hi all,
I'd like to return to a topic recently discussed in the mailing list.
I am in the process of implementing pattern match caching for SEC, and 
it is really hard to decide which way is the best one. Currently, I have 
already implemented a separate Parse rule for this purpose. For example,

type=Parse
ptype=RegExp
pattern=sshd\[(?'pid'\d+)\]: Failed (?'auth'\w+) for (?'user'[\w.-]+) from (?'ip'[\d.]+)
continue=TakeNext
dpat=sshd-login-failure

would create a new dynamic pattern sshd-login-failure, and this pattern 
could be reused by the following rules:

type=SingleWithThreshold
ptype=dynamic
pattern=sshd-login-failure
continue=TakeNext
desc=3 login failures for user $+{user}
action=write - %s
thresh=3
window=60

type=SingleWithThreshold
ptype=dynamic
pattern=sshd-login-failure
continue=TakeNext
desc=3 login failures from IP address $+{ip}
action=write - %s
thresh=3
window=60

The above two rules would only look into a pattern match cache that is 
reinitialized each time a new line is read from input. If an entity with 
a given name is found in the match cache, the rule pattern matches and 
match variables from the cache are used.

However, there are also different scenarios to consider:

2) implement a separate parameter for the 'varmap' field, e.g.,
varmap=sshd-login-failure;pid=1;auth=2;user=3;ip=4
would create an entity sshd-login-failure in the match cache with given 
match variables. An advantage of this approach is that no separate Parse 
rule is needed. On the other hand, a separate rule makes things clearer. 
Also, 'varmap' would create a cache entity even if the rule context 
expression evaluates false -- which is sometimes beneficial, but 
sometimes might be confusing.

3) use a separate action -- however, actions can also be triggered by 
system clock and not by input line, thus there are no match variables as 
such to cache. Even more, the next input line would immediately 
reinitialize the cache which is again somewhat confusing.

I'd like to hear the opinions of other list members on which way (and why) 
is the clearest one and the easiest to use.

kind regards,
risto

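As an added example (not code from this post, from the quoted thread, or from SEC itself), the following Python model shows the mechanics of the proposed match cache: one Parse-style regex is evaluated once per input line into a cache keyed by the dynamic pattern name, the cache is reinitialized for every line, and two threshold rules (per user and per IP address) consume the cached named captures instead of re-running the regex. This is also the situation in the quoted rule pair below, where an accumulating rule and a reporting rule currently have to repeat the same pattern. Python's `(?P<name>)` syntax stands in for the `(?'name')` form used in the post; the sample log lines, their timestamps, and the simplified "fire once, then reset" threshold behaviour are constructed assumptions rather than SEC semantics.

```python
import re
from collections import defaultdict, deque

# Constructed input: (seconds since start, log line). Not taken from the list post.
SAMPLE_INPUT = [
    (0,   "sshd[4011]: Failed password for alice from 10.0.0.5"),
    (5,   "sshd[4012]: Failed password for bob from 10.0.0.5"),
    (9,   "sshd[4013]: Accepted password for alice from 10.0.0.9"),
    (12,  "sshd[4014]: Failed password for alice from 10.0.0.7"),
    (20,  "sshd[4015]: Failed publickey for carol from 10.0.0.5"),
    (30,  "sshd[4016]: Failed password for alice from 10.0.0.8"),
    (100, "sshd[4017]: Failed password for dave from 10.0.0.5"),
]

# Model of the proposed Parse rule: (dpat name, regex with named captures).
PARSE_RULES = [
    ("sshd-login-failure",
     re.compile(r"sshd\[(?P<pid>\d+)\]: Failed (?P<auth>\w+) for "
                r"(?P<user>[\w.-]+) from (?P<ip>[\d.]+)")),
]

# Model of the proposed ptype=dynamic threshold rules:
# (dpat name to look up in the cache, desc template, thresh, window in seconds).
THRESHOLD_RULES = [
    ("sshd-login-failure", "3 login failures for user {user}", 3, 60),
    ("sshd-login-failure", "3 login failures from IP address {ip}", 3, 60),
]


def run_parse_rules(line, parse_rules=PARSE_RULES):
    """Build the per-line match cache: dpat name -> dict of named captures.

    Every regex is evaluated exactly once per line, no matter how many
    consumer rules later look the result up.
    """
    cache = {}
    for dpat, regex in parse_rules:
        m = regex.search(line)
        if m:
            cache[dpat] = m.groupdict()
    return cache


def process(events, parse_rules=PARSE_RULES, threshold_rules=THRESHOLD_RULES):
    """Feed (time, line) events through the rules.

    Returns (alerts, stats): alerts is a list of (time, desc) in firing order,
    stats counts regex evaluations versus cache lookups to show the saving.
    """
    # One sliding window per (rule, desc instance), i.e. per user or per IP.
    state = defaultdict(deque)
    alerts = []
    stats = {"regex_evals": 0, "cache_lookups": 0}
    for t, line in events:
        cache = run_parse_rules(line, parse_rules)   # reinitialized per line
        stats["regex_evals"] += len(parse_rules)
        for i, (dpat, desc_tmpl, thresh, window) in enumerate(threshold_rules):
            stats["cache_lookups"] += 1
            captures = cache.get(dpat)
            if captures is None:
                continue                        # no cache entry: rule does not match
            desc = desc_tmpl.format(**captures)  # $+{user} / $+{ip} from the cache
            q = state[(i, desc)]
            q.append(t)
            while q and q[0] <= t - window:       # drop events outside the window
                q.popleft()
            if len(q) >= thresh:
                alerts.append((t, desc))
                q.clear()                         # simplified: fire once, then reset
    return alerts, stats


if __name__ == "__main__":
    found, counters = process(SAMPLE_INPUT)
    for when, text in found:
        print(f"t={when:>3}s  {text}")
    print(counters)
```

Run as a script it prints the two alerts (the IP alert at t=20s, the user alert at t=30s) and the counters: 7 regex evaluations for 14 cache lookups, which is the point of the cache when several correlation rules share one pattern.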
On 01/21/2011 01:25 AM, Mark D. Nagel wrote:
> On 1/20/2011 12:40 PM, Morris, Patrick wrote:
>> On 1/20/2011 11:26 AM, Morris, Christopher wrote:
>>>
>>> type=SingleWithThreshold
>>> continue=takenext
>>> ptype=RegExp
>>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>> desc=Liberty at host:port $1 reporting $2
>>> action=report liberty_$1 /usr/bin/mailx -s "%s" [email protected]
>>> [email protected]; \
>>>         delete liberty_$1
>>> window=21600
>>> thresh=20
>>>
>>> type=single
>>> ptype=regexp
>>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>> desc=Liberty error messages
>>> action=add liberty_$1 $0
>>>
>>
>> I may be missing something, but I don't see that you're actually doing
>> anything with the context you're adding to in rule #2.  If it's not
>> used for anything, then you're right: it's redundant.  It looks to me
>> like all your work's being done in the first rule, and the second is
>> just saving a value that's never used anywhere.
>
> No, it is used -- the first rule reports and removes the context when
> the threshold condition is met, and the second is an accumulator.  I
> have similar rule pairs in our rulesets and I don't think you have much
> of a choice.  You need one rule to keep adding the data and one to
> report it.  If there is a way to do that all in one to avoid repeating the
> pattern, love to hear how!
>
> Mark
>
> --
> Mark D. Nagel, CCIE #3177<[email protected]>
> Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
> cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854
>
> *** Please send support requests [email protected]! ***
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
