hi Savakh,
if your intention is to detect this particular event sequence, the use of
contexts is indeed one option. To illustrate how contexts can be
employed, let's assume that consecutive events can be separated by at most
60 seconds. Also, the event matching patterns have been written for the Linux
netfilter firewall and sshd:
# Rule 1: firewall log line for a TCP connection to port 22; remember the
# client IP in a context that lives for 60 seconds
type=Single
ptype=RegExp
pattern=kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b
desc=SSH traffic from host $1
action=create SSH_TRAFFIC_$1 60

# Rule 2: sshd login failure; matches only while the SSH_TRAFFIC context for
# the same client IP exists (the context= field is a precondition for the match).
# "(?:invalid user )?" also covers sshd's "Failed password for invalid user X" form
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from ([\d.]+) port \d+ ssh2
context=SSH_TRAFFIC_$1
desc=SSH login failure from client host $1
action=create SSH_LOGIN_FAILED_$1 60

# Rule 3: successful login; matches only while the SSH_LOGIN_FAILED context
# for the same client IP exists. Rules are separated by blank lines.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Accepted \S+ for \S+ from ([\d.]+) port \d+ ssh2
context=SSH_LOGIN_FAILED_$1
desc=SSH login from client host $1
action=write - SSH_traffic->login_failure->successful_login event sequence detected for IP $1
The first rule creates a context with a lifetime of 60 seconds for an IP
address if SSH traffic is observed from this client IP. The second rule
matches an SSH login failure event only if the SSH traffic context has been
previously created for the client IP address. After the match, the second
rule creates a context which denotes the login failure for the client
IP. Finally, the third rule matches a successful login event if there is
a context that indicates a previous login failure for the same client IP
address.
Also, you can use the context-based strategy to combine Single and Pair (or
PairWithWindow) rules. For instance, the following ruleset will create two
different output events: one for an SSH login failure that was not followed by
a successful login within 60 seconds for the same user, and one for a login
failure that was followed by a successful login:
# Rule 1 is the same firewall rule as in the previous ruleset
type=Single
ptype=RegExp
pattern=kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b
desc=SSH traffic from host $1
action=create SSH_TRAFFIC_$1 60

# PairWithWindow: pattern starts a 60-second operation per user/IP pair when a
# login failure arrives while the SSH_TRAFFIC context for the client IP exists.
# $1 and $2 from the first match are substituted into pattern2 before it is
# compiled (the dots of the IP in $2 then act as regex metacharacters, which is
# harmless here). In desc2 and action2, %1 and %2 refer to the first pattern's
# match variables; pattern2 itself has no capture groups.
# action fires if pattern2 has not matched when the window expires;
# action2 fires as soon as pattern2 matches within the window.
type=PairWithWindow
ptype=RegExp
pattern=sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from ([\d.]+) port \d+ ssh2
context=SSH_TRAFFIC_$2
desc=SSH login failed for user $1 from $2
action=write - User $1 from $2 has not managed to login within 60 seconds
ptype2=RegExp
pattern2=sshd\[\d+\]: Accepted \S+ for $1 from $2 port \d+ ssh2
desc2=SSH login successful for user %1 from %2
action2=write - User %1 from %2 logged in after initial failure
window=60
The second rule matches the SSH login failure event only if the
SSH_TRAFFIC_* context exists for the client IP address. After matching the
login failure, the second rule also starts an event correlation
operation which waits for the successful login event for the same user and
the same client IP address. If the successful login event appears as expected,
the string "User <username> from <IPaddress> logged in after initial failure"
is written to standard output. However, if the successful login is not
observed within 60 seconds, the event correlation operation produces the
output string "User <username> from <IPaddress> has not managed to login
within 60 seconds".
I hope these examples provide some insight into how rules can be joined with
the proper use of contexts.
kind regards,
risto
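As an added illustration (not part of Risto's reply and not SEC's own code), the following Python simulation re-implements the context and PairWithWindow behaviour described above and runs both rulesets over constructed log lines: one client that completes traffic, failure and success within 60 seconds, one whose success arrives after the window has closed, and one whose failure was never preceded by a firewall event. The log lines, IP addresses and usernames are made up, and the leading relative timestamps stand in for syslog time; the regexes are the rule patterns from the reply.

```python
import re

# Added example (not part of the original reply, not SEC's own code): a minimal
# re-implementation of the context and PairWithWindow semantics described
# above, so both rulesets can be exercised on sample lines without running SEC.
# The regexes are the rule patterns from the reply; "(?:invalid user )?" is an
# addition that also covers sshd's "Failed password for invalid user X" form.
FW_RE = re.compile(r"kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b")
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from ([\d.]+) port \d+ ssh2")
OK_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from ([\d.]+) port \d+ ssh2")

WINDOW = 60  # context lifetime and PairWithWindow window used in the reply, in seconds

# Constructed sample input (not real logs). The leading integer is the event
# time in seconds and stands in for the syslog timestamp.
SAMPLE_LOG = """\
0 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22 SYN
10 host sshd[4242]: Failed password for alice from 203.0.113.5 port 51000 ssh2
25 host sshd[4242]: Accepted password for alice from 203.0.113.5 port 51000 ssh2
30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=22 SYN
40 host sshd[4300]: Failed password for bob from 203.0.113.9 port 52000 ssh2
120 host sshd[4300]: Accepted password for bob from 203.0.113.9 port 52000 ssh2
200 host sshd[4400]: Failed password for carol from 203.0.113.77 port 53000 ssh2
210 host sshd[4400]: Accepted password for carol from 203.0.113.77 port 53000 ssh2
"""


class Correlator:
    """Runs the reply's two rulesets side by side (as if in two SEC config files)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.contexts = {}  # context name -> expiry time ("create NAME LIFETIME")
        self.pending = {}   # (user, ip) -> deadline of an open PairWithWindow operation
        self.output = []    # what the "write -" actions would print, in order

    def _create(self, name, now):
        self.contexts[name] = now + self.window

    def _context_alive(self, name, now):
        expiry = self.contexts.get(name)
        if expiry is None:
            return False
        if expiry <= now:          # lifetime elapsed: SEC has dropped the context
            del self.contexts[name]
            return False
        return True

    def _expire_pairs(self, now):
        # PairWithWindow: 'action' fires when the window closes without pattern2 matching
        for key, deadline in list(self.pending.items()):
            if deadline <= now:
                user, ip = key
                self.output.append(
                    f"User {user} from {ip} has not managed to login within {self.window} seconds")
                del self.pending[key]

    def feed(self, now, line):
        self._expire_pairs(now)
        m = FW_RE.search(line)
        if m:                                  # rule 1 of both rulesets
            self._create(f"SSH_TRAFFIC_{m.group(1)}", now)
            return
        m = FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            # context= is a precondition: no live SSH_TRAFFIC context, no match
            if self._context_alive(f"SSH_TRAFFIC_{ip}", now):
                self._create(f"SSH_LOGIN_FAILED_{ip}", now)            # ruleset 1, rule 2
                # ruleset 2: start the operation; a repeat for the same key is ignored
                self.pending.setdefault((user, ip), now + self.window)
            return
        m = OK_RE.search(line)
        if m:
            user, ip = m.groups()
            if self._context_alive(f"SSH_LOGIN_FAILED_{ip}", now):     # ruleset 1, rule 3
                self.output.append("SSH_traffic->login_failure->successful_login "
                                   f"event sequence detected for IP {ip}")
            if (user, ip) in self.pending:                             # ruleset 2, pattern2
                del self.pending[(user, ip)]
                self.output.append(f"User {user} from {ip} logged in after initial failure")


def correlate(log_text, window=WINDOW):
    """Feed timestamped lines to the correlator and return the action output."""
    c = Correlator(window)
    last = 0
    for raw in log_text.splitlines():
        ts, _, line = raw.partition(" ")
        last = int(ts)
        c.feed(last, line)
    c._expire_pairs(last + window)  # let any still-open windows time out
    return c.output


if __name__ == "__main__":
    for out in correlate(SAMPLE_LOG):
        print(out)
```

Running it prints three lines: the chain detection and the action2 string for the first client, and the timeout string for the second client, whose successful login arrived 80 seconds after the failure. The third client produces nothing at all, because without a preceding firewall event the SSH_TRAFFIC context does not exist and the context= precondition on the failure rule is not met; this is the gate that keeps the two sshd rules from firing on hosts the firewall never saw.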
2016-08-12 15:44 GMT+03:00 Savakh S <[email protected]>:
> Hello all,
>
> I have two different kinds of logs: one from a firewall and one from an ssh
> host.
> I'd like to write a rule that:
> firstly matches when I recognize an ssh flow in the firewall logs, secondly
> when a user enters a failed password, finally when he succeeds in logging in, and all
> for the same IP address for the ssh host.
> "Pair" works for 2 elements, what about 3 or more? Do I have to use contexts?
>
> Thanks
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users