Re: [Simple-evcorr-users] Correlation Upon Aggregation
Hi Risto

Thanks a lot for the detailed explanation! You are correct about aggregation and your suggestion clarified all the queries. (|) was a typo. I'll run the tests as suggested and also will check on cspawn and udpsock.

Thanks again for promising sec

Regards,
Santhosh S

On Mon, May 13, 2019, 20:13 Risto Vaarandi wrote:

> hi Santhosh,
>
> since you are using a SingleWithSuppress rule for aggregation, is my understanding correct that the term "aggregation" means generating a syslog message on the first matching event, suppressing the following matching events during 300 seconds? If so, you don't need the PairWithWindow rule but can accomplish your task with the SingleWithSuppress rule that you already have in your rulebase. All you need to do is to set up a file which contains IP addresses of interest, and load it when SEC starts or the file is updated. Here is a simple ruleset that implements this task:
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=load blacklist of bad IP addresses
> action=delete BADIP; create BADIP; \
> lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
> cspawn BadIp cat /tmp/badip.txt
>
> type=Calendar
> time=* * * * *
> context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
> if (!defined($temp)) { return 0; } \
> if (!defined($mtime) || $temp != $mtime) \
> { $mtime = $temp; return 1; } \
> return 0; } )
> desc=reload updated blacklist of bad IP addresses
> action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt
>
> type=Single
> ptype=RegExp
> pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
> context=BadIp
> desc=set up a blacklist entry for IP address $1
> action=alias BADIP BADIP_$1
>
> Note that for reading the file with blacklist entries, I have used the 'cspawn' action, since it is more efficient and simple than the combination of 'lcall' and 'cevent' in your ruleset. Also, I have included an additional Calendar rule which checks the blacklist file once a minute, and reloads the blacklist if the file modification time has changed (the modification time has been memorized in the Perl $mtime global variable).
>
> Once the blacklist has been loaded, you could use the following SingleWithSuppress rules for reacting to the first IDS event which is observed for a specific combination of source IP address and attack name, and suppressing the following events for the same combination during 300 seconds:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=BADIP_$1
> desc=Security Alert $2 for blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=!BADIP_$1
> desc=Security Alert $2 for non-blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> Note that the 'pipe' action in your rule example has invalid syntax, since there is no pipe (|) symbol between the event string and the external command line. Also, it is inefficient to fork a process each time an event needs to be sent to the central syslog server, and the 'udpsock' action is a much better alternative since it only sets up a single UDP socket for talking to the server (the documentation of the 'udpsock' action actually contains an example of communicating with a remote syslog server, and I have used it in the above rules).
>
> I hope that the above examples are helpful.
>
> kind regards,
> risto
>
> Contact Santhosh Kumar () wrote on Mon, 13 May 2019 at 13:56:
>
>> Hi Risto
>>
>> Greetings..!!
>>
>> I would like to get your suggestions on event correlation upon aggregation. The rule below aggregates events with whitelisting criteria.
>>
>> ---
>> type=Single
>> ptype=RegExp
>> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
>> desc=load blacklist
>> action=logonly; delete WL; create WL; \
>> lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
>> cevent Whitelist 0 %events
>>
>> type=Single
>> ptype=RegExp
>> pattern=.
>> context=Whitelist
>> desc=create a whitelist entry
>> action=logonly; alias WL WL_$0
>>
>> type=SingleWithSuppress
>> ptype=regexp
>> context=!WL_$2
>> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
>> desc=Suppressed $2 Security Alert towards $1
>> action= pipe '<5>$0' | nc syslog01 514
>> window=300
>> ---
>>
>> Now will a "pairwithwindow" rule on top of this help me to achieve correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel IP (which is
Re: [Simple-evcorr-users] Correlation Upon Aggregation
hi Santhosh,

since you are using a SingleWithSuppress rule for aggregation, is my understanding correct that the term "aggregation" means generating a syslog message on the first matching event, suppressing the following matching events during 300 seconds? If so, you don't need the PairWithWindow rule but can accomplish your task with the SingleWithSuppress rule that you already have in your rulebase. All you need to do is to set up a file which contains IP addresses of interest, and load it when SEC starts or the file is updated. Here is a simple ruleset that implements this task:

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=load blacklist of bad IP addresses
action=delete BADIP; create BADIP; \
lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
cspawn BadIp cat /tmp/badip.txt

type=Calendar
time=* * * * *
context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
if (!defined($temp)) { return 0; } \
if (!defined($mtime) || $temp != $mtime) \
{ $mtime = $temp; return 1; } \
return 0; } )
desc=reload updated blacklist of bad IP addresses
action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt

type=Single
ptype=RegExp
pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
context=BadIp
desc=set up a blacklist entry for IP address $1
action=alias BADIP BADIP_$1

Note that for reading the file with blacklist entries, I have used the 'cspawn' action, since it is more efficient and simple than the combination of 'lcall' and 'cevent' in your ruleset. Also, I have included an additional Calendar rule which checks the blacklist file once a minute, and reloads the blacklist if the file modification time has changed (the modification time has been memorized in the Perl $mtime global variable).

Once the blacklist has been loaded, you could use the following SingleWithSuppress rules for reacting to the first IDS event which is observed for a specific combination of source IP address and attack name, and suppressing the following events for the same combination during 300 seconds:

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=BADIP_$1
desc=Security Alert $2 for blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=!BADIP_$1
desc=Security Alert $2 for non-blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

Note that the 'pipe' action in your rule example has invalid syntax, since there is no pipe (|) symbol between the event string and the external command line. Also, it is inefficient to fork a process each time an event needs to be sent to the central syslog server, and the 'udpsock' action is a much better alternative since it only sets up a single UDP socket for talking to the server (the documentation of the 'udpsock' action actually contains an example of communicating with a remote syslog server, and I have used it in the above rules).

I hope that the above examples are helpful.

kind regards,
risto

Contact Santhosh Kumar () wrote on Mon, 13 May 2019 at 13:56:

> Hi Risto
>
> Greetings..!!
>
> I would like to get your suggestions on event correlation upon aggregation. The rule below aggregates events with whitelisting criteria.
>
> ---
> type=Single
> ptype=RegExp
> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
> desc=load blacklist
> action=logonly; delete WL; create WL; \
> lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
> cevent Whitelist 0 %events
>
> type=Single
> ptype=RegExp
> pattern=.
> context=Whitelist
> desc=create a whitelist entry
> action=logonly; alias WL WL_$0
>
> type=SingleWithSuppress
> ptype=regexp
> context=!WL_$2
> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
> desc=Suppressed $2 Security Alert towards $1
> action= pipe '<5>$0' | nc syslog01 514
> window=300
> ---
>
> Now will a "pairwithwindow" rule on top of this help me to achieve correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel IP (which is stored in a file).
>
> Conditions to meet are,
> Condition 1: Need to forward Aggregated + Correlated log to external syslog server.
> Condition 2: If Correlation is not matching, just the Aggregated log should be forwarded to external syslog server.
>
> Please suggest best practices.
>
> Regards,
> Santhosh S

___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
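To make the behaviour of Risto's ruleset concrete before loading it into SEC, here is an added Python model of it (example code written for this thread, not part of SEC or of either poster's rules). It mirrors the three pieces of the design: the startup load plus the mtime-driven Calendar reload of the blacklist file, the per-line IPv4 check that turns file lines into BADIP_<ip> aliases, and the SingleWithSuppress semantics of forwarding the first event per expanded desc and dropping repeats for 300 seconds. The blacklist content, the IDS lines and the epoch timestamps are constructed for the demo; the temporary file stands in for /tmp/badip.txt.

```python
import os
import re
import tempfile
import time

# Constructed sample blacklist (stands in for /tmp/badip.txt); the malformed line
# shows that only clean IPv4 lines become BADIP_<ip> aliases.
BLACKLIST_TEXT = "10.0.0.5\n  192.168.1.20 \nnot-an-ip\n"

IP_LINE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")      # blacklist-entry rule
IDS_EVENT = re.compile(r"IDS.*src=([\d.]+).*attack_name=(\S+)")  # SingleWithSuppress pattern
WINDOW = 300                                                     # window=300


class Blacklist:
    """Startup rule + Calendar rule: load the file once, reload when its mtime changes."""

    def __init__(self, path):
        self.path = path
        self.mtime = None      # the $mtime global of the ruleset
        self.ips = set()       # the BADIP_<ip> aliases
        self.reload()

    def reload(self):
        self.ips = set()       # 'delete BADIP; create BADIP'
        try:
            self.mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            return
        with open(self.path) as fh:
            for line in fh:    # each line is one event from 'cspawn BadIp cat ...'
                m = IP_LINE.match(line)
                if m:
                    self.ips.add(m.group(1))   # 'alias BADIP BADIP_$1'

    def reload_if_changed(self):
        """The once-a-minute Calendar check: reload only if the mtime moved."""
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            return False
        if self.mtime is None or mtime != self.mtime:
            self.reload()
            return True
        return False


class SuppressingCorrelator:
    """SingleWithSuppress: forward the first event per desc, drop repeats for WINDOW
    seconds. SEC keys the operation on the expanded desc, so the blacklisted and
    non-blacklisted rules never suppress each other."""

    def __init__(self, blacklist):
        self.blacklist = blacklist
        self.window_start = {}   # desc -> time the current suppression window began
        self.forwarded = []      # what would have gone out via udpsock

    def process(self, line, now):
        m = IDS_EVENT.search(line)
        if not m:
            return None
        src, attack = m.group(1), m.group(2)
        tag = "blacklisted" if src in self.blacklist.ips else "non-blacklisted"
        desc = f"Security Alert {attack} for {tag} IP {src}"
        start = self.window_start.get(desc)
        if start is not None and now - start < WINDOW:
            return None          # suppressed: same desc inside the window
        self.window_start[desc] = now
        # BSD-syslog style payload; <13> is user.notice and the timestamp approximates
        # the %.monstr %.mdaystr %.hmsstr variables used in the ruleset.
        ts = time.strftime("%b %d %H:%M:%S", time.gmtime(now))
        self.forwarded.append(f"<13>{ts} myhost sec: {desc}")
        return desc


def run_demo():
    """Replay constructed IDS lines against a temporary blacklist file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "badip.txt")
        with open(path, "w") as fh:
            fh.write(BLACKLIST_TEXT)
        bl = Blacklist(path)
        corr = SuppressingCorrelator(bl)
        t0 = 1557770000      # constructed epoch base (2019-05-13 UTC)
        events = [
            (t0,       "May 13 ids IDS src=10.0.0.5 dst=10.1.1.1 attack_name=SQLi"),
            (t0 + 10,  "May 13 ids IDS src=10.0.0.5 dst=10.1.1.2 attack_name=SQLi"),    # repeat, suppressed
            (t0 + 20,  "May 13 ids IDS src=172.16.0.9 dst=10.1.1.1 attack_name=SQLi"),  # not blacklisted
            (t0 + 30,  "May 13 ids IDS src=10.0.0.5 dst=10.1.1.1 attack_name=XSS"),     # new attack name
            (t0 + 301, "May 13 ids IDS src=10.0.0.5 dst=10.1.1.1 attack_name=SQLi"),    # window expired
            (t0 + 302, "May 13 ids kernel: something unrelated"),                       # no match
        ]
        results = [corr.process(line, ts) for ts, line in events]
        # An operator appends an IP to the blacklist; the Calendar-style check picks it up.
        with open(path, "a") as fh:
            fh.write("172.16.0.9\n")
        os.utime(path, (t0, t0 + 600))          # make the mtime change unambiguous
        reloaded = bl.reload_if_changed()
        results.append(corr.process(events[2][1], t0 + 320))  # same IP, now blacklisted
        return results, reloaded, sorted(bl.ips), list(corr.forwarded)
```

Running `run_demo()` shows the two points worth checking against a real SEC instance: the fifth event is forwarded again because 301 seconds is outside the window, and the final event for 172.16.0.9 is forwarded even though its earlier non-blacklisted alert is still inside the window, because the blacklisted rule produces a different desc and therefore a separate correlation operation.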
[Simple-evcorr-users] Correlation Upon Aggregation
Hi Risto

Greetings..!!

I would like to get your suggestions on event correlation upon aggregation. The rule below aggregates events with whitelisting criteria.

---
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load blacklist
action=logonly; delete WL; create WL; \
lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
cevent Whitelist 0 %events

type=Single
ptype=RegExp
pattern=.
context=Whitelist
desc=create a whitelist entry
action=logonly; alias WL WL_$0

type=SingleWithSuppress
ptype=regexp
context=!WL_$2
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
desc=Suppressed $2 Security Alert towards $1
action= pipe '<5>$0' | nc syslog01 514
window=300
---

Now will a "pairwithwindow" rule on top of this help me to achieve correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel IP (which is stored in a file).

Conditions to meet are,
Condition 1: Need to forward Aggregated + Correlated log to external syslog server.
Condition 2: If Correlation is not matching, just the Aggregated log should be forwarded to external syslog server.

Please suggest best practices.

Regards,
Santhosh S
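The original rule above forwards each alert with `pipe '<5>$0' | nc syslog01 514`, which forks a netcat process per event and stamps the message with priority 5. As an added illustration (example code written for this thread, not SEC's udpsock implementation), the Python below decodes the syslog PRI value, builds a BSD-style message of the shape the udpsock-based rules in the reply send, and forwards through a single datagram socket opened once and reused. The receiver is a loopback socket constructed as a stand-in for syslog01:514, and the two alert strings are constructed sample data.

```python
import socket
import time

# RFC 3164 facility and severity codes used below.
FACILITY_KERN, FACILITY_USER = 0, 1
SEVERITY_NOTICE = 5


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity. <13> is user.notice; the <5> in the pipe
    example is kern.notice, which makes the alert look like a kernel message."""
    return facility * 8 + severity


def format_bsd_syslog(pri, hostname, tag, msg, now):
    """Build '<PRI>Mmm dd hh:mm:ss host tag: msg', the shape the udpsock rules emit."""
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime(now))
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


class UdpSyslogForwarder:
    """udpsock-style sender: one datagram socket opened at start and reused for
    every alert, instead of forking an 'nc' process per event."""

    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sent = 0

    def send(self, line):
        # No fork and no new socket per call; sendto on the open socket is all that happens.
        self.sock.sendto(line.encode("utf-8"), self.addr)
        self.sent += 1

    def close(self):
        self.sock.close()


def run_demo():
    """Stand up a loopback receiver (constructed stand-in for syslog01:514),
    forward two constructed alerts through one socket, and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    rx.settimeout(2.0)
    host, port = rx.getsockname()
    fwd = UdpSyslogForwarder(host, port)
    pri = syslog_pri(FACILITY_USER, SEVERITY_NOTICE)
    alerts = [
        "Security Alert SQLi for blacklisted IP 10.0.0.5",
        "Security Alert XSS for non-blacklisted IP 172.16.0.9",
    ]
    received = []
    try:
        for a in alerts:
            fwd.send(format_bsd_syslog(pri, "myhost", "sec", a, now=0))
        for _ in alerts:
            data, _ = rx.recvfrom(4096)
            received.append(data.decode("utf-8"))
    finally:
        fwd.close()
        rx.close()
    return pri, fwd.sent, sorted(received)
```

The socket is created once in the constructor and every `send` is a single `sendto`, which is the property that makes udpsock cheaper than a per-event `pipe` to `nc`; the PRI helper also makes it visible that `<5>` classifies the alert under the kernel facility, whereas `<13>` files it as user.notice.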