In message <[email protected]>,
"Eric V. Smith" writes:
>On 06/04/2013 08:37 AM, termo meter wrote:
>> I have a question on how SEC does pattern matching.
>>
>> For example I have the below logs from my firewall:
>>
>> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>> [...]
>> Let's say I want to capture only denied logs, protocol icmp, and from
>> this IP address 10.10.0.63 only.
>>
>> When i use this conf:-
>>
>> type=Single
>> ptype=RegExp
>> pattern=Deny\s\S+ icmp
>> desc=$0
>> action=write output.txt $0
>>
>> it will capture these logs:-
>>
>> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
>> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
>> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>
>> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
>> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
>> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>>
>> How can I set SEC to capture logs only from specific IP addresses?
>
>Include the address in your regular expression. Something like (untested):
>
>pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63
If you have a lot of addresses or you need to change them on a regular
basis, you can create and delete contexts on the fly to make this more
dynamic.
pattern=Deny\s\S+ icmp src outside:([0-9.]+)
context= report_host_$1
...
so by defining a context named:
report_host_10.10.0.63
this rule will trigger. If your list is relatively static, you can
define your contexts on sec startup using:
type = single
desc = startup security contexts
ptype= regexp
pattern= SEC_STARTUP|SEC_RESTART
context= SEC_INTERNAL_EVENT
action = create report_host_10.10.0.63; \
create report_host_10.10.0.64 ;\
create report_host_10.10.0.65
and start sec using the -intevents option to get the SEC_STARTUP or
SEC_RESTART events generated.
If you want to create/delete contexts on the fly see:
http://www.cs.umb.edu/~rouilj/sec/rulesets
The readme describes how to use a control file along with the
01control.sr file to dynamically change the existing contexts by
submitting events/commands like:
delete report_host_10.10.0.63
create report_host_10.10.0.63
using:
echo 'create report_host_10.10.0.63' >> control
to generate the events.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
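As an added illustration (Python, not SEC itself and not code from this thread), the logic of the context-gated rule above: a stream of create/delete commands maintains the set of report_host_ contexts, and a deny line only counts when the captured source address has one. The pattern is an assumption modelled on the reply's rule; it anchors on "src" so the capture group is the source address, since a greedy ".*outside:" would otherwise back into the dst address. The log lines and control commands are constructed.

```python
import re

# Assumed pattern, modelled on the reply's rule: "src" anchors the match so
# the capture group is the source address (a bare ".*outside:" would let the
# greedy ".*" hand back the dst address instead).
DENY_ICMP = re.compile(r"Deny\s\S+ icmp src outside:([0-9.]+)")


def apply_control(contexts, control_lines):
    """Emulate the control file: each line is 'create NAME' or 'delete NAME'."""
    for line in control_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # ignore malformed commands
        verb, name = parts
        if verb == "create":
            contexts.add(name)
        elif verb == "delete":
            contexts.discard(name)
    return contexts


def match_denied(log_lines, contexts, prefix="report_host_"):
    """Emulate 'context=report_host_$1': fire only when that context exists."""
    hits = []
    for line in log_lines:
        m = DENY_ICMP.search(line)
        if m and prefix + m.group(1) in contexts:
            hits.append(m.group(1))
    return hits


# Constructed sample data: single-line syslog records (the copies in the
# question were wrapped by the mail client).
LOGS = [
    "<163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src "
    "outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src "
    "outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 16:00:01: %ASA-3-10614: Deny inbound icmp src "
    "outside:10.10.0.64 dst outside:192.168.0.10 (type 8, code 0)",
]
CONTROL = [
    "create report_host_10.10.0.63",
    "create report_host_10.10.0.64",
    "delete report_host_10.10.0.64",  # removed again before the logs arrive
]

if __name__ == "__main__":
    ctx = apply_control(set(), CONTROL)
    print(match_denied(LOGS, ctx))  # ['10.10.0.63']
```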
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users