Risto,
The first solution is good. I have just integrated it!
I was playing with a perl function, but I am not a perl developer. I
have changed the code:
type=EventGroup
init=create COUNTING_$2
end=delete COUNTING_$2
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /.* logger: ([^\t]*)\t([^\t-]*)\t([^\t]*)\t([^\t]*)/ ) { \
return ($1, lc($2)); } else { return 0;} }
context=!$1_COUNTED_FOR_$2
count=alias COUNTING_$2 $1_COUNTED_FOR_$2 ; \
write result/$2.ip %t $1 ;
desc=3 logins from different IPs for $2
action=pipe 'envoiMail' /root/sendMail10.pl $2 ;
window=3600
thresh=3
Is there a way, with a context, to write the result in result/$2.ip only
when we have got 3 different IPs?
I think I can do the same with this perl func (I have to learn more
about playing with perl):
count=lcall %ret $2 $1 -> ( sub { use Data::Dumper; \
$ucountsIP{$_[0]}->{$_[1]} = 1; print Dumper($ucountsIP{$_[0]}); } );
// This one is not a perl function ;)
end=lcall %ret $2 -> ( sub { my $user = $_[0]; \
open(my $fh, '>>', "result/$user.ip") or return 0; \
print $fh "$_\n" for keys %{ $ucountsIP{$user} }; \
close($fh); delete $ucountsIP{$user}; return 1; } );
All I want to do, SEC can do it, it's brilliant.
Thanks a lot!
Ludovic.
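The hash-based variant of the check discussed in this thread, as an added example that is not part of the thread and not SEC's own code: a stand-alone Perl script that keeps one hash per user name (IP to latest login time), expires entries older than the window before counting, and reports an alert only on the event that brings the number of distinct IPs to exactly the threshold. The names check_login and run_sample, the %seen hash and the epoch timestamps in the sample are assumptions made for this example; the sample lines are constructed after Ludovic's.

```perl
#!/usr/bin/perl
# Added example (not from the thread, not SEC's own code): a stand-alone
# simulation of the "3 distinct IPs per user inside a 3600 s window" check
# using the per-user Perl hash approach Risto describes. The names
# check_login, run_sample and %seen, and the timestamps below, are assumptions
# made for this example.
use strict;
use warnings;

my $WINDOW = 3600;   # same as window=3600 in the rule
my $THRESH = 3;      # same as thresh=3 in the rule

# $seen{user}{ip} = epoch time of the latest login from that IP
my %seen;

# Record one login. Returns 1 exactly when this event makes the user's set of
# distinct IPs inside the window equal to the threshold, otherwise 0.
sub check_login {
    my ($user, $ip, $now) = @_;
    # Expire IPs whose latest login is older than the window, so the count is
    # taken over a sliding window and does not suffer the inaccuracy of the
    # context-based rule.
    for my $old (keys %{ $seen{$user} || {} }) {
        delete $seen{$user}{$old} if $now - $seen{$user}{$old} > $WINDOW;
    }
    my $is_new = !exists $seen{$user}{$ip};   # repeat IPs never count twice
    $seen{$user}{$ip} = $now;
    my $distinct = scalar keys %{ $seen{$user} };
    # "equals" rather than ">=": alert on the completing event only, not on
    # every further login once the threshold has been passed.
    return ($is_new && $distinct == $THRESH) ? 1 : 0;
}

# Constructed sample input modelled on Ludovic's lines: [epoch, ip, user].
my @events = (
    [1000, '10.0.0.1', 'login'],
    [1100, '10.0.0.2', 'login'],
    [1200, '10.0.0.1', 'login'],   # repeat IP, must not count
    [1300, '10.0.0.6', 'login'],   # third distinct IP: alert
    [1400, '1.1.1.1',  'login2'],
    [1500, '2.2.2.2',  'login2'],  # only two distinct IPs: nothing
    [5000, '10.0.0.7', 'login'],   # the three earlier IPs have expired
);

# Feed the sample through the check and return the list of alerts raised.
sub run_sample {
    my @alerts;
    for my $e (@events) {
        my ($ts, $ip, $user) = @$e;
        push @alerts, "$ts $user" if check_login($user, $ip, $ts);
    }
    return @alerts;
}

print "alert: $_\n" for run_sample();
```

Run stand-alone, the script raises one alert, for the 'login' user at the fourth line, and none for 'login2' or for the late 'login' event whose earlier IPs have dropped out of the window. The body of check_login is the part that would go into a SEC 'lcall %ret $2 $1 -> ( sub { ... } )' of the form already used in this thread, with %ret then carrying the 0/1 result; the file write and the mail action are left out of the example on purpose.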
On 21/06/2011 16:35, Risto Vaarandi wrote:
> Ludovic,
>
> if you are willing to tolerate a slight inaccuracy, the following fairly
> simple rule could do:
>
> type=EventGroup
> init=create COUNTING_$2
> end=delete COUNTING_$2
> ptype=RegExp
> pattern=([\d.]+) (\w+)
> context=!$1_COUNTED_FOR_$2
> count=alias COUNTING_$2 $1_COUNTED_FOR_$2
> desc=3 logins from different IPs for $2
> action=write - %s
> window=3600
> thresh=3
>
> This rule will trigger a counting operation for the user name when a
> login for it has been seen. The operation will produce an alert if for
> the same user name, three logins from different IPs have been observed.
> After a login from an IP has been seen for the given user name, the
> context name ipaddress_COUNTED_FOR_username will be created with the
> 'alias' action, and the presence of this context name will ensure that
> further login events for this IP will no longer match (because of
> context=!$1_COUNTED_FOR_$2). The context names created during event
> correlation are alias names to the COUNTING_username context, which is
> created when the operation is initialized, and removed when the operation
> terminates.
>
> The inaccuracy I was talking about can happen when the window slides
> forward -- it will be moved to the next event matched by the operation,
> but there might have been events not matched due to the 'context' field.
> However, to be *entirely* precise, the window should be moved to such a
> previously suppressed event instance.
>
> Of course, there is a way out, although somewhat more complex -- instead
> of setting up a context name, you could create an element in a Perl hash
> with the 'count' field, have the 'multact' field set to 'yes', and run the
> alerting action through Perl code. In the code, you can check the number
> of hash elements, and alert only if the number equals the threshold.
>
> One thing that the future releases of SEC might have is an opportunity
> to do such simple branching (and perhaps looping) explicitly in the
> 'action' field, e.g.,
>
> action=eval %o (++$i == 10); if %o (write - %s)
>
> HTH,
> risto
>
>
> On 06/21/2011 03:03 PM, Ludovic Hutin wrote:
>> Hi,
>>
>> I got another problem with this simple example.
>>
>> I got entries like this:
>> 10.0.0.1 login
>> 10.0.0.2 login
>> 10.0.0.1 login
>> 10.0.0.6 login => Send an alert.
>> 1.1.1.1 login2
>> 2.2.2.2 login2 => do nothing.
>>
>> etc...
>>
>> I want to send an alert if a login is detected from 3 different IPs
>> in a window of 1 hour.
>>
>> I tried with 3 SingleWithSuppress rules but I don't know how to link the
>> different rules.
>> I am sure I will have to write a small perlfunc :(
>>
>> Sorry for this (stupid ?) question,
>>
>> Ludovic.
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>