This performs exactly as advertised (Thanks, Rocky!). My syslog is now
filled with lines that look like this:
Apr 15 10:48:16 ldaphost sec.pl[15505]: [conn=14943191] authentication succeeded from IP address 1.1.1.3 for user username1
Apr 15 10:48:16 ldaphost sec.pl[15505]: [conn=14943191] authentication succeeded from IP address 1.1.1.3 for user username1
The only problem remaining is that each event shows up in syslog
twice. I can't figure out why. The logonly actions work correctly at
stdout, but syslog sees two copies of the message. I'm including my
current ruleset below for discussion.
(By way of explanation, LDAP_CONN_$1 indicates that a connection is
detected. The LDAP_CONN_$1_UID context is set when an LDAP BIND with a
uid is detected (i.e. the second rule). The intent is to prevent the
success/failure rules from firing unless we're actually trying to
authenticate, as opposed to search or something else.)
=====
# notice the beginning of a connection: create a context named for the
# conn#, record the source ip, and start the per-connection message.
type=Single
continue=DontCont
ptype=RegExp
pattern=\[[^ ]+ .*\] conn=(\d+) .* LDAP connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
desc=[conn=$1] LDAP session opened from $2
action=create LDAP_CONN_$1 600;\
add LDAP_CONN_$1 LDAP_CONN=$1;\
add LDAP_CONN_$1 LDAP_IP=$2;\
eval %ip_msg ( $ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )

# notice a BIND with a uid: set the _UID context so the success/failure
# rules below can fire, and append the user to the message.
type=Single
continue=DontCont
ptype=RegExp
pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session uid is $2
action=create LDAP_CONN_$1_UID;\
add LDAP_CONN_$1 LDAP_UID=$2;\
eval %uid_msg ( $ldap_conn{$1} .= " for user $2 "; return $ldap_conn{$1}; )

# every other event on a known connection passes through to the rules below.
type=Single
continue=TakeNext
ptype=RegExp
pattern=conn=(\d+)
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session event for $1
action=none

# catch an authentication failure (err=49) after a uid BIND.
type=Single
ptype=RegExp
pattern=conn=(\d+).*RESULT err=49
context=LDAP_CONN_$1_UID
desc=[conn=$1] LDAP authentication failed
action=add LDAP_CONN_$1 LDAP_RESULT=failed;\
eval %failure_msg ( my $msg = "[conn=$1] (sec) authentication failed $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg; );\
logonly;\
delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID

# catch an authentication success (err=0) after a uid BIND.
type=Single
ptype=RegExp
pattern=conn=(\d+).*RESULT err=0
context=LDAP_CONN_$1_UID
desc=[conn=$1] LDAP authentication succeeded
action=add LDAP_CONN_$1 LDAP_RESULT=succeeded;\
eval %success_msg ( my $msg = "[conn=$1] (sec) authentication succeeded $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg; );\
logonly;\
delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID

# catch the end of the connection: delete both contexts.
type=Single
ptype=RegExp
pattern=conn=(\d+) .* - closing -
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session closed
action=delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID
--
Don Faulkner
[email protected]
On Apr 15, 2009, at 9:34 AM, Mills, Rocky wrote:
> Instead of adding values to a context you could save the values in a
> Perl hash, formatting as you go along.
>
> For example (not tested):
>
> Rule action collecting IP per connection:
> action=eval %ip_msg ($ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )
>
> Rule action collecting UID per connection (notice the concatenation
> period before the '=' sign):
> action=eval %uid_msg ($ldap_conn{$1} .= " per user $2"; return $ldap_conn{$1}; )
>
> Success rule action:
> action=eval %success_msg (my $msg = "conn=$1 authentication succeeded $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
>
> Failure rule action:
> action=eval %failure_msg (my $msg = "conn=$1 authentication failed $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
>
> You'd save the preferred log's timestamp somewhere in there.
>
> Regards,
> Rock
>
>
> From: Don Faulkner [mailto:[email protected]]
> Sent: Monday, April 13, 2009 12:58 PM
> To: [email protected]
> Subject: [Simple-evcorr-users] detecting LDAP authentication
> failures (long)
>
> Good morning all.
>
> I'm working with an older version of an LDAP server that doesn't
> support syslog in any form. As a result I'm having to read through
> the LDAP server's access logs. I'm trying to detect successful &
> failed authentication attempts and then write an event to syslog (so
> our central loghost can read it).
>
> What I want out are syslog entries that look more or less like this:
>
> Mar 7 04:30:50 ldap-server ldap: [conn=14758663] Authentication succeeded for username1 from 1.1.1.2
> Mar 7 04:43:43 ldap-server ldap: [conn=14758706] Authentication failed for username2 from 1.1.1.3
>
>
> Here's my problem. I can find the conn#, the ip, the username, and
> detect success/failure. I'm currently doing that by dumping all that
> info into a context in NAME=value pairs. To write it out, I've had
> to call an external perl script to parse the context dump and return
> a reasonable one-line string. There has to be a better way.
>
> I'd appreciate any advice. Below, I've listed a sample success &
> failure, as well as the rules I'm currently using.
>
> ======
>
>
> Here's a successful authentication (note that err=0):
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=5 - UNBIND
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
> [07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - closed.
>
> Here's an unsuccessful authentication (note that err=49):
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - BIND dn="" method=128 version=3
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username2)" attrs=ALL
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=5 - UNBIND
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
> [07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - closed.
>
>
> I've almost got this. Here's the ruleset so far:
>
> # notice the beginning of a connection.
> # create a context named for the conn#, add timestamp and source ip.
> type=single
> continue=takenext
> ptype=regexp
> pattern=\[([^ ]+) .*\] conn=(\d+) .* LDAP connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
> desc=LDAP session opened from $3
> action=create ldap_conn_$2;\
> add ldap_conn_$2 LDAP_STAMP=$1;\
> add ldap_conn_$2 LDAP_IP=$3;
>
> # notice the bind attempt, add the uid to the context.
> type=single
> continue=takenext
> ptype=regexp
> pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
> context=ldap_conn_$1
> desc=LDAP session $1 uid is $2
> action=add ldap_conn_$1 LDAP_UID=$2;
>
> # catch an authentication failure.
> type=single
> continue=takenext
> ptype=regexp
> pattern=conn=(\d+).*RESULT err=49
> context=ldap_conn_$1
> desc=LDAP connection $1 has bad credentials
> action=report ldap_conn_$1 $HOME/bin/ldap-bad-auth.pl
>
>
> # catch the rest
> type=single
> continue=takenext
> ptype=regexp
> pattern=conn=(\d+)
> context=ldap_conn_$1
> desc=LDAP session event for $1
> action=none
>
> # catch the end of the connection. delete the context
> type=single
> ptype=regexp
> pattern=conn=(\d+) .* - closing -
> context=ldap_conn_$1
> desc=LDAP session closed for $1
> action=delete ldap_conn_$1
>
>
> --
> Don Faulkner
> [email protected]
>
>
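The correlation the thread builds out of SEC contexts (one state record per conn=, a uid recorded at BIND time, and an event emitted at the bind's RESULT), written out as a stand-alone Python correlator and run over the access-log lines quoted above. This is an added example, not code from the thread and not part of SEC. It goes one step beyond the rules in the thread: each RESULT is matched to the BIND with the same op= number, so a RESULT belonging to a SRCH or anonymous bind on the same connection can never be taken for the uid bind's result, and the pending entry is removed when the event is emitted, so each bind op produces exactly one event. Assumptions that are mine rather than the thread's: err=0 is success and any other err is a failed bind (the thread only shows err=49, which is LDAP invalidCredentials); connections whose opening line was not seen are still reported, with the source IP shown as unknown; the class, function and regex names are hypothetical, and the sample log is constructed from the two connections quoted above.

```python
# Added example, not code from the thread or from SEC: a stand-alone correlator
# for the LDAP access-log format quoted above. It keeps state per conn= like the
# SEC contexts do, but ties each RESULT to the BIND with the same op= number,
# so only the bind's own RESULT can produce an authentication event.
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$"
)
CONNECT_RE = re.compile(r"LDAP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
UID_RE = re.compile(r"^uid=(?P<uid>[^,]+),", re.IGNORECASE)
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")
LDAP_INVALID_CREDENTIALS = 49  # LDAP result code invalidCredentials (the err=49 in the thread)


@dataclass
class AuthEvent:
    ts: str  # access-log timestamp of the bind's RESULT line
    conn: str
    uid: str
    ip: str
    err: int

    @property
    def succeeded(self) -> bool:
        return self.err == 0

    def message(self) -> str:
        """One line in the shape the thread wants to hand to syslog."""
        outcome = "succeeded" if self.succeeded else f"failed (err={self.err})"
        return f"[conn={self.conn}] authentication {outcome} for user {self.uid} from {self.ip}"


@dataclass
class _ConnState:
    ip: str = "unknown"
    pending_binds: dict = field(default_factory=dict)  # op number -> uid awaiting its RESULT


class LdapAuthCorrelator:
    def __init__(self) -> None:
        self._conns: dict[str, _ConnState] = {}

    def feed(self, line: str) -> AuthEvent | None:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            return None  # not an access-log line
        conn, op, rest = m["conn"], int(m["op"]), m["rest"]

        cm = CONNECT_RE.search(rest)
        if cm:
            self._conns[conn] = _ConnState(ip=cm["ip"])
            return None
        # A connection opened before the part of the log we are reading is still
        # tracked (with an unknown source IP) rather than having its binds dropped.
        state = self._conns.setdefault(conn, _ConnState())

        bm = BIND_RE.match(rest)
        if bm:
            um = UID_RE.match(bm["dn"])
            if um:  # anonymous binds (dn="") and non-uid DNs never become events
                state.pending_binds[op] = um["uid"]
            return None

        rm = RESULT_RE.match(rest)
        if rm and op in state.pending_binds:
            # pop() means exactly one event per bind op, even if the RESULT line
            # is fed twice (for example when a rotated log is replayed).
            uid = state.pending_binds.pop(op)
            return AuthEvent(ts=m["ts"], conn=conn, uid=uid, ip=state.ip, err=int(rm["err"]))

        if rest.startswith(("closing", "closed")):
            self._conns.pop(conn, None)  # connection gone: free its state
        return None


def correlate(lines) -> list[AuthEvent]:
    """Run every line through one correlator and collect the events it emits."""
    correlator = LdapAuthCorrelator()
    return [ev for ev in map(correlator.feed, lines) if ev is not None]


def _conn_log(ts: str, conn: str, fd: int, ip: str, uid: str, err: int) -> list[str]:
    """Constructed sample: the connection pattern quoted in the thread (anonymous
    bind, search, then a uid bind whose RESULT carries err)."""
    p = f"[{ts}] conn={conn}"
    return [
        f"{p} op=-1 msgId=-1 - fd={fd} slot={fd} LDAP connection from {ip} to 1.1.1.1",
        f'{p} op=0 msgId=1 - BIND dn="" method=128 version=3',
        f'{p} op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
        f'{p} op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid={uid})" attrs=ALL',
        f"{p} op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0",
        f"{p} op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2",
        f'{p} op=3 msgId=4 - BIND dn="uid={uid},ou=myou,o=domain.com" method=128 version=3',
        f"{p} op=3 msgId=4 - RESULT err={err} tag=97 nentries=0 etime=0",
        f"{p} op=4 msgId=5 - UNBIND",
        f"{p} op=4 msgId=-1 - closing - U1",
        f"{p} op=-1 msgId=-1 - closed.",
    ]


SAMPLE_LOG = (_conn_log("07/Mar/2009:04:31:50 -0600", "14758663", 53, "1.1.1.2", "username1", 0)
              + _conn_log("07/Mar/2009:04:43:43 -0600", "14758706", 91, "1.1.1.3", "username2", 49))

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev.message())
```

Run against the sample it prints one success line for conn=14758663 and one failure line for conn=14758706; the anonymous bind's RESULT and the SRCH RESULT on each connection produce nothing because no pending bind exists for their op= numbers. Keying on op= rather than on "any RESULT after the uid BIND" is the property worth carrying back into a SEC ruleset: it removes the dependence on rule ordering and on the client sending its operations in the order the quoted log happens to show.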
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users