hi Jaren,

if you would like to memorize already observed IP addresses in a Perl hash
table, you are free to do so, since it is another way for addressing the
problem. Note, however, that sec contexts are implemented as a hash table
in the sec code, so creating the hash table manually doesn't yield any
performance benefits. Also, I would recommend using Perl code inside rules
only when there is no other way for accomplishing the task. Whenever it is
possible to solve a task with the primitives of the sec rule language, you
should be taking advantage of those primitives without writing extra code
snippets.

Since in your particular case the problem can be easily addressed with
contexts, I'd personally prefer that, since the resulting ruleset is more
readable and compact. The solution that John proposed nicely illustrates
this, and in fact I am using a quite similar example in my lecture slides
at the university :) This solution can be varied in several ways, and the
introduction of the sec man page (
http://simple-evcorr.github.io/man.html#lbAD) contains an example of the
EventGroup rule which addresses a similar problem.

hope this helps,
risto

2015-11-18 11:30 GMT+02:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> Thanks for your answer. I thought a different way. What do you think?
>
> type=Calendar
> time=0 * * * *
> desc=drop byte counters
> action=lcall %o -> ( sub { %ip = () } )
>
> type=Single
> ptype=RegExp
> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
> desc=$0
> context=$1 $2 -> ( sub { $ip{$_[1]} = $_[0];\
> Here load the hash table, insert the data and compare the elements. In
> case is it true create an event to generate an alert.
> })
> action=none
>
> Another doubt: I tried to have this code in split files. I use the
> external variables from the ParserUser file in the AlertaUser file to fill
> the data into the hash table, and it gives me an error and I don't know how
> to solve it. Is it possible to do that? Fill a hash table with external
> variables?
>
> ____________________________________________________________________
>
> ParserUser
> ____________________________________________________________________
>
> type=Calendar
> time=0 * * * *
> desc=drop byte counters
> action=lcall %o -> ( sub { %ip = () } )
>
> type=Single
> ptype=RegExp
> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
> desc=$0
> varmap = proxyUser;log=0;ip=1;user=2
> action =none
>
> ____________________________________________________________________
>
> AlertaUser
> ____________________________________________________________________
>
> type    = Single
> continue= takenext
> desc     = -
> ptype = regexp
> pattern = SEC_STARTUP|SEC_RESTART()
> action  = event loadHash;
>
> type=Single
> desc=load hash list
> ptype=SubStr
> pattern=loadHash
> action=lcall %o -> ( sub { %ip = () } )
>
> type=Single
> ptype=Cached
> pattern=proxyUser
> desc=User_$+{user}
> action=eval %o ( $ip{$+{user}} = $+{ip};\
> print "######################\n";\
> $counter = keys %ip;\
> print "Number of keys: $counter \n";\
> )
>
>
> Kindly regards. Thanks for your help again.
>
>
> 2015-11-18 7:50 GMT+01:00 John P. Rouillard <rou...@cs.umb.edu>:
>
>>
>> Hello Mr. Peich:
>>
>> In message
>> <cact5sexby3phgblkpkyvkdm5xu06skpq4sn2-0zbsoogaua...@mail.gmail.com>,
>> Jaren Peich writes:
>> >I tried to create an alert that detects a user connecting to a device
>> >through 5 different IP addresses; if this happens, create an alert.
>> >I don't know how to detect the differences. With desc I can group by user
>> >but I don't know how to detect the differences between the IP addresses.
>> >Another doubt: can you read the context names that the alert is managing
>> at
>> >the same time? A list or something like it.
>> >
>> >Log file
>> >
>> >29/09/2015 10:14:POST 132.56.96.123 Korsakof
>> >29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>
>>
>> I assume you want to alert if you see the same user from 5 different
>> addresses within an hour.
>>
>> Assume you have the following 5 log lines:
>>
>>   29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>   29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>   29/09/2015 10:14:POST 132.56.96.125 Korsakof
>>   29/09/2015 10:14:POST 132.56.96.126 Korsakof
>>   29/09/2015 10:14:POST 132.56.96.127 Korsakof
>>
>> Since you want to count over some time period, you can use a Single
>> With Threshold rule like:
>>
>> type = SingleWithThreshold
>> continue = takenext
>> desc = Check for connections by $2 from 5 different ips
>> ptype = regexp
>> rem = $1 is ip address, $2 is user; desc must not contain $1, otherwise
>> rem = every user/ip pair gets its own counter and the threshold is never hit
>> pattern = POST ([0-9.]+) (.*)
>> context = ! seen_connection_from_$2_at_$1
>> action = write - user $2 logged in from 5 different ips;
>>          delete seen_connection_from_$2
>> window = 3600
>> threshold = 5
>>
>> type = Single
>> desc = Record connection by $2 from $1 for 1 hour
>> ptype = regexp
>> rem = $1 is ip address, $2 is user
>> pattern = POST ([0-9.]+) (.*)
>> context = ! seen_connection_from_$2_at_$1
>> action = create seen_connection_from_$2 3600;
>>          alias seen_connection_from_$2 seen_connection_from_$2_at_$1
>>
>> The idea is to use the context as a filter.
>>
>> When:
>>
>>    29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>
>> is seen, the threshold rule fires and counts 1. This same event is
>> then passed to the single rule (because of continue=takenext on the
>> threshold rule). The single rule then creates the context:
>>
>>    seen_connection_from_Korsakof_at_132.56.96.123
>>
>> If another event:
>>
>>    29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>
>> comes through, the threshold rule sees it, but the context check
>> requires that the context:
>>
>>    seen_connection_from_Korsakof_at_132.56.96.123
>>
>> does not exist. However, it does exist for 1 hour, so the event is not
>> counted.
>>
>> When
>>
>>   29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>
>> comes in, the context:
>>
>>    seen_connection_from_Korsakof_at_132.56.96.124
>>
>> does not exist yet, so it is counted. Then that context is created by
>> the following single rule so it won't be counted again in the hour.
>>
>> The time window, threshold, etc. can be changed, but this is what I would
>> use to do this.
>>
>> There are some actions that should clear out the old contexts, reset
>> on trigger etc. but this should get you started.
>>
>> (Note I am working from memory, so the rules may need to be changed
>> but I think the idea is correct.)
>>
>> --
>>                                 -- rouilj
>> John Rouillard
>>
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>>
>
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
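The following is an added example, not code from this thread or from the sec project: a small Python model of John's two rules, run over constructed log lines in the format Jaren posted. It shows the three things the thread turns on: the negated context acts as a per-user/per-IP deduplication filter, the SingleWithThreshold counter is keyed on the desc string (so a desc that still contains the IP never reaches the threshold), and the one-hour lifetime of the aliased context plus the sliding window bound what gets counted. The context names follow John's rules; the sample lines, the sliding-window bookkeeping and the choice that `create` is a no-op for a context that is still alive are assumptions of this model, not a statement of sec's exact action semantics.

```python
import re
from datetime import datetime

WINDOW = 3600     # seconds, the rule's window=3600
THRESHOLD = 5     # distinct IPs per user, the rule's threshold=5
# Timestamp plus John's "POST ([0-9.]+) (.*)" fields.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}):POST ([0-9.]+) (\S+)$")

# Constructed sample input (not from the thread). Repeated IPs must not count;
# the fifth distinct IP for Korsakof arrives at 10:40.
SAMPLE_LOG = [
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",
    "29/09/2015 10:15:POST 132.56.96.123 Korsakof",  # repeat
    "29/09/2015 10:16:POST 132.56.96.124 Korsakof",
    "29/09/2015 10:20:POST 132.56.96.125 Korsakof",
    "29/09/2015 10:25:POST 10.0.0.7 Other",          # other user, own counter
    "29/09/2015 10:30:POST 132.56.96.126 Korsakof",
    "29/09/2015 10:40:POST 132.56.96.127 Korsakof",  # fifth distinct IP
]
# Constructed: five IPs over 66 minutes (no alert), then a sixth that makes
# five distinct IPs inside one sliding hour (alert).
SLOW_LOG = [
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",
    "29/09/2015 10:30:POST 132.56.96.124 Korsakof",
    "29/09/2015 10:50:POST 132.56.96.125 Korsakof",
    "29/09/2015 11:10:POST 132.56.96.126 Korsakof",
    "29/09/2015 11:20:POST 132.56.96.127 Korsakof",
    "29/09/2015 11:25:POST 132.56.96.128 Korsakof",
]


class ContextStore:
    """Model of sec contexts: name -> expiry time; an alias is a second name
    for the same entry, so deleting the name removes its aliases as well."""

    def __init__(self):
        self.expiry = {}    # canonical name -> expiry time (epoch seconds)
        self.alias_of = {}  # alias -> canonical name

    def exists(self, name, now):
        canon = self.alias_of.get(name, name)
        return canon in self.expiry and self.expiry[canon] > now

    def create(self, name, lifetime, now):
        # Model assumption: create is a no-op while the context is still alive.
        if not self.exists(name, now):
            self.delete(name)
            self.expiry[name] = now + lifetime

    def alias(self, name, alias):
        if name in self.expiry:
            self.alias_of[alias] = name

    def delete(self, name):
        self.expiry.pop(name, None)
        for a in [a for a, c in self.alias_of.items() if c == name]:
            del self.alias_of[a]


class ThresholdCounter:
    """Model of SingleWithThreshold: one counter per desc string holding event
    times inside a sliding window; it resets once the action has fired."""

    def __init__(self, window, threshold):
        self.window, self.threshold, self.events = window, threshold, {}

    def count(self, desc, now):
        times = [t for t in self.events.get(desc, []) if t > now - self.window]
        times.append(now)
        self.events[desc] = [] if len(times) >= self.threshold else times
        return len(times) >= self.threshold


def correlate(lines, ip_in_desc=False):
    """Run the two-rule ruleset over log lines and return the alerts written.
    ip_in_desc=True mimics a desc that contains $1: each user/IP pair then has
    its own counter, filtered to one event per hour, so 5 is never reached."""
    ctx, counter, alerts = ContextStore(), ThresholdCounter(WINDOW, THRESHOLD), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M").timestamp()
        ip, user = m.group(2), m.group(3)
        seen_at_ip = f"seen_connection_from_{user}_at_{ip}"  # $2 and $1 expanded
        seen_user = f"seen_connection_from_{user}"
        desc = f"{user} from {ip}" if ip_in_desc else f"{user} from 5 different ips"
        # Rule 1 (SingleWithThreshold): the negated context is the filter, so an
        # IP already recorded for this user within the hour is not counted.
        if not ctx.exists(seen_at_ip, now):
            if counter.count(desc, now):
                alerts.append(f"user {user} logged in from {THRESHOLD} different ips")
                ctx.delete(seen_user)   # drops the user's per-IP aliases too
        # Rule 2 (Single, reached via continue=takenext): remember the user/IP
        # pair for WINDOW seconds by aliasing it onto the per-user context.
        if not ctx.exists(seen_at_ip, now):
            ctx.create(seen_user, WINDOW, now)
            ctx.alias(seen_user, seen_at_ip)
    return alerts
```

`correlate(SAMPLE_LOG)` returns one alert for Korsakof, while `correlate(SAMPLE_LOG, ip_in_desc=True)` returns nothing, which is the failure mode to watch for when a desc line is copied from a Single rule that legitimately uses both variables. The first five SLOW_LOG lines produce no alert because the 10:14 event has fallen out of the window by 11:20, and the sixth line tips the count to five within the hour.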
