Thanks a lot Risto. This is helpful. I am also looking at the paper you have referenced.
Aashish

On Thu, Apr 02, 2009 at 12:27:21PM +0300, Risto Vaarandi wrote:
> Aashish,
>
> this task can be addressed by the following two rules -- the first does
> the counting, but the second ensures by setting a context that each user
> is counted only once. A similar ruleset (although somewhat more complex)
> has also been described in the Hakin9 paper about SEC (see SEC homepage):
>
> type=SingleWithThreshold
> continue=TakeNext
> ptype=RegExp
> pattern=Accepted publickey for (\S+) from (\S+)
> context=!COUNTED_$1
> desc=Count distinct user logins for IP $2
> action=write - three distinct user logins from IP $2
> window=10
> thresh=3
>
> type=Single
> ptype=RegExp
> pattern=Accepted publickey for (\S+) from \S+
> desc=Create "count once" context for user $1
> action=create COUNTED_$1 10
>
> There is only one subtle caveat -- if the counting window needs to be
> moved forward, it will be moved to the next _distinct_ user login. However,
> one could argue that if the first user tried to login repeatedly two
> times without intervening logins from others, we should move the window
> to the second such login -- but we can't, since we have suppressed this
> event in the past with a context. Leaving that question about window
> sliding correctness aside, I think this ruleset probably does what you want.
>
> br,
> risto
>
>
> Aashish Sharma wrote:
> > Hello Josep:
> >
> > Thanks for your reply. I think with your rule, I will also get an alert if
> > the same user logs into the system twice or more in the given window.
> >
> > I am looking for different users logging into the system from the same IP
> > address in a given window AND not alerting for the same user.
> >
> > Hope I clarified my point,
> >
> > Thanks,
> > Aashish
> >
> > On Thu, Apr 02, 2009 at 08:34:22AM +0200, Josep Abenza wrote:
> >> Hi Aashish,
> >>
> >> I think what you need is a SingleWithThreshold rule with the description
> >> being:
> >> 'Accepted publickey from IP $1'
> >>
> >> For example:
> >>
> >> type=SingleWithThreshold
> >> ptype=RegExp
> >> pattern=Accepted publickey for \S+ from (\S+)
> >> desc=Login from IP $1
> >> action=write - two logins from IP $1
> >> window=10
> >> thresh=2
> >>
> >> This way, since your description only includes the IP address, logins from
> >> any user coming from the same IP will be correlated.
> >>
> >> Josep
> >>
> >> On Wed, Apr 1, 2009 at 11:56 PM, Aashish Sharma <[email protected]> wrote:
> >>
> >>> I am trying to define a rule-set which alerts on multiple (> 1) user logins
> >>> from the *same* IP address to one or more systems within a certain duration.
> >>>
> >>>
> >>> Apr 1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from xx.yy.96.100 port 27640 ssh2
> >>> Apr 1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from xx.yy.96.100 port 16361 ssh2
> >>> Apr 1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from xx.yy.96.100 port 16362 ssh2
> >>> Apr 1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from xx.yy.96.100 port 16363 ssh2
> >>>
> >>
> >>
> >> --
> >> IMPORTANT: This e-mail is only for the recipient(s) indicated above and
> >> may contain information that is confidential or unsuitable for overly
> >> sensitive people with low self-esteem, no sense of humour or irrational
> >> religious beliefs. If you are not the intended recipient, distributing or
> >> copying this e-mail is in irritatingly bad taste.
> >>
> >> No animals were harmed in the transmission of this e-mail (although, truth
> >> be told, the neighbour's dog has had one paw in the grave for a while now).
> >> To reassure the followers of Iker J*m*n*z: be aware that reading this
> >> notice backwards will not reveal any hidden message. However, if you draw
> >> a circle of salt around yourself and the computer, you will protect
> >> yourself and your goldfish from any harm.
> >>
> >> If you have received this e-mail in error, please add nutmeg and three egg
> >> whites, mix it all together and bake for forty minutes. Let it cool and
> >> serve with Emmental.
> >>
> >> ------------------------------------------------------------------------------
> >> _______________________________________________
> >> Simple-evcorr-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
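The following is an added example, not code from the thread or from SEC, that implements the detection the thread is after ("N distinct users from one source IP within a window, repeats of the same user not counted") as a small Python detector run over the sshd lines Aashish posted. Assumptions: the syslog year is taken as 2009 (the lines carry none); the masked address xx.yy.96.100 is kept as posted; the default window is 600 seconds rather than the posted rules' window=10, because SEC's window is in seconds and the posted logins are minutes apart, so a 10-second window would never fire on them; and, unlike the two-rule SEC set, a repeat login by an already-counted user refreshes that user's timestamp instead of being suppressed, which avoids the window-sliding caveat Risto describes. The second log block (one user, three logins, 192.0.2.10) is constructed here as the false positive Aashish wanted to avoid.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the four sshd lines posted in the thread, re-joined
# onto single lines (the masked address xx.yy.96.100 is kept as posted).
SAMPLE_LOG = """\
Apr 1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from xx.yy.96.100 port 27640 ssh2
Apr 1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from xx.yy.96.100 port 16361 ssh2
Apr 1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from xx.yy.96.100 port 16362 ssh2
Apr 1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from xx.yy.96.100 port 16363 ssh2
"""

# Constructed negative case: one user logging in three times from one IP within
# seconds, which must NOT alert (the false positive the thread wants to avoid).
SAME_USER_LOG = """\
Apr 1 17:00:01 host-1 sshd[1001]: Accepted publickey for user1 from 192.0.2.10 port 50001 ssh2
Apr 1 17:00:02 host-1 sshd[1002]: Accepted publickey for user1 from 192.0.2.10 port 50002 ssh2
Apr 1 17:00:03 host-2 sshd[1003]: Accepted publickey for user1 from 192.0.2.10 port 50003 ssh2
"""

# Same capture groups as the SEC pattern in the thread (user, source IP), plus the
# syslog timestamp so the window is evaluated on event time, not arrival time.
LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (\S+) from (\S+) port \d+"
)


def parse_login(line, year=2009):
    """Return (timestamp, user, ip) for an sshd publickey login line, else None.

    Syslog lines carry no year, so one is assumed (2009, the year of the thread).
    """
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


class DistinctUserDetector:
    """Alert when at least `thresh` distinct users log in from one IP within `window` seconds.

    A repeat login by an already-counted user is not suppressed: it refreshes that
    user's timestamp, so the trailing window is always measured from each user's
    most recent login. The cost is one timestamp per (ip, user) instead of a
    single counter per IP; the benefit is that no event is ever dropped.
    """

    def __init__(self, window=600, thresh=3):
        self.window = timedelta(seconds=window)
        self.thresh = thresh
        self.last_seen = defaultdict(dict)  # ip -> {user: time of most recent login}
        self.alerted = set()                # IPs already reported for the current burst

    def feed(self, ts, user, ip):
        """Record one login; return an alert string if the threshold is newly crossed."""
        users = self.last_seen[ip]
        users[user] = ts
        cutoff = ts - self.window
        # Age out users whose latest login now falls outside the window.
        for stale in [u for u, seen in users.items() if seen < cutoff]:
            del users[stale]
        if len(users) < self.thresh:
            self.alerted.discard(ip)  # burst is over; allow a future alert for this IP
            return None
        if ip in self.alerted:
            return None  # report each burst once, not once per additional login
        self.alerted.add(ip)
        return (f"{len(users)} distinct user logins from IP {ip} within "
                f"{int(self.window.total_seconds())}s: {', '.join(sorted(users))}")


def scan(text, window=600, thresh=3):
    """Run the detector over a block of log text; return the list of alerts raised."""
    det = DistinctUserDetector(window=window, thresh=thresh)
    alerts = []
    for line in text.splitlines():
        parsed = parse_login(line)
        if parsed is None:
            continue  # not a publickey login line; ignore it
        alert = det.feed(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
    print("same-user alerts:", scan(SAME_USER_LOG))
```

Running `scan(SAMPLE_LOG)` with the defaults raises exactly one alert, on the user3 line, naming user1, user2 and user3; `scan(SAMPLE_LOG, window=10)` raises none, which is why the posted rules' window value matters as much as the threshold; and `scan(SAME_USER_LOG)` raises none because three logins by one user are one distinct user.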
