korsakof_at_132.56.96.123
>
> does not exist. However, it does exist for 1 hour, so the event is not
> counted.
>
> When
>
> 29/09/2015 10:14:POST 132.56.96.124 Korsakof
>
> comes in, the context:
>
> seen_connection_from_Korsakof_at_132.56.96.124
>
> does not exist yet, so it is counted. Then that context is created by
> the following single rule so it won't be counted again in the hour.
>
> The time window, threshold etc. can be changed, but this is what I would
> use to do this.
>
> There are some actions that should clear out the old contexts, reset
> on trigger etc., but this should get you started.
>
> (Note I am working from memory, so the rules may need to be changed,
> but I think the idea is correct.)
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
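The thread discusses two ways of counting distinct source addresses per user over a one-hour window: Jaren's Perl hash inside SEC, and John's SEC context-as-filter rules. The following is an added example, written for this page and not code from either poster or from the SEC project, that implements the same detection logic in plain Python so the behaviour can be checked outside SEC. It assumes the log format quoted in the thread (a 16-character `dd/mm/yyyy HH:MM` timestamp, a colon, the method, the client IP and the user name); the sample log lines are constructed, not real traffic. Like John's rules, a user/IP pair counts once from the moment it is first seen until the window elapses, and the per-user counter is reset when the alert fires.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines have the shape quoted in the thread: a 16-character timestamp,
# ':', the HTTP method, the client IP and the user name (assumed format).
LINE_RE = re.compile(r"^(.{16}):(\S+)\s(\S+)\s(\S+)\s*$")
TS_FORMAT = "%d/%m/%Y %H:%M"
WINDOW = timedelta(hours=1)
THRESHOLD = 5


def parse_line(line):
    """Return (timestamp, method, ip, user), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), TS_FORMAT)
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)


class DistinctIpDetector:
    """Alert when one user is seen from THRESHOLD distinct IPs inside WINDOW.

    Mirrors the SEC approach in the thread: a user/IP pair is remembered for
    WINDOW from the moment it is first seen (like the 3600 s context), a
    repeat of the same pair inside that time is not counted again, and the
    counter is reset once the alert fires (like 'delete seen_connection_from_$2').
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.first_seen = defaultdict(dict)  # user -> {ip: first-seen timestamp}

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, _method, ip, user = parsed
        ips = self.first_seen[user]
        # Drop pairs whose window has elapsed (the equivalent of a context expiring).
        for old_ip, seen_at in list(ips.items()):
            if ts - seen_at >= self.window:
                del ips[old_ip]
        # setdefault: a repeat of an IP already inside the window is not counted again.
        ips.setdefault(ip, ts)
        if len(ips) >= self.threshold:
            alert = "user %s logged in from %d different ips" % (user, len(ips))
            ips.clear()  # reset on trigger so the same burst does not alert twice
            return alert
        return None


def scan(lines):
    """Run the detector over an iterable of log lines and collect the alerts."""
    detector = DistinctIpDetector()
    return [a for a in map(detector.feed, lines) if a is not None]


# Constructed sample input in the thread's log format (not real traffic).
SAMPLE_LOG = [
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",  # same IP again: not counted
    "29/09/2015 10:20:POST 132.56.96.124 Korsakof",
    "29/09/2015 10:30:POST 132.56.96.125 Korsakof",
    "29/09/2015 10:45:POST 10.0.0.7 Alice",           # other user, separate counter
    "29/09/2015 10:45:POST 132.56.96.126 Korsakof",
    "29/09/2015 11:05:POST 132.56.96.127 Korsakof",  # fifth distinct IP within the hour
    "29/09/2015 12:30:POST 132.56.96.128 Korsakof",  # counter was reset, starts over
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two details worth noting when comparing this with the SEC rules: the expiry check runs only when the same user produces a new event, so an idle user's stale entries cost nothing until then, and a malformed line (wrong length or an unparsable date) is simply ignored rather than counted under a garbage user name.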
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users