Re: [Simple-evcorr-users] Correlation Upon Aggregation

2019-05-13 Thread Santhosh Kumar
Hi Risto

Thanks a lot for detailed explanation!

You are correct about aggregation and your suggestion clarified all the
queries. (|) was a typo. I'll run the tests as suggested and also will
check on cspawn and udpsock. Thanks again for promising sec

Regards,
Santhosh S

On Mon, May 13, 2019, 20:13 Risto Vaarandi  wrote:

> hi Santhosh,
>
> since you are using a SingleWithSuppress rule for aggregation, is my
> understanding correct that the term "aggregation" means generating a syslog
> message on the first matching event and suppressing the following matching
> events for 300 seconds? If so, you don't need the PairWithWindow rule
> but can accomplish your task with the SingleWithSuppress rule that you
> already have in your rulebase. All you need to do is set up a file which
> contains the IP addresses of interest, and load it when SEC starts or the
> file is updated. Here is a simple ruleset that implements this task:
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=load blacklist of bad IP addresses
> action=delete BADIP; create BADIP; \
>    lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
>    cspawn BadIp cat /tmp/badip.txt
>
> type=Calendar
> time=* * * * *
> context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
> if (!defined($temp)) { return 0; } \
> if (!defined($mtime) || $temp != $mtime) \
>   { $mtime = $temp; return 1; } \
> return 0; } )
> desc=reload updated blacklist of bad IP addresses
> action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt
>
> type=Single
> ptype=RegExp
> pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
> context=BadIp
> desc=set up a blacklist entry for IP address $1
> action=alias BADIP BADIP_$1
>
>
> Note that for reading the file with blacklist entries, I have used the
> 'cspawn' action, since it is more efficient and simpler than the combination
> of 'lcall' and 'cevent' in your ruleset.
> Also, I have included an additional Calendar rule which checks the blacklist
> file once a minute and reloads the blacklist if the file modification time
> has changed (the modification time is memorized in the Perl global variable
> $mtime).
>
> Once the blacklist has been loaded, you could use the following
> SingleWithSuppress rules for reacting to the first IDS event observed for a
> specific combination of source IP address and attack name, and suppressing
> the following events for the same combination during 300 seconds:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=BADIP_$1
> desc=Security Alert $2 for blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=!BADIP_$1
> desc=Security Alert $2 for non-blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> Note that the 'pipe' action in your rule example has invalid syntax, since
> there is no pipe (|) symbol between the event string and the external
> command line. Also, it is inefficient to fork a process each time an event
> needs to be sent to the central syslog server, and the 'udpsock' action is a
> much better alternative, since it only sets up a single UDP socket for
> talking to the server (the documentation of the 'udpsock' action actually
> contains an example of communicating with a remote syslog server, and I have
> used it in the above rules).
>
> I hope that above examples are helpful.
>
> kind regards,
> risto
>
> Contact Santhosh Kumar () wrote on Mon, 13 May 2019 at 13:56:
>
>> Hi Risto
>>
>> Greetings..!!
>>
>> I would like to get your suggestions on event correlation upon
>> aggregation. The rule below aggregates events with whitelisting criteria.
>>
>> ---
>> type=Single
>> ptype=RegExp
>> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
>> desc=load blacklist
>> action=logonly; delete WL; create WL; \
>> lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
>> cevent Whitelist 0 %events
>>
>> type=Single
>> ptype=RegExp
>> pattern=.
>> context=Whitelist
>> desc=create a whitelist entry
>> action=logonly; alias WL WL_$0
>>
>> type=SingleWithSuppress
>> ptype=regexp
>> context=!WL_$2
>> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
>> desc=Suppressed $2 Security Alert towards $1
>> action= pipe '<5>$0' | nc syslog01 514
>> window=300
>> ---
>>
>> Now, will a "pairwithwindow" rule on top of this help me achieve
>> correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel
>> IP (which is 

Re: [Simple-evcorr-users] Correlation Upon Aggregation

2019-05-13 Thread Risto Vaarandi
hi Santhosh,

since you are using a SingleWithSuppress rule for aggregation, is my
understanding correct that the term "aggregation" means generating a syslog
message on the first matching event and suppressing the following matching
events for 300 seconds? If so, you don't need the PairWithWindow rule
but can accomplish your task with the SingleWithSuppress rule that you
already have in your rulebase. All you need to do is set up a file which
contains the IP addresses of interest, and load it when SEC starts or the
file is updated. Here is a simple ruleset that implements this task:

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=load blacklist of bad IP addresses
action=delete BADIP; create BADIP; \
   lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
   cspawn BadIp cat /tmp/badip.txt

type=Calendar
time=* * * * *
context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
if (!defined($temp)) { return 0; } \
if (!defined($mtime) || $temp != $mtime) \
  { $mtime = $temp; return 1; } \
return 0; } )
desc=reload updated blacklist of bad IP addresses
action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt

type=Single
ptype=RegExp
pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
context=BadIp
desc=set up a blacklist entry for IP address $1
action=alias BADIP BADIP_$1


Note that for reading the file with blacklist entries, I have used the
'cspawn' action, since it is more efficient and simpler than the combination
of 'lcall' and 'cevent' in your ruleset.
Also, I have included an additional Calendar rule which checks the blacklist
file once a minute and reloads the blacklist if the file modification time
has changed (the modification time is memorized in the Perl global variable
$mtime).

Once the blacklist has been loaded, you could use the following
SingleWithSuppress rules for reacting to the first IDS event observed for a
specific combination of source IP address and attack name, and suppressing
the following events for the same combination during 300 seconds:

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=BADIP_$1
desc=Security Alert $2 for blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=!BADIP_$1
desc=Security Alert $2 for non-blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

Note that the 'pipe' action in your rule example has invalid syntax, since
there is no pipe (|) symbol between the event string and the external
command line. Also, it is inefficient to fork a process each time an event
needs to be sent to the central syslog server, and the 'udpsock' action is a
much better alternative, since it only sets up a single UDP socket for
talking to the server (the documentation of the 'udpsock' action actually
contains an example of communicating with a remote syslog server, and I have
used it in the above rules).

I hope that above examples are helpful.

kind regards,
risto

Contact Santhosh Kumar () wrote on Mon, 13 May 2019 at 13:56:

> Hi Risto
>
> Greetings..!!
>
> I would like to get your suggestions on event correlation upon
> aggregation. The rule below aggregates events with whitelisting criteria.
>
> ---
> type=Single
> ptype=RegExp
> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
> desc=load blacklist
> action=logonly; delete WL; create WL; \
> lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
> cevent Whitelist 0 %events
>
> type=Single
> ptype=RegExp
> pattern=.
> context=Whitelist
> desc=create a whitelist entry
> action=logonly; alias WL WL_$0
>
> type=SingleWithSuppress
> ptype=regexp
> context=!WL_$2
> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
> desc=Suppressed $2 Security Alert towards $1
> action= pipe '<5>$0' | nc syslog01 514
> window=300
> ---
>
> Now, will a "pairwithwindow" rule on top of this help me achieve correlation
> based on the Dst. IP ($1) field from IDS logs with Threat Intel IP (which is
> stored in a file)?
>
> The conditions to meet are:
>
> Condition 1: Need to forward the Aggregated + Correlated log to the external
> syslog server.
>
> Condition 2: If the Correlation does not match, just the Aggregated log
> should be forwarded to the external syslog server.
>
> Please suggest best practices.
>
> Regards,
>
> Santhosh S
>
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users


[Simple-evcorr-users] Correlation Upon Aggregation

2019-05-13 Thread Santhosh Kumar
Hi Risto

Greetings..!!

I would like to get your suggestions on event correlation upon aggregation.
The rule below aggregates events with whitelisting criteria.

---
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load blacklist
action=logonly; delete WL; create WL; \
lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
cevent Whitelist 0 %events

type=Single
ptype=RegExp
pattern=.
context=Whitelist
desc=create a whitelist entry
action=logonly; alias WL WL_$0

type=SingleWithSuppress
ptype=regexp
context=!WL_$2
pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
desc=Suppressed $2 Security Alert towards $1
action= pipe '<5>$0' | nc syslog01 514
window=300
---

Now, will a "pairwithwindow" rule on top of this help me achieve correlation
based on the Dst. IP ($1) field from IDS logs with Threat Intel IP (which is
stored in a file)?

The conditions to meet are:

Condition 1: Need to forward the Aggregated + Correlated log to the external
syslog server.

Condition 2: If the Correlation does not match, just the Aggregated log
should be forwarded to the external syslog server.

Please suggest best practices.

Regards,

Santhosh S
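The following is an added example, not code from this thread and not SEC's own code. It is a small Python model of the logic in Risto's ruleset earlier on the page (blacklist contexts loaded from a file, mtime-based reload from the Calendar rule, and the two SingleWithSuppress rules keyed on source IP and attack name), so that Santhosh's two conditions (forward the first event of a blacklisted source with a "blacklisted" alert, and the first event of any other source with a plain alert, suppressing repeats for 300 seconds) can be checked offline. The class name, the in-memory set standing in for the BADIP_<ip> contexts, the blacklist texts and the IDS lines are all constructed for this example; it formats the syslog line the udpsock action would send but does not open a socket, and it uses UTC where SEC would use local time.

```python
import re
import time
from typing import Dict, List, Optional

# The same event pattern as the two SingleWithSuppress rules in the reply.
IDS_RE = re.compile(r"IDS.*src=([\d.]+).*attack_name=(\S+)")
# The same line pattern as the blacklist-loading Single rule (one IPv4 per line).
IP_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")
WINDOW = 300  # seconds; window=300 in the rules


class BlacklistCorrelator:
    """Hypothetical model of the BADIP_<ip> contexts and the suppress windows."""

    def __init__(self, host: str = "myhost"):
        self.host = host                     # 'myhost' in the udpsock action
        self.badip = set()                   # IPs that currently have a BADIP_<ip> context
        self.mtime: Optional[float] = None   # the Perl $mtime global
        self.windows: Dict[str, float] = {}  # expanded desc -> time the window ends

    def load_blacklist(self, text: str, mtime: float) -> int:
        """'delete BADIP; create BADIP; cspawn BadIp cat <file>' followed by the
        alias rule: every line that is a bare IPv4 address becomes BADIP_<ip>."""
        self.badip = set()  # deleting BADIP removes all of its aliases as well
        for line in text.splitlines():
            m = IP_RE.match(line)
            if m:
                self.badip.add(m.group(1))
        self.mtime = mtime
        return len(self.badip)

    def calendar_tick(self, text: Optional[str], mtime: Optional[float]) -> bool:
        """The once-a-minute Calendar rule: reload only when the file's mtime has
        changed. None models a missing file, where stat() returns nothing."""
        if text is None or mtime is None:
            return False
        if self.mtime is not None and mtime == self.mtime:
            return False
        self.load_blacklist(text, mtime)
        return True

    def process(self, line: str, now: float) -> Optional[str]:
        """Returns the syslog message udpsock would send, or None when the line
        does not match or is suppressed by an open 300-second window."""
        m = IDS_RE.search(line)
        if not m:
            return None
        src, attack = m.group(1), m.group(2)
        # context=BADIP_$1 selects the first rule, context=!BADIP_$1 the second
        kind = "blacklisted" if src in self.badip else "non-blacklisted"
        desc = f"Security Alert {attack} for {kind} IP {src}"
        # SEC keys a SingleWithSuppress operation by the rule's expanded desc
        expiry = self.windows.get(desc)
        if expiry is not None and now < expiry:
            return None
        self.windows[desc] = now + WINDOW
        # %.monstr %.mdaystr %.hmsstr -> e.g. "May 13 20:13:00"; <13> is
        # facility user (1*8) plus severity notice (5)
        ts = time.strftime("%b %d %H:%M:%S", time.gmtime(now))
        return f"<13>{ts} {self.host} sec: {desc}"


# Constructed sample inputs (not taken from the thread).
BLACKLIST_V1 = "10.0.0.5\n# comment lines do not match the IP pattern\n192.168.1.9\n"
BLACKLIST_V2 = "10.0.0.5\n"
SAMPLE_EVENTS = [
    (1000.0, "IDS src=10.0.0.5 dst=10.1.1.1 attack_name=SSH_BRUTE"),
    (1010.0, "IDS src=10.0.0.5 dst=10.1.1.2 attack_name=SSH_BRUTE"),  # suppressed
    (1020.0, "IDS src=172.16.0.7 dst=10.1.1.1 attack_name=SQLI"),
    (1400.0, "IDS src=10.0.0.5 dst=10.1.1.3 attack_name=SSH_BRUTE"),  # window expired
    (1405.0, "kernel: something unrelated"),
]


def run_demo() -> List[str]:
    """Loads the blacklist, feeds the sample events and returns what is forwarded."""
    c = BlacklistCorrelator()
    c.load_blacklist(BLACKLIST_V1, mtime=1.0)
    forwarded = []
    for ts, line in SAMPLE_EVENTS:
        msg = c.process(line, ts)
        if msg is not None:
            forwarded.append(msg)
    return forwarded


if __name__ == "__main__":
    for message in run_demo():
        print(message)
```

Running it forwards three of the five lines: the first SSH_BRUTE event from the blacklisted 10.0.0.5, the SQLI event from the non-blacklisted 172.16.0.7, and the SSH_BRUTE event at t=1400 because the 300-second window opened at t=1000 has already closed. Keying the window on the expanded desc mirrors how the two separate rules in the reply behave when a source is added to or removed from the blacklist file between events.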