Hi,

Thank you! I was testing your code and it was working only with thresh=2.
Like this.

type = SingleWithThreshold
desc = Check for connection by $2 not from $1
ptype = regexp
rem = $1 is ip address, $2 is user
pattern = POST ([0-9.]+) (.*)
context = ! seen_connection_from_$2_at_$1
window=3600
thresh=2
action = write c:\alerts.log "user $2 logged in from 5 different ips";
delete seen_connection_from_$2;


type = Single
desc = Record connection by $2 from $1 for 1 hour
ptype = regexp
rem = $1 is ip address, $2 is user
pattern = POST ([0-9.]+) (.*)
context = ! seen_connection_from_$2_at_$1
action = create seen_connection_from_$2 3600; alias seen_connection_from_$2 seen_connection_from_$2_at_$1;


I tried to do it like this, and it detects the differences between IPs, but it
is unable to write the alert to the file and I don't know what I'm doing
wrong. Any ideas?

type = Single
continue=takenext
desc = Record connection by $2 from $1 for 1 hour
ptype = regexp
rem = $1 is ip address, $2 is user
pattern = POST ([0-9.]+) (.*)
action = create seen_connection_from_$2 3600;

type=EventGroup2
desc = Check for connection by $2 not from $1
ptype = regexp
rem = $1 is ip address, $2 is user
pattern = POST ([0-9.]+) (.*)
context = ! seen_connection_from_$2_at_$1
window=3600
thresh=2
count=alias seen_connection_from_$2 seen_connection_from_$2_ip_$1; event escribe_$2__$1;
ptype2 = SubStr
pattern2 = escribe_$2__$1
action = write C:\alerts.log 'user $2 logged in from 5 different ips';
delete seen_connection_from_$2;


Regards.

2015-11-18 13:01 GMT+01:00 Risto Vaarandi <risto.vaara...@gmail.com>:

> hi Jaren,
>
> if you would like to memorize already observed IP addresses in a Perl hash
> table, you are free to do so, since it is another way of addressing the
> problem. Note, however, that sec contexts are implemented as a hash table
> in the sec code, so creating the hash table manually doesn't yield any
> performance benefits. Also, I would recommend using Perl code inside rules
> only when there is no other way of accomplishing the task. Whenever it is
> possible to solve a task with the primitives of the sec rule language, you
> should be taking advantage of those primitives without writing extra code
> snippets.
>
> Since in your particular case the problem can be easily addressed with
> contexts, I'd personally prefer this since the resulting ruleset is more
> readable and compact. The solution that John proposed nicely illustrates
> this, and in fact I am using a quite similar example in my lecture slides
> at the university :) This solution can be varied in several ways, and the
> introduction of the sec man page (
> http://simple-evcorr.github.io/man.html#lbAD) contains an example of the
> EventGroup rule which addresses a similar problem.
>
> hope this helps,
> risto
>
> 2015-11-18 11:30 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>
>> Hi,
>>
>> Thanks for your answer. I thought a different way. What do you think?
>>
>> type=Calendar
>> time=0 * * * *
>> desc=drop byte counters
>> action=lcall %o -> ( sub { %ip = () } )
>>
>> type=Single
>> ptype=RegExp
>> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
>> desc=$0
>> context=$1 $2 -> ( sub { $ip{$_[1]} = $_[0];\
>> Here load the hash table, insert the data and compare the elements. In
>> case is it true create an event to generate an alert.
>> })
>> action=none
>>
>> Another doubt: I tried to have this code in split files. I use the
>> external variables from the ParserUser file in the AlertaUser file to fill the data
>> into the hash table, and it gives me an error that I don't know how to solve. Is
>> it possible to do that? Fill a hash table with external variables?
>>
>> ____________________________________________________________________
>>
>> ParserUser
>> ____________________________________________________________________
>>
>> type=Calendar
>> time=0 * * * *
>> desc=drop byte counters
>> action=lcall %o -> ( sub { %ip = () } )
>>
>> type=Single
>> ptype=RegExp
>> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
>> desc=$0
>> varmap = proxyUser;log=0;ip=1;user=2
>> action =none
>>
>> ____________________________________________________________________
>>
>> AlertaUser
>> ____________________________________________________________________
>>
>> type    = Single
>> continue= takenext
>> desc     = -
>> ptype = regexp
>> pattern = SEC_STARTUP|SEC_RESTART()
>> action  = event loadHash;
>>
>> type=Single
>> desc=load hash list
>> ptype=SubStr
>> pattern=loadHash
>> action=lcall %o -> ( sub { %ip = () } )
>>
>> type=Single
>> ptype=Cached
>> pattern=proxyUser
>> desc=User_$+{user}
>> action=eval %o ( $ip{$+{user}} = $+{ip};\
>> print "######################\n";\
>> $counter = keys %ip;\
>> print "Number of keys: $counter \n";\
>> )
>>
>>
>> Kind regards. Thanks for your help again.
>>
>>
>> 2015-11-18 7:50 GMT+01:00 John P. Rouillard <rou...@cs.umb.edu>:
>>
>>>
>>> Hello Mr. Peich:
>>>
>>> In message
>>> <cact5sexby3phgblkpkyvkdm5xu06skpq4sn2-0zbsoogaua...@mail.gmail.com>,
>>> Jaren Peich writes:
>>> >I tried to create an alert that detects a user connecting to a device
>>> >through 5 different IP addresses; if this happens, create an alert.
>>> >I don't know how to detect the differences. With desc I can group by user
>>> >but I don't know how to detect the differences between the IP addresses.
>>> >Another doubt: can you read the context names that the alert is managing at
>>> >the same time? A list or something like it.
>>> >
>>> >Log file
>>> >
>>> >29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>> >29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>
>>>
>>> I assume you want to alert if you see the same user from 5 different
>>> addresses within an hour.
>>>
>>> Assume you have the following 5 log lines:
>>>
>>>   29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>   29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>   29/09/2015 10:14:POST 132.56.96.125 Korsakof
>>>   29/09/2015 10:14:POST 132.56.96.126 Korsakof
>>>   29/09/2015 10:14:POST 132.56.96.127 Korsakof
>>>
>>> Since you want to count over some time period, you can use a Single
>>> With Threshold rule like:
>>>
>>> type = SingleWithThreshold
>>> continue = takenext
>>> desc = Check for connection by $2 not from $1
>>> ptype = regexp
>>> rem = $1 is ip address, $2 is user
>>> pattern = POST ([0-9.]+) (.*)
>>> context = ! seen_connection_from_$2_at_$1
>>> action = write - 'user $2 logged in from 5 different ips'; \
>>>          delete seen_connection_from_$2
>>> window=3600
>>> thresh=5
>>>
>>> type = Single
>>> desc = Record connection by $2 from $1 for 1 hour
>>> ptype = regexp
>>> rem = $1 is ip address, $2 is user
>>> pattern = POST ([0-9.]+) (.*)
>>> context = ! seen_connection_from_$2_at_$1
>>> action = create seen_connection_from_$2 3600; \
>>>          alias seen_connection_from_$2 seen_connection_from_$2_at_$1
>>>
>>> The idea is to use the context as a filter.
>>>
>>> When:
>>>
>>>    29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>
>>> is seen, the threshold rule fires and counts 1. This same event is
>>> then passed to the single rule (because of takenext=continue on the
>>> threshold rule). The single rule then creates the context:
>>>
>>>    seen_connection_from_Korsakof_at_132.56.96.123
>>>
>>> if another event:
>>>
>>>    29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>
>>> comes through, the threshold rule sees it, but the context check
>>> requires that the context:
>>>
>>>    seen_connection_from_Korsakof_at_132.56.96.123
>>>
>>> does not exist. However, it does exist for 1 hour, so the event is not
>>> counted.
>>>
>>> When
>>>
>>>   29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>
>>> comes in, the context:
>>>
>>>    seen_connection_from_Korsakof_at_132.56.96.124
>>>
>>> does not exist yet, so it is counted. Then that context is created by
>>> the following single rule so it won't be counted again in the hour.
>>>
>>> The time window, threshold, etc. can be changed, but this is what I would
>>> use to do this.
>>>
>>> There are some actions that should clear out the old contexts, reset
>>> on trigger etc. but this should get you started.
>>>
>>> (Note I am working from memory, so the rules may need to be changed
>>> but I think the idea is correct.)
>>>
>>> --
>>>                                 -- rouilj
>>> John Rouillard
>>>
>>> ===========================================================================
>>> My employers don't acknowledge my existence much less my opinions.
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
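To make the context-as-filter mechanism that John describes in the quoted thread concrete, here is an added Python simulation of that two-rule ruleset; it is not code from the thread or from sec itself, and the names DistinctIpDetector, run and SAMPLE_LOG are this example's own. It parses constructed log lines in the thread's `POST <ip> <user>` format, keeps one context per (user, ip) pair with a 3600-second lifetime, counts each user's events that pass the context filter in a sliding 3600-second window, and on reaching the threshold emits the alert text and deletes the user's contexts, as `delete seen_connection_from_$2` does through the aliases.

```python
import re
from datetime import datetime, timedelta

# Log line format from the thread: "29/09/2015 10:14:POST 132.56.96.123 Korsakof"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}):POST ([0-9.]+) (\S+)$")


class DistinctIpDetector:
    """Simulation (not sec's own code) of the two-rule ruleset: a context per
    (user, ip) pair filters repeated addresses, and a sliding-window threshold
    counter per user raises the alert."""

    def __init__(self, thresh=5, window=3600, context_ttl=3600):
        self.thresh = thresh
        self.window = timedelta(seconds=window)
        self.ttl = timedelta(seconds=context_ttl)
        # (user, ip) -> expiry; stands in for seen_connection_from_<user>_at_<ip>
        self.seen = {}
        # user -> timestamps of counted events (the SingleWithThreshold counter)
        self.counts = {}

    def feed(self, line):
        """Process one log line; return the alert text or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M")
        ip, user = m.group(2), m.group(3)
        # Drop contexts whose lifetime has elapsed (sec expires them for you).
        self.seen = {k: exp for k, exp in self.seen.items() if exp > ts}
        # Threshold rule's context filter: an address already seen for this
        # user in the last hour is not counted again.
        if (user, ip) in self.seen:
            return None
        # Single rule: record the (user, ip) pair for the context lifetime.
        self.seen[(user, ip)] = ts + self.ttl
        # Threshold counter: keep only events inside the sliding window.
        times = [t for t in self.counts.get(user, []) if ts - t < self.window]
        times.append(ts)
        self.counts[user] = times
        if len(times) < self.thresh:
            return None
        # Threshold reached: reset the counter and remove every context of the
        # user, which is what deleting the aliased parent context does in sec.
        self.counts[user] = []
        self.seen = {k: exp for k, exp in self.seen.items() if k[0] != user}
        return f"user {user} logged in from {self.thresh} different ips"


def run(lines, **kwargs):
    """Feed lines in order and return the list of alerts raised."""
    det = DistinctIpDetector(**kwargs)
    return [alert for alert in (det.feed(line) for line in lines) if alert]


# Constructed sample input in the thread's log format.
SAMPLE_LOG = [
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",  # same address again: filtered
    "29/09/2015 10:15:POST 132.56.96.124 Korsakof",
    "29/09/2015 10:20:POST 10.0.0.7 Other",
    "29/09/2015 10:30:POST 132.56.96.125 Korsakof",
    "29/09/2015 10:45:POST 132.56.96.126 Korsakof",
    "29/09/2015 11:05:POST 132.56.96.127 Korsakof",  # fifth distinct address in the hour
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The repeated 132.56.96.123 line is dropped by the context filter, so only five distinct addresses reach the counter and the alert fires on the fifth; an address seen more than an hour after the first falls out of both the context and the window. The simulation checks the filter before creating the context, mirroring the order of the two sec rules, which in sec only works when the threshold rule passes the event on with continue=takenext so that the Single rule creating the context is reached.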