hi Antonio,
if you would like to detect cases where 20 echo reply packets are received
from the same source IP address within 60 seconds, the following rule can
be used:
type=SingleWithThreshold
ptype=RegExp3
pattern=^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\nType:0\s+Code:0\s+ID:\d+\s+Seq:\d+\s+ECHO REPLY
desc=20 ECHO REPLY packets from host $1
action=write - %s
thresh=20
window=60
Note that you have to use the RegExp3 pattern, since your input events are
wrapped over three lines. For this reason, there are also two "\n"
constructs in the regular expression which match the newline characters in
the multiline input. Note that you can make this regular expression a bit
simpler -- for example, if you don't care for matching all keyword-value
pairs in the third line you can also write
pattern=^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3}) -> (?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\n.*?ECHO REPLY
The above rule writes a message "20 ECHO REPLY packets from host
<ipaddress>" to standard output if 20 echo reply packets have been seen
from the same host. If you want to execute a different output action, you
have to modify the 'action' field of the rule accordingly.
hope this helps,
risto
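To show what the rule above does outside of SEC, here is an added Python simulation (not SEC's own code and not part of the original message): it slides the rule's regex over a three-line buffer the way ptype=RegExp3 does and counts matches per source IP ($1) inside the window. The sliding of the window and the reset after the action are an approximation of SEC's SingleWithThreshold semantics, the input records are constructed in the layout of Antonio's sample, and the yearless Snort timestamps are parsed with strptime's default year, which only matters for time differences.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex copied from the rule: ^ anchors to the first of three lines, the two \n cross line breaks.
PATTERN = re.compile(
    r"^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3}) -> "
    r"(?:\d{1,3}\.){3}\d{1,3}.*?\nICMP.*?\nType:0\s+Code:0\s+ID:\d+\s+Seq:\d+\s+ECHO REPLY"
)

def event_time(header_line):
    # Snort timestamps carry no year; strptime's default year is fine since only differences matter.
    return datetime.strptime(header_line.split(" ", 1)[0], "%m/%d-%H:%M:%S.%f")

def detect(lines, thresh=20, window=60):
    """Return the 'desc' messages the rule would write, in the order they fire."""
    buf = deque(maxlen=3)        # RegExp3: the current line plus the two before it
    seen = defaultdict(deque)    # source IP ($1) -> times of the events counted so far
    actions = []
    for line in lines:
        buf.append(line.rstrip("\n"))
        if len(buf) < 3:
            continue
        m = PATTERN.match("\n".join(buf))   # matches only when buf[0] is a header line
        if not m:
            continue
        src, now = m.group(1), event_time(buf[0])
        q = seen[src]
        while q and (now - q[0]).total_seconds() > window:
            q.popleft()              # slide the window past events older than `window` (approximation)
        q.append(now)
        if len(q) >= thresh:
            actions.append(f"{thresh} ECHO REPLY packets from host {src}")
            q.clear()                # counting starts afresh after the action fires
    return actions

def sample(count, src, step=1):
    """Constructed input in the layout of Antonio's sample: count replies from src, step s apart."""
    lines = []
    for i in range(count):
        mins, secs = divmod(i * step, 60)
        lines += [
            f"05/10-16:{36 + mins:02d}:{secs:02d}.000000 {src} -> 192.168.20.151",
            f"ICMP TTL:128 TOS:0x0 ID:{33169 + i} IpLen:20 DgmLen:84",
            f"Type:0 Code:0 ID:20089 Seq:{i + 2} ECHO REPLY",
            "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+",
            "",
        ]
    return lines
```

Running `detect(sample(21, "216.58.201.131"))` fires exactly once, while twenty replies spaced four seconds apart stay below the threshold because the oldest ones fall out of the 60-second window.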
2016-05-11 0:14 GMT+03:00 Antonio Cuesta García <[email protected]>:
> I receive echoes from different IPs, and if I receive 20 echoes from the same IP in less
> than 60 seconds, detect this.
>
> On 10 May 2016, at 10:40 p.m., Risto Vaarandi <[email protected]> wrote:
>
> hi Antonio,
>
> as I understand, you would like to process lines that represent ICMP echo
> reply packets, but can you be more specific what event pattern do you
> actually want to detect? You have mentioned that you want to detect lines
> where source IP address is the same, but I didn't quite understand
> additional conditions. Could you provide some examples what sec should
> detect when your sample input events are provided?
>
> kind regards,
> risto
>
> 2016-05-10 22:44 GMT+03:00 Antonio Cuesta García <[email protected]>:
>
>> Hi, I'm a student and a newbie with sec. What would a rule look like which detects
>> for me that multiple ICMP responses are being made from the same IP, when there
>> are different IPs?
>>
>> A sample file:
>>
>> 05/10-16:36:30.859038 216.58.201.131 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33169 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:2 ECHO REPLY
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> 05/10-16:36:31.861001 216.58.201.131 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33170 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:3 ECHO REPLY
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> 05/10-16:36:32.862880 216.58.201.131 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33171 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:4 ECHO REPLY
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> 05/10-16:36:33.864879 216.58.201.20 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33172 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:5 ECHO REPLY
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> 05/10-16:36:34.866876 216.58.201.20 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33173 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:6 ECHO REPLY
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>> 05/10-16:36:35.868668 216.58.201.131 -> 192.168.20.151
>> ICMP TTL:128 TOS:0x0 ID:33174 IpLen:20 DgmLen:84
>> Type:0 Code:0 ID:20089 Seq:7 ECHO REPLY
>>
>> I had thought of a "SingleWithThreshold" rule, but I don't know if I
>> have to use contexts.
>>
>> Sorry for the translation. I'm Spanish.
>>
>> ------------------------------------------------------------------------------
>> Mobile security can be enabling, not merely restricting. Employees who
>> bring their own devices (BYOD) to work are irked by the imposition of MDM
>> restrictions. Mobile Device Manager Plus allows you to control only the
>> apps on BYO-devices by containerizing them, leaving personal data
>> untouched!
>> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>