hi Jaren,
2015-11-23 13:19 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> Thank you! I was testing your code and it was working only with thresh=2.
> Like this.
>
> type = SingleWithThreshold
> desc = Check for connection by $2 not from $1
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> context = ! seen_connection_from_$2_at_$1
> window=3600
> thresh=2
> action = write c:\alerts.log "user $2 logged in from 5 different ips"; delete seen_connection_from_$2;
>
>
> type = Single
> desc = Record connection by $2 from $1 for 1 hour
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> context = ! seen_connection_from_$2_at_$1
> action = create seen_connection_from_$2 3600; alias seen_connection_from_$2 seen_connection_from_$2_at_$1;
>
>
> I tried to do it like this, but although it detects the differences between IPs, it
> is unable to write the alert to the file, and I don't know what I'm doing
> wrong. Any ideas?
>
after looking into your ruleset, I noticed a small typo -- I think the
'desc' field should be set to
desc=Check for connection by $2
Setting the 'desc' field defines the scope of event correlation,
and having the field set to "Check for connection by $2" would do event
counting for each username separately, since the string set by the 'desc'
field is part of the event correlation operation identifier.
However, setting the 'desc' field as
desc=Check for connection by $2 not from $1
would count events for each distinct username-IP pair separately, which is
not what you want. Also, it is best to create the seen_connection_from_$2
context with the 'init' field of the EventGroup rule without a lifetime,
and delete this context with the 'end' field.
After modifying your ruleset as follows, it was producing the expected
effect:
type=EventGroup
ptype=regexp
pattern=POST ([0-9.]+) (.*)
context=!seen_connection_from_$2_ip_$1
desc=Check for connection by $2
init=create seen_connection_from_$2
count=alias seen_connection_from_$2 seen_connection_from_$2_ip_$1
end=delete seen_connection_from_$2
window=3600
thresh=5
action = write - 'user $2 logged in from 5 different ips'
This rule has one slight deficiency -- all context
aliases seen_connection_from_$2_ip_$1 will exist until the operation
terminates, and if the event correlation window of 3600 seconds slides during
event processing, the aliases can exist for much longer than 3600
seconds. As a consequence, each username-IP pair will be counted only once
during the entire lifetime of the operation (the operation can live longer
than 3600 seconds if the window slides).
hope this helps,
risto
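As an added illustration (not code from this thread or from sec itself), the following Python re-implements the counting scheme that John's SingleWithThreshold/Single pair and Risto's EventGroup rule express: a per-(user, IP) "context" acts as a filter so a repeated IP is not counted, and an alert fires once five distinct IPs are seen for one user within 3600 seconds. It goes one step further than the rule above by giving each pair its own expiry, which addresses the alias-lifetime deficiency noted. The log format, the sample events and the names DistinctIpDetector and run are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Log format from the thread: "29/09/2015 10:14:POST 132.56.96.123 Korsakof"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}):POST ([0-9.]+) (.*)$")

class DistinctIpDetector:
    """Count distinct source IPs per user inside a sliding window.  Each
    (user, ip) entry plays the role of the seen_connection_from_$2_ip_$1
    context (repeat IPs are filtered, not counted) but expires on its own."""

    def __init__(self, window=3600, thresh=5):
        self.window = timedelta(seconds=window)
        self.thresh = thresh
        self.seen = {}  # user -> {ip: time first seen}

    def feed(self, line):
        """Process one log line; return an alert string or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M")
        ip, user = m.group(2), m.group(3)
        ips = self.seen.setdefault(user, {})
        # Expire pairs older than the window, like a context lifetime.
        for old_ip in [k for k, t in ips.items() if ts - t > self.window]:
            del ips[old_ip]
        if ip in ips:            # context exists: event filtered, not counted
            return None
        ips[ip] = ts             # create the per-pair context
        if len(ips) >= self.thresh:
            del self.seen[user]  # like 'delete seen_connection_from_$2'
            return f"user {user} logged in from {self.thresh} different ips"
        return None

def run(lines, window=3600, thresh=5):
    det = DistinctIpDetector(window, thresh)
    return [a for a in map(det.feed, lines) if a]

# Constructed sample events (not taken from the original thread)
SAMPLE = [
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",
    "29/09/2015 10:14:POST 132.56.96.123 Korsakof",  # same IP: filtered
    "29/09/2015 10:20:POST 132.56.96.124 Korsakof",
    "29/09/2015 10:30:POST 10.0.0.5 Smith",          # other user, counted apart
    "29/09/2015 10:40:POST 132.56.96.125 Korsakof",
    "29/09/2015 10:50:POST 132.56.96.126 Korsakof",
    "29/09/2015 11:16:POST 132.56.96.123 Korsakof",  # 10:14 entry expired: counts
    "29/09/2015 11:18:POST 132.56.96.127 Korsakof",  # fifth distinct IP: alert
]
```

Calling run(SAMPLE) yields a single alert for Korsakof; the repeated 132.56.96.123 at 10:14 is filtered, while its reappearance at 11:16 counts again because the earlier entry has aged out of the window.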
> type = Single
> continue=takenext
> desc = Record connection by $2 from $1 for 1 hour
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> action = create seen_connection_from_$2 3600;
>
> type=EventGroup2
> desc = Check for connection by $2 not from $1
> ptype = regexp
> rem = $1 is ip address, $2 is user
> pattern = POST ([0-9.]+) (.*)
> context = ! seen_connection_from_$2_at_$1
> window=3600
> thresh=2
> count=alias seen_connection_from_$2 seen_connection_from_$2_ip_$1; event escribe_$2__$1;
> ptype2 = SubStr
> pattern2 = escribe_$2__$1
> action = write C:\alerts.log 'user $2 logged in from 5 different ips'; delete seen_connection_from_$2;
>
>
> Regards.
>
> 2015-11-18 13:01 GMT+01:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> hi Jaren,
>>
>> if you would like to memorize already observed IP addresses in a Perl
>> hash table, you are free to do so, since it is another way of addressing
>> the problem. Note, however, that sec contexts are implemented as a hash
>> table in the sec code, so creating the hash table manually doesn't yield
>> any performance benefits. Also, I would recommend using Perl code inside
>> rules only when there is no other way of accomplishing the task. Whenever
>> it is possible to solve a task with the primitives of the sec rule
>> language, you should take advantage of those primitives without
>> writing extra code snippets.
>>
>> Since in your particular case the problem can be easily addressed with
>> contexts, I'd personally prefer this since the resulting ruleset is more
>> readable and compact. The solution that John proposed nicely illustrates
>> this, and in fact I am using a quite similar example in my lecture slides
>> at the university :) This solution can be varied in several ways, and the
>> introduction of the sec man page (
>> http://simple-evcorr.github.io/man.html#lbAD) contains an example of the
>> EventGroup rule which addresses a similar problem.
>>
>> hope this helps,
>> risto
>>
>> 2015-11-18 11:30 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi,
>>>
>>> Thanks for your answer. I thought of a different way. What do you think?
>>>
>>> type=Calendar
>>> time=0 * * * *
>>> desc=drop byte counters
>>> action=lcall %o -> ( sub { %ip = () } )
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
>>> desc=$0
>>> context=$1 $2 -> ( sub { $ip{$_[1]} = $_[0];\
>>> Here load the hash table, insert the data and compare the elements. In
>>> case is it true create an event to generate an alert.
>>> })
>>> action=none
>>>
>>> Another doubt: I tried to have this code in split files. I use the
>>> external variables from the ParserUser file in the AlertaUser file to fill the data
>>> into the hash table, and it gives me an error that I don't know how to solve. Is
>>> it possible to do that? Fill a hash table with external variables?
>>>
>>> ____________________________________________________________________
>>>
>>> ParserUser
>>> ____________________________________________________________________
>>>
>>> type=Calendar
>>> time=0 * * * *
>>> desc=drop byte counters
>>> action=lcall %o -> ( sub { %ip = () } )
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=.{16}:[^\s]*\s([^\s]*)\s([^\s]*)
>>> desc=$0
>>> varmap = proxyUser;log=0;ip=1;user=2
>>> action =none
>>>
>>> ____________________________________________________________________
>>>
>>> AlertaUser
>>> ____________________________________________________________________
>>>
>>> type = Single
>>> continue= takenext
>>> desc = -
>>> ptype = regexp
>>> pattern = SEC_STARTUP|SEC_RESTART()
>>> action = event loadHash;
>>>
>>> type=Single
>>> desc=load hash list
>>> ptype=SubStr
>>> pattern=loadHash
>>> action=lcall %o -> ( sub { %ip = () } )
>>>
>>> type=Single
>>> ptype=Cached
>>> pattern=proxyUser
>>> desc=User_$+{user}
>>> action=eval %o ( $ip{$+{user}} = $+{ip};\
>>> print "######################\n";\
>>> $counter = keys %ip;\
>>> print "Number of keys: $counter \n";\
>>> )
>>>
>>>
>>> Kind regards. Thanks for your help again.
>>>
>>>
>>> 2015-11-18 7:50 GMT+01:00 John P. Rouillard <rou...@cs.umb.edu>:
>>>
>>>>
>>>> Hello Mr. Peich:
>>>>
>>>> In message
>>>> <cact5sexby3phgblkpkyvkdm5xu06skpq4sn2-0zbsoogaua...@mail.gmail.com>,
>>>> Jaren Peich writes:
>>>> >I tried to create an alert that detects a user connecting to a device
>>>> >through 5 different IP addresses; if this happens, create an alert.
>>>> >I don't know how to detect the differences. With desc I can group by user,
>>>> >but I don't know how to detect the differences between the IP addresses.
>>>> >Another doubt: can you read the context names that the alert is managing at
>>>> >the same time? A list or something like it.
>>>> >
>>>> >Log file
>>>> >
>>>> >29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>> >29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>>
>>>>
>>>> I assume you want to alert if you see the same user from 5 different
>>>> addresses within an hour.
>>>>
>>>> Assume you have the following 5 log lines:
>>>>
>>>> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>> 29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>> 29/09/2015 10:14:POST 132.56.96.125 Korsakof
>>>> 29/09/2015 10:14:POST 132.56.96.126 Korsakof
>>>> 29/09/2015 10:14:POST 132.56.96.127 Korsakof
>>>>
>>>> Since you want to count over some time period, you can use a
>>>> SingleWithThreshold rule like:
>>>>
>>>> type = SingleWithThreshold
>>>> continue = takenext
>>>> desc = Check for connection by $2 not from $1
>>>> ptype = regexp
>>>> rem = $1 is ip address, $2 is user
>>>> pattern = POST ([0-9.]+) (.*)
>>>> context = ! seen_connection_from_$2_at_$1
>>>> action = write - 'user $2 logged in from 5 different ips'; delete seen_connection_from_$2
>>>> window=3600
>>>> thresh=5
>>>>
>>>> type = Single
>>>> desc = Record connection by $2 from $1 for 1 hour
>>>> ptype = regexp
>>>> rem = $1 is ip address, $2 is user
>>>> pattern = POST ([0-9.]+) (.*)
>>>> context = ! seen_connection_from_$2_at_$1
>>>> action = create seen_connection_from_$2 3600; alias seen_connection_from_$2 seen_connection_from_$2_at_$1
>>>>
>>>> The idea is to use the context as a filter.
>>>>
>>>> When:
>>>>
>>>> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>>
>>>> is seen, the threshold rule fires and counts 1. This same event is
>>>> then passed to the single rule (because of takenext=continue on the
>>>> threshold rule). The single rule then creates the context:
>>>>
>>>> seen_connection_from_Korsakof_at_132.56.96.123
>>>>
>>>> if another event:
>>>>
>>>> 29/09/2015 10:14:POST 132.56.96.123 Korsakof
>>>>
>>>> comes through, the threshold rule sees it, but the context check
>>>> requires that the context:
>>>>
>>>> seen_connection_from_Korsakof_at_132.56.96.123
>>>>
>>>> does not exist. However, it does exist for 1 hour, so the event is not
>>>> counted.
>>>>
>>>> When
>>>>
>>>> 29/09/2015 10:14:POST 132.56.96.124 Korsakof
>>>>
>>>> comes in, the context:
>>>>
>>>> seen_connection_from_Korsakof_at_132.56.96.124
>>>>
>>>> does not exist yet, so it is counted. Then that context is created by
>>>> the following single rule so it won't be counted again in the hour.
>>>>
>>>> The time window, threshold etc can be changed but this is what I would
>>>> use to do this.
>>>>
>>>> There are some actions that should clear out the old contexts, reset
>>>> on trigger etc. but this should get you started.
>>>>
>>>> (Note I am working from memory, so the rules may need to be changed
>>>> but I think the idea is correct.)
>>>>
>>>> --
>>>> -- rouilj
>>>> John Rouillard
>>>>
>>>> ===========================================================================
>>>> My employers don't acknowledge my existence much less my opinions.
>>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>>
>>
>