Hi David,

Last night I only tested for a single event with a matching follow-up event.

This morning I tested with two different events for the first pattern and two correlating events to follow. I was missing the proper event correlation (desc) and (desc2) to line up the first event with the matching follow-up event. Here's my update that seems to work (notice the use of $1 and $2 in pattern2 and the use of %1, %2 and %3 in desc2):

type=pair
ptype=regexp
pattern=User <([^\s]+)>.+IP <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>
desc=Get Name $1 - Global Address $2 - Local Address $3
action=write - tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$1" - Global Address ="$2" - Local Address = "$3"%{.nl}
ptype2=regexp
pattern2=Username = $1.+IP = $2.+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)
desc2=Name %1 - Global Address %2 - Add Local Address To Disconnect Message %3
action2=write - tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="%1" Global Address="%2" Local Address="%3" Duration="$1" Xmit Bytes="$2" Rcv Bytes="$3"%{.nl}

If you go this route, then you'll need to test further, since once again I only tested with a minimal set of test data of my own concoction.

Regards,
Rock

From: MILLS, ROCKY
Sent: Thursday, October 03, 2019 6:50 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2
Hi David,

Here's your same rule and same regular expressions using ptype=regexp instead of using perlfunc:

type=pair
ptype=regexp
pattern=User <([^\s]+)>.+IP <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>
desc=Get Name - Global Address - Local Address
action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$1" - Global Address ="$2" - Local Address = "$3"%{.nl};
ptype2=regexp
pattern2=Username = ($1).+IP = ($2).+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)
desc2=Add Local Address To Disconnect Message
action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$1" Global Address="$2" Local Address="%3" Duration="$3" Xmit Bytes="$4" Rcv Bytes="$5"%{.nl};

Notice action2 with the local address from the first pattern as %3, and for the second pattern, $3 is used for Duration.

Regards,
Rock

From: David Thomas [mailto:dtho...@kwiktrip.com]
Sent: Thursday, October 03, 2019 3:35 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2

I'm running into an issue with a correlation I'm trying to implement and I'm hoping you can help.

Event 1 happens when a user logs into a VPN. It has the user's name, the global address and the local address assigned by the VPN. Event 2 happens when the user logs off the VPN. It has the user's name, the global address, the duration and amount of traffic.

My objective is to get the local address from event 1 and combine it with the information from event 2. I'm using a hash to get the name and both addresses from event 1. Then in pattern 2 I reference that to see if the user name and global address match and add the local address from the hash.

What I'm trying now is below. I'm getting messages from the action2 tcpsock, so it seems like I'm matching the pattern, but the values of the hash keys that come from pattern 1 are empty.
Here is an example of what I'm getting:

VPN Disconnect - User="" Global Address="" Local Address="" Duration="0h:03m:07s" Xmit Bytes="1689622 Rcv Bytes="34370"

Here is the .sec file I'm currently using. I'm hoping someone can point out what I'm doing wrong. Thanks!

type=pair
ptype=PerlFunc
pattern=sub { my(%var); \
  if ($_[0] !~ /User <([^\s]+)>.+IP <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>/) { return 0; } \
  $var{"user"} = $1; \
  $var{"global_address"} = $2; \
  $var{"local_address"} = $3; \
  return \%var; }
desc=Get Name - Global Address - Local Address
action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$+{user}" - Global Address ="$+{global_address}" - Local Address = "$+{local_address}"%{.nl};
ptype2=PerlFunc
pattern2=sub { my(%var); \
  if ($_[0] !~ /Username = $+{user}.+IP = $+{global_address}.+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)/) { return 0; } \
  $var{"duration"} = $1; \
  $var{"xmit_bytes"} = $2; \
  $var{"rcv_bytes"} = $3; \
  return \%var; }
desc2=Add Local Address To Disconnect Message
action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$+{user}" Global Address="$+{global_address}" Local Address="$+{local_address}" Duration="$+{duration}" Xmit Bytes="$+{xmit_bytes} Rcv Bytes="$+{rcv_bytes}"%{.nl};
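The correlation this thread is after, as an added Python example that is not SEC code and was not posted by Rock or David: a login opens an operation keyed by (user, global address), exactly what putting $1 and $2 into desc achieves in the pair rule, and the matching logoff closes it and carries the stored local address into the disconnect message. The regexes are the ones from the rule (address dots escaped); the log lines are constructed, and the tcpsock actions are replaced by returned strings.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes from the rule in the thread, dots in the address escaped.
IP = r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
LOGIN_RE = re.compile(r"User <([^\s]+)>.+IP <" + IP + r">.+IPv4 Address <" + IP + r">")
LOGOFF_RE = re.compile(
    r"Username = ([^\s]+).+IP = " + IP
    + r".+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)"
)

class VpnPairCorrelator:
    """Stand-in for the SEC 'pair' rule: a login opens a correlation operation
    keyed by (user, global address), like desc 'Get Name $1 - Global Address $2';
    the matching logoff closes it and merges the stored local address in."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str], str] = {}  # (user, global) -> local

    def feed(self, line: str) -> Optional[str]:
        m = LOGIN_RE.search(line)
        if m:
            user, glob, local = m.groups()
            self.pending[(user, glob)] = local  # open the operation (SEC: action)
            return (f'LzEC VPN Address Mapping - User="{user}" - '
                    f'Global Address ="{glob}" - Local Address = "{local}"')
        m = LOGOFF_RE.search(line)
        if m:
            user, glob, dur, xmt, rcv = m.groups()
            local = self.pending.pop((user, glob), None)
            if local is None:  # no open operation for this pair: pattern2 does not fire
                return None
            return (f'LzEC VPN Disconnect - User="{user}" Global Address="{glob}" '
                    f'Local Address="{local}" Duration="{dur}" '
                    f'Xmit Bytes="{xmt}" Rcv Bytes="{rcv}"')
        return None

# Constructed sample events in the shape the rule expects (not real logs).
SAMPLE_LOG = [
    "Oct  3 15:01:02 vpn1 Group <staff> User <alice> IP <203.0.113.10> IPv4 Address <10.8.0.5> assigned",
    "Oct  3 15:01:09 vpn1 Group <staff> User <bob> IP <198.51.100.7> IPv4 Address <10.8.0.6> assigned",
    "Oct  3 15:04:09 vpn1 Username = bob IP = 198.51.100.7 Duration: 0h:03m:00s Bytes xmt: 1689622 rcv: 34370",
    "Oct  3 15:09:20 vpn1 Username = alice IP = 203.0.113.10 Duration: 0h:08m:18s Bytes xmt: 4096 rcv: 8192",
]

def run(lines: List[str]) -> List[str]:
    """Feed every line through one correlator and collect the emitted messages."""
    corr = VpnPairCorrelator()
    return [m for m in map(corr.feed, lines) if m is not None]
```

Because the key is the (user, global address) pair, bob's logoff is matched to bob's login even though alice logged in first, which is the interleaving that broke the single-operation version.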