Many thanks, Risto, for your exhaustive response! You answered exactly my question.
Sav

2016-08-12 21:38 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> hi Savakh,
> if your intention is to detect this particular event sequence, the use of
> contexts is indeed one opportunity. To illustrate how contexts can be
> employed, let's assume that consecutive events can be separated by at most
> 60 seconds. Also, the event matching patterns have been written for Linux
> netfilter firewall and sshd:
>
> type=Single
> ptype=RegExp
> pattern=kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b
> desc=SSH traffic from host $1
> action=create SSH_TRAFFIC_$1 60
>
> type=Single
> ptype=RegExp
> pattern=sshd\[\d+\]: Failed \S+ for \S+ from ([\d.]+) port \d+ ssh2
> context=SSH_TRAFFIC_$1
> desc=SSH login failure from client host $1
> action=create SSH_LOGIN_FAILED_$1 60
>
> type=Single
> ptype=RegExp
> pattern=sshd\[\d+\]: Accepted \S+ for \S+ from ([\d.]+) port \d+ ssh2
> context=SSH_LOGIN_FAILED_$1
> desc=SSH login from client host $1
> action=write - SSH_traffic->login_failure->successful_login event sequence detected for IP $1
>
> The first rule creates a context with the lifetime of 60 seconds for an IP
> address if SSH traffic is observed from this client IP. The second rule
> matches an SSH login failure event if the SSH traffic context has been
> previously created for the client IP address. After the match, the second
> rule will create a context which denotes the login failure for the client
> IP. Finally, the third rule will match a successful login event if there is
> a context that indicates previous login failure for the same client IP
> address.
>
> Also, you can use the context-based strategy to combine Single and Pair
> (or PairWithWindow) rules. For instance, the following ruleset will create
> two different output events for SSH login failure that was not followed by
> successful login within 60 seconds for the same user, and for login failure
> that was followed by successful login:
>
> type=Single
> ptype=RegExp
> pattern=kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b
> desc=SSH traffic from host $1
> action=create SSH_TRAFFIC_$1 60
>
> type=PairWithWindow
> ptype=RegExp
> pattern=sshd\[\d+\]: Failed \S+ for (\S+) from ([\d.]+) port \d+ ssh2
> context=SSH_TRAFFIC_$2
> desc=SSH login failed for user $1 from $2
> action=write - User $1 from $2 has not managed to login within 60 seconds
> ptype2=RegExp
> pattern2=sshd\[\d+\]: Accepted \S+ for $1 from $2 port \d+ ssh2
> desc2=SSH login successful for user %1 from %2
> action2=write - User %1 from %2 logged in after initial failure
> window=60
>
> The second rule matches the SSH login failure event only if the
> SSH_TRAFFIC_* context exists for the client IP address. After matching the
> login failure, the second rule will also start an event correlation
> operation which waits for the successful login event for the same user and
> same client IP address. If the successful login event appears as expected,
> a string "User <username> from <IPaddress> logged in after initial failure"
> is written to standard output. However, if the successful login is not
> observed within 60 seconds, the event correlation operation produces an
> output string "User <username> from <IPaddress> has not managed to login
> within 60 seconds".
>
> I hope these examples provide some insights into how rules can be joined with
> the proper use of contexts.
>
> kind regards,
> risto
>
>
> 2016-08-12 15:44 GMT+03:00 Savakh S <sova...@gmail.com>:
>
>> Hello all,
>>
>> I have two different kinds of logs: one from a firewall and one from an ssh
>> host.
>> I'd like to write a rule that:
>> firstly matches when I recognize an ssh flow in the firewall logs,
>> secondly when a user enters a failed password, and finally when he succeeds in logging in,
>> all for the same IP address on the ssh host.
>> "Pair" works for 2 elements, what about 3 or more? Do I have to use a context?
>>
>> Thanks
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
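Added example, not part of the thread above and not SEC's own code: a small Python simulation of the semantics Risto describes (contexts with a 60-second lifetime, a Single rule that only fires while a context exists, and a PairWithWindow operation keyed on user and IP that fires one of two outputs). The regular expressions are the ones from the rules in the thread; the Correlator class, the integer timestamps, the sample log lines and the assumption that a context expires exactly 60 seconds after creation are mine. Running the same event sequence through SEC itself is the authoritative check; this only shows, offline, which of the two rulesets' output strings a concrete sequence would produce and why the second "Failed password" line below produces nothing.

```python
import re

# Patterns copied from the SEC rules in the thread (Perl-style syntax that
# Python's re module accepts unchanged).
SSH_TRAFFIC = re.compile(r"kernel: .* SRC=([\d.]+) .* PROTO=TCP .* DPT=22\b")
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (\S+) from ([\d.]+) port \d+ ssh2")
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from ([\d.]+) port \d+ ssh2")

LIFETIME = 60  # context lifetime and PairWithWindow window used in the thread, seconds


class Correlator:
    """Stand-in for SEC's context store and its PairWithWindow operations (assumed semantics)."""

    def __init__(self):
        self.contexts = {}  # context name -> expiry timestamp
        self.pending = {}   # (user, ip) -> deadline of an open PairWithWindow operation
        self.output = []    # what the rules' 'write -' actions would print

    def _expire(self, now):
        # Assumption: a context is gone once its lifetime has fully elapsed.
        for name, expiry in list(self.contexts.items()):
            if expiry <= now:
                del self.contexts[name]
        # PairWithWindow: pattern2 did not match inside the window, so the
        # first action fires.
        for (user, ip), deadline in list(self.pending.items()):
            if deadline <= now:
                self.output.append(
                    f"User {user} from {ip} has not managed to login within {LIFETIME} seconds")
                del self.pending[(user, ip)]

    def feed(self, ts, line):
        self._expire(ts)
        m = SSH_TRAFFIC.search(line)
        if m:
            # Rule 1 of both rulesets: create SSH_TRAFFIC_<ip> 60
            # (assumption: 'create' on an existing context resets its lifetime).
            self.contexts[f"SSH_TRAFFIC_{m.group(1)}"] = ts + LIFETIME
            return
        m = SSH_FAILED.search(line)
        if m:
            user, ip = m.groups()
            # The failure rule only matches while SSH_TRAFFIC_<ip> exists.
            if f"SSH_TRAFFIC_{ip}" in self.contexts:
                # First ruleset: create SSH_LOGIN_FAILED_<ip> 60
                self.contexts[f"SSH_LOGIN_FAILED_{ip}"] = ts + LIFETIME
                # Second ruleset: start one operation per user+IP; a repeat
                # failure while it is open does not start another.
                self.pending.setdefault((user, ip), ts + LIFETIME)
            return
        m = SSH_ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # First ruleset, rule 3: keyed on IP only, any user.
            if f"SSH_LOGIN_FAILED_{ip}" in self.contexts:
                self.output.append(
                    "SSH_traffic->login_failure->successful_login event sequence "
                    f"detected for IP {ip}")
            # Second ruleset, pattern2: same user and same IP as the failure.
            if (user, ip) in self.pending:
                del self.pending[(user, ip)]
                self.output.append(f"User {user} from {ip} logged in after initial failure")


def run(events):
    """Feed (timestamp, line) pairs in order; flush windows still open at the end."""
    c = Correlator()
    for ts, line in events:
        c.feed(ts, line)
    if events:
        c._expire(events[-1][0] + LIFETIME)
    return c.output


# Constructed sample log; timestamps are seconds from an arbitrary start.
SAMPLE = [
    (0, "kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN"),
    (5, "sshd[1234]: Failed password for alice from 203.0.113.5 port 51234 ssh2"),
    (10, "sshd[1234]: Accepted password for alice from 203.0.113.5 port 51234 ssh2"),
    # No firewall event preceded this failure: no SSH_TRAFFIC context, no match.
    (100, "sshd[2222]: Failed password for bob from 198.51.100.7 port 40000 ssh2"),
    (200, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN"),
    (205, "sshd[2223]: Failed password for bob from 198.51.100.7 port 40001 ssh2"),
    # 95 s after the failure: window and contexts have expired, so only the
    # "has not managed to login" output appears for bob.
    (300, "sshd[2224]: Accepted password for bob from 198.51.100.7 port 40002 ssh2"),
]

if __name__ == "__main__":
    for line in run(SAMPLE):
        print(line)
```

Note that the first ruleset's third rule is keyed on the IP alone (context name SSH_LOGIN_FAILED_<ip>), so a failure by one user followed by a success by another user from the same address still produces the "event sequence detected" line, whereas the PairWithWindow rule pins both user and IP through $1/$2 in pattern2.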