hi Santhosh,

since you are using the SingleWithSuppress rule for aggregation, is my
understanding correct that the term "aggregation" means generating a syslog
message on the first matching event and suppressing the following matching
events for 300 seconds? If so, you don't need the PairWithWindow rule
but can accomplish your task with the SingleWithSuppress rule that you
already have in your rulebase. All you need to do is to set up a file which
contains the IP addresses of interest, and load it when SEC starts or the file
is updated. Here is a simple ruleset that implements this task:

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=load blacklist of bad IP addresses
action=delete BADIP; create BADIP; \
       lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
       cspawn BadIp cat /tmp/badip.txt

type=Calendar
time=* * * * *
context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
                    if (!defined($temp)) { return 0; } \
                    if (!defined($mtime) || $temp != $mtime) \
                      { $mtime = $temp; return 1; } \
                    return 0; } )
desc=reload updated blacklist of bad IP addresses
action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt

type=Single
ptype=RegExp
pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
context=BadIp
desc=set up a blacklist entry for IP address $1
action=alias BADIP BADIP_$1


Note that for reading the file with blacklist entries, I have used the 'cspawn'
action, since it is more efficient and simpler than the combination of 'lcall'
and 'cevent' in your ruleset.
Also, I have included an additional Calendar rule which checks the blacklist
file once a minute, and reloads the blacklist if the file modification time has
changed (the modification time is memorized in the Perl global variable
$mtime).

Once the blacklist has been loaded, you could use the following
SingleWithSuppress rules for reacting to the first IDS event observed
for a specific combination of source IP address and attack name, and
suppressing the following events for the same combination for 300 seconds:

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=BADIP_$1
desc=Security Alert $2 for blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

type=SingleWithSuppress
ptype=regexp
pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
context=!BADIP_$1
desc=Security Alert $2 for non-blacklisted IP $1
action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
window=300

Note that the 'pipe' action in your rule example has invalid syntax, since
there is no pipe (|) symbol between the event string and the external command
line. Also, it is inefficient to fork a process each time an event needs to
be sent to the central syslog server, and the 'udpsock' action is a much better
alternative since it only sets up a single UDP socket for talking to the server
(the documentation of the 'udpsock' action actually contains an example of
communicating with a remote syslog server, and I have used it in the above rules).

I hope that the above examples are helpful.

kind regards,
risto
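As an added illustration (not part of Risto's reply or of SEC itself), the Python model below replays the blacklist-loading and SingleWithSuppress logic of the ruleset above over a constructed blacklist file and a few constructed IDS events, so the 300-second suppression and the blacklisted/non-blacklisted split can be checked offline. The BSD-syslog timestamp layout, the host name "myhost" and the sample addresses are assumptions.

```python
import re
from datetime import datetime, timezone

# Same regular expressions as the SEC rules above.
IDS_RE = re.compile(r"IDS.*src=([\d.]+).*attack_name=(\S+)")
IP_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")
WINDOW = 300  # seconds, matching window=300 in the rules

def load_blacklist(lines):
    """Mirror of the 'BadIp' rule: one BADIP_<ip> alias per well-formed line;
    malformed lines are ignored, just as the pattern would not match them."""
    return {"BADIP_" + m.group(1) for m in map(IP_RE.match, lines) if m}

def syslog_line(ts, desc, host="myhost"):
    """Payload the udpsock action sends: PRI 13 (user.notice), BSD timestamp
    (assumed layout: month, space-padded day, hh:mm:ss, UTC)."""
    dt = datetime.fromtimestamp(ts, timezone.utc)
    return f"<13>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} {host} sec: {desc}"

class Suppressor:
    """Models the two SingleWithSuppress rules: the first event for a given
    (rule, src, attack) key is reported, later ones are dropped for WINDOW s."""
    def __init__(self, blacklist):
        self.blacklist = blacklist
        self.windows = {}  # key -> start time of the active suppression window

    def process(self, ts, event):
        m = IDS_RE.search(event)
        if not m:
            return None                      # not an IDS event; no rule fires
        src, attack = m.group(1), m.group(2)
        listed = ("BADIP_" + src) in self.blacklist
        key = (listed, src, attack)          # $1/$2 are part of the rule key
        start = self.windows.get(key)
        if start is not None and ts - start < WINDOW:
            return None                      # suppressed within the window
        self.windows[key] = ts               # (re)open a 300 s window
        kind = "blacklisted" if listed else "non-blacklisted"
        return syslog_line(ts, f"Security Alert {attack} for {kind} IP {src}")

# Constructed input: a blacklist file and a short burst of IDS events.
BLACKLIST = ["10.1.2.3", "not an address", " 192.168.0.9 "]
EVENTS = [(1000, "IDS src=10.1.2.3 dst=10.9.9.9 attack_name=SQLi"),
          (1100, "IDS src=10.1.2.3 dst=10.9.9.9 attack_name=SQLi"),   # suppressed
          (1150, "IDS src=172.16.5.5 dst=10.9.9.9 attack_name=SQLi"), # other rule
          (1400, "IDS src=10.1.2.3 dst=10.9.9.9 attack_name=SQLi")]   # new window

def run(events=EVENTS, blacklist=BLACKLIST):
    s = Suppressor(load_blacklist(blacklist))
    return [s.process(ts, ev) for ts, ev in events]

if __name__ == "__main__":
    for line in run():
        print(line)
```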

Santhosh Kumar (<santhoshkmrre...@gmail.com>) wrote on Mon, 13 May 2019 at 13:56:

> Hi Risto
>
> Greetings..!!
>
> I would like to get your suggestions on event correlation upon
> aggregation. The rule below aggregates events with whitelisting criteria.
>
> ---------------------------------------------------------------------------
> type=Single
> ptype=RegExp
> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
> desc=load blacklist
> action=logonly; delete WL; create WL; \
>         lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
>         cevent Whitelist 0 %events
>
> type=Single
> ptype=RegExp
> pattern=.
> context=Whitelist
> desc=create a whitelist entry
> action=logonly; alias WL WL_$0
>
> type=SingleWithSuppress
> ptype=regexp
> context=!WL_$2
> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
> desc=Suppressed $2 Security Alert towards $1
> action= pipe '<5>$0' | nc syslog01 514
> window=300
> ---------------------------------------------------------------------------
>
> Now, will a "pairwithwindow" rule on top of this help me to achieve correlation
> based on the Dst. IP ($1) field from IDS logs with Threat Intel IPs (which are
> stored in a file)?
>
> Conditions to meet are:
>
> Condition 1: Need to forward Aggregated + Correlated log to external
> syslog server.
>
> Condition 2: If Correlation is not matching, just the Aggregated log should be
> forwarded to external syslog server.
>
> Please suggest best practices.
>
> Regards,
>
> Santhosh S
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users