hi Antonio,

as I understand, you would like to process lines that represent ICMP echo
reply packets, but can you be more specific about what event pattern you
actually want to detect? You have mentioned that you want to detect lines
where the source IP address is the same, but I didn't quite understand the
additional conditions. Could you provide some examples of what sec should
detect when your sample input events are provided?

kind regards,
risto

2016-05-10 22:44 GMT+03:00 Antonio Cuesta García <
antoniocuest...@hotmail.com>:

> Hi, I'm a student and a newbie with sec. How would I write a rule which
> detects that multiple ICMP responses are being made from the same IP, in
> which there are different IPs?
>
> A sample file:
>
> 05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:2  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:3  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:4  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:5  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:6  ECHO REPLY
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
> ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
> Type:0  Code:0  ID:20089  Seq:7  ECHO REPLY
>
> I had thought of a rule "SingleWithThreshold" but I don't know if I
> have to use contexts.
>
> Sorry for the translation. I'm Spanish.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
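One concrete reading of Antonio's question, to make Risto's request for a precise pattern easier to answer: alert when the same source address sends three or more ECHO REPLY packets within a time window, and also report how many distinct sources are replying to the monitored host. The script below is an added example written for this thread; it is not code from the thread, from sec, or from its author. It parses the quoted packet dump (constructed inline from the sample above) into one record per echo reply, carrying the source IP from the header line down to the "Type:0 Code:0" line, which is the same state a sec rule needs a context (or a multi-line pattern) for, since the two fields are on different lines. It then applies a sliding-window threshold keyed on the source address, which is what a SingleWithThreshold rule with `window` and `thresh` set and the source IP in its desc field would express. The year 2016, the threshold of 3 and the 60 second window are assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the packet dump quoted in the thread. The dump carries no
# year, so the mail's year (2016) is assumed when building timestamps.
SAMPLE = """\
05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:2  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:3  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:4  ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:5  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:6  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
Type:0  Code:0  ID:20089  Seq:7  ECHO REPLY
"""

# Header line of each record: "MM/DD-HH:MM:SS.usec SRC -> DST"
HEADER_RE = re.compile(
    r'^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) '
    r'(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)$')
# ICMP type line; Type 0 / Code 0 is an echo reply.
REPLY_RE = re.compile(r'^Type:0\s+Code:0\s+ID:(\d+)\s+Seq:(\d+)\s+ECHO REPLY$')


def parse_echo_replies(text, year=2016):
    """Yield (timestamp, src, dst, icmp_id, seq) for every ECHO REPLY record.

    The source address lives on the header line and the ICMP type two lines
    later, so the header is held as pending state until its Type line arrives.
    Separator lines, blank lines and the "ICMP TTL" line match nothing.
    """
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            mon, day, hh, mm, ss, us, src, dst = m.groups()
            ts = datetime(year, int(mon), int(day), int(hh), int(mm),
                          int(ss), int(us))
            pending = (ts, src, dst)
            continue
        m = REPLY_RE.match(line)
        if m and pending is not None:
            ts, src, dst = pending
            yield ts, src, dst, int(m.group(1)), int(m.group(2))
            pending = None  # one Type line per header; don't reuse it


def detect_bursts(records, thresh=3, window=60.0):
    """Sliding-window threshold per source IP (records in time order, as in a
    log stream). Fires once per source the first time `thresh` or more echo
    replies from it fall within the last `window` seconds. Returns a list of
    (src, count_in_window, timestamp_of_triggering_reply)."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for ts, src, _dst, _icmp_id, _seq in records:
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop replies outside window
            q.popleft()
        if len(q) >= thresh and src not in fired:
            fired.add(src)
            alerts.append((src, len(q), ts))
    return alerts


def sources_replying_to(records, dst):
    """Distinct source addresses that sent echo replies to host `dst`."""
    return sorted({src for _ts, src, d, _i, _s in records if d == dst})


if __name__ == "__main__":
    recs = list(parse_echo_replies(SAMPLE))
    for src, n, ts in detect_bursts(recs):
        print(f"{ts.time()} {n} echo replies from {src} within the window")
    print("sources replying to 192.168.20.151:",
          ", ".join(sources_replying_to(recs, "192.168.20.151")))
```

On the sample, 216.58.201.131 reaches the threshold at its third reply (16:36:32) while 216.58.201.20 sends only two and stays silent; shrinking the window to one second suppresses the alert entirely, because consecutive replies are just over a second apart. Whichever of these conditions Antonio actually means (same source repeated, or several different sources replying to one host) is the detail Risto is asking him to pin down before a sec rule can be written.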