I am trying to instrument sections on our network where various protocol chat dialog is missing. In the attached example case, I am looking at DHCP, and the transition between the broadcast discovery and the actual leasing. That is to say, the client did hear an OFFER and emit a REQUEST.

I am trying to trigger or arm a notice once the loss becomes greater than say 20 losses within an hour for a particular server/ip/mac tuple, and disarm once there have been zero losses within an hour.

I wrote a config and something seems wrong. It takes about 40-50 some events to trigger the 'repeated loss' event within an hour. The whole process seems spongy. I send in 20 events rapid fire, and I receive 12 events signalling loss. Can you all recommend a config that would be more responsive and more deterministic?

--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

+1 612 626-7884 (desk)

# DNS Intercepts are inserted using 'iblox-dns'.  The 'iblox-dns' creates
# the authoritative DNS servers and forwarding maps for the recursive servers.
# When a zone is inserted, the comment contains the agreed upon date for
# expiration, and a ticket number for the incident that caused the insertion.
#
# //
# // DNS Intercept expire 11/17/2010 IM195950
# zone "accountupdate2009.com" {
#         type forward;
#         forward only;
#         forwarders {
#                 128.101.101.1;  //ns-auth-1.umn.edu
#                 128.101.101.9;  //ns-auth-2.umn.edu
#         };
# };

#
# Use the Calendar rule to extract zones that are expiring today and next week.
# The Spawn action places STDOUT onto the event stream.
#
type=Calendar
time=0 3 * * *
desc=zone expirations
action=spawn /usr/local/nts/sec/bin/ZoneExpire

#
# The zones that expire today are notified.  We could use the iblox-dns command 
# to delete, but for now we just notify.
#
# If you want to use the iblox-dns to delete, you need to have your credentials
# arranged, either in .netrc, or passed via the command line.
# action=spawn /usr/local/nts/bin/iblox-dns -delete -name $3 <credentials>
#
type=Single
ptype=RegExp
pattern=expires today (\S+) incident (\S+) zone (\S+)
desc=zone expires today
action=logonly %s $1 incident $2 zone $3 ; \
       spawn /home/peiffer/ghome/sec-2.4.2/TIM/SCNotify \
        -name "peiffer\@umn.edu" \
        -contact "peiffer\@umn.edu" \
        -title "DNS intercepts expired " \
        -text "DNS Zone $3 was installed by ticket $2 and has been expired.  Please delete $3"

#
# The zones that expire next week are notified. OITSec has one week to reset the
# expiration date.
#
type=Single
ptype=RegExp
pattern=expires nextweek (\S+) incident (\S+) zone (\S+)
desc=zone expires nextweek
action=logonly %s $1 incident $2 zone $3 ; \
       spawn /home/peiffer/ghome/sec-2.4.2/TIM/SCNotify \
        -name "abuse\@umn.edu" \
        -contact "peiffer\@umn.edu" \
        -title "DNS intercepts expiring " \
        -text "DNS Zone $3 was installed by ticket $2 and is expiring next week.  Please confirm whether the intercept is still required.  If so, please adjust the expiration date. If no action is done to change the date, the intercept will be deleted by the close of business on the assigned date (7 days from now)."
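The arm/disarm behaviour asked for in the opening paragraph (arm at 20 losses within an hour per server/ip/mac tuple, disarm after an hour with zero losses) is what SEC's SingleWith2Thresholds rule expresses directly. The rules below are an added example, not the config from the original post: the input line format `DHCP loss server=... ip=... mac=...`, the synthetic event names, and the reuse of the SCNotify path and addresses from the zone rules are all assumptions. The desc field carries the tuple, because SEC keeps one counting operation per distinct desc string; a desc without the tuple would make every tuple share a single counter.

```sec
# Assumed input line (constructed for this example), emitted by whatever
# upstream rule detects a missing DHCP REQUEST after an OFFER:
#   DHCP loss server=10.0.0.1 ip=10.0.5.23 mac=00:11:22:33:44:55
#
# Arm: thresh events for this tuple inside a sliding window of 3600 s.
# Disarm: after arming, fewer than thresh2 (i.e. zero) events for this
# tuple during the following window2 seconds.
type=SingleWith2Thresholds
ptype=RegExp
pattern=DHCP loss server=(\S+) ip=(\S+) mac=(\S+)
desc=DHCP repeated loss server $1 ip $2 mac $3
action=event DHCP_LOSS_ARMED server=$1 ip=$2 mac=$3
window=3600
thresh=20
desc2=DHCP loss cleared server $1 ip $2 mac $3
action2=event DHCP_LOSS_CLEARED server=$1 ip=$2 mac=$3
window2=3600
thresh2=1

# Notify once per arming; the generated event re-enters the event stream,
# so a plain Single rule picks it up. Path and addresses are assumed.
type=Single
ptype=RegExp
pattern=DHCP_LOSS_ARMED server=(\S+) ip=(\S+) mac=(\S+)
desc=notify repeated DHCP loss server $1 ip $2 mac $3
action=logonly %s ; \
       spawn /home/peiffer/ghome/sec-2.4.2/TIM/SCNotify \
        -name "peiffer\@umn.edu" \
        -contact "peiffer\@umn.edu" \
        -title "Repeated DHCP loss " \
        -text "Server $1 ip $2 mac $3 had 20 or more DHCP OFFER/REQUEST losses within the last hour"

# Log the all-clear so the disarm is visible in the SEC log as well.
type=Single
ptype=RegExp
pattern=DHCP_LOSS_CLEARED server=(\S+) ip=(\S+) mac=(\S+)
desc=DHCP loss cleared server $1 ip $2 mac $3
action=logonly %s
```

Because the first window is sliding, 20 losses sent rapid fire for one tuple reach the threshold on the 20th matching line; a second arming for the same tuple cannot happen until the disarm (zero losses in an hour) has fired and the operation has been torn down.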


Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users