Hi Risto

I recently came across this wonderful product and am researching its 
utilization for security events. Query on whitelisting or blacklisting. Need 
your inputs as I couldn't find any topic specific to this. I'm suppressing 
security alerts based on their name and IP address. But I'm looking for the best way to 
whitelist or blacklist specific attacks.

Ideally the goal is to maintain a separate list of Attack Names, so the 
suppress rule will ignore them or consider them as out of scope.

Tried something like this but no luck. Can you please check and help me with 
the below scenario:
---------------------------------------------------------------------------------------------------------------------------------------
# Suppress Duplicate Alerts Based on Attack Name and Source & Destination IP for 24hrs except SQLI
# $1 = attack name, $2 = dst IP, $3 = src IP. "\W*" skips the separator after
# "Attack Name"; a greedy ".*" there leaves only the last character of the name in $1.
type=SingleWithScript
ptype=RegExp
pattern=Attack Name\W*([\w:\s\-\/]+).*dst":"([\d\.]+).*src":"([\d\.]+)
# The action runs only when the script exits 0; $1 is quoted because attack names contain spaces
script=/usr/bin/python /usr/bin/sec-rules/whitelist.py '$1'
continue=takenext
desc=Suppressed Alert $0
action=logonly; event %s

type=SingleWithSuppress
ptype=RegExp
pattern=Suppressed Alert.*Attack Name\W*([\w:\s\-\/]+).*dst":"([\d\.]+).*src":"([\d\.]+)
continue=dontcont
desc=[SEC][Critical]Suppressed $1 Security Alert towards $2
# pipe syntax is "pipe <event> <shellcmd>": the event goes to the command's stdin, no "|" needed
action=logonly; pipe '$0' nc test.com 80
window=86400
---------------------------------------------------------------------------------------------------------------------------------------
whitelist.py

#! /usr/bin/python

import sys

# $1 from the SEC rule is the attack name (not an IP); normalise it for comparison
ATTACK = sys.argv[1].strip().lower()

# Attack names that must never be suppressed (out of scope for the suppress rule)
TI1 = ["sql injection", "xss attack", "bruteforce attempt"]

# Non-zero exit: SingleWithScript does not run its action, so no
# "Suppressed Alert" event is generated. Exit 0: suppression proceeds.
if ATTACK in TI1:
    sys.exit(1)
else:
    sys.exit(0)
---------------------------------------------------------------------------------------------------------------------------------------

Regards,
Santosh.S
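The pipeline described in the post (regex capture, whitelist exit code, 24h suppression keyed on attack name and IP pair), modelled in Python as an added example; this is not code from the post or from SEC itself, and the two log lines are constructed samples that assume a JSON-like and a plain "key: value" layout.

```python
import re

# Capture order mirrors the SEC rule in the post: $1 attack name, $2 dst, $3 src.
# "\W*" (instead of a greedy ".*") skips the separator after "Attack Name" so the
# whole name is captured rather than only its last character.
PATTERN = re.compile(r'Attack Name\W*([\w:\s\-/]+).*dst":"([\d.]+).*src":"([\d.]+)')

# Attack names that whitelist.py treats as out of scope for suppression.
EXEMPT = {"sql injection", "xss attack", "bruteforce attempt"}

WINDOW = 86400  # seconds, same as the SingleWithSuppress window in the post


def extract_fields(line):
    """Return (attack, dst, src) as the SEC rule would bind $1, $2, $3, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    attack, dst, src = m.groups()
    return attack.strip(), dst, src


def whitelist_exit_code(attack):
    """Exit status whitelist.py returns: 1 = out of scope (never suppress), 0 = ok."""
    return 1 if attack.strip().lower() in EXEMPT else 0


class Suppressor:
    """Models SingleWithSuppress keyed on (attack, dst, src) for a fixed window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = {}  # key -> timestamp of the first alert in the current window

    def handle(self, line, now):
        """Return 'ignore' (no match), 'alert' (first in window or exempt) or 'suppressed'."""
        fields = extract_fields(line)
        if fields is None:
            return "ignore"
        attack, dst, src = fields
        # SingleWithScript only emits the "Suppressed Alert" event on exit 0,
        # so exempt attacks never reach the suppress rule and always alert.
        if whitelist_exit_code(attack) != 0:
            return "alert"
        key = (attack.lower(), dst, src)
        first = self.seen.get(key)
        if first is not None and now - first < self.window:
            return "suppressed"
        self.seen[key] = now  # first alert of a new window: forward it
        return "alert"
```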

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users