Hi Risto,

Thanks a lot for the detailed explanation!

You are correct about aggregation, and your suggestion clarified all the queries. (|) was a typo. I'll run the tests as suggested and also will check on cspawn and udpsock. Thanks again for promising sec🙂

Regards,
Santhosh S

On Mon, May 13, 2019, 20:13 Risto Vaarandi <risto.vaara...@gmail.com> wrote:

> hi Santhosh,
>
> since you are using the SingleWithSuppress rule for aggregation, is my
> understanding correct that the term "aggregation" means generating a syslog
> message on the first matching event and suppressing the following matching
> events during 300 seconds? If so, you don't need the PairWithWindow rule
> but can accomplish your task with the SingleWithSuppress rule that you
> already have in your rulebase. All you need to do is to set up a file which
> contains the IP addresses of interest, and load it when SEC starts or the file
> is updated. Here is a simple ruleset that implements this task:
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=load blacklist of bad IP addresses
> action=delete BADIP; create BADIP; \
>        lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
>        cspawn BadIp cat /tmp/badip.txt
>
> type=Calendar
> time=* * * * *
> context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
>                     if (!defined($temp)) { return 0; } \
>                     if (!defined($mtime) || $temp != $mtime) \
>                       { $mtime = $temp; return 1; } \
>                     return 0; } )
> desc=reload updated blacklist of bad IP addresses
> action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt
>
> type=Single
> ptype=RegExp
> pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
> context=BadIp
> desc=set up a blacklist entry for IP address $1
> action=alias BADIP BADIP_$1
>
> Note that for reading the file with blacklist entries, I have used the
> 'cspawn' action, since it is more efficient and simpler than the combination of
> 'lcall' and 'cevent' in your ruleset.
> Also, I have included an additional Calendar rule which checks the blacklist
> file once a minute, and reloads the blacklist if the file modification time has
> changed (the modification time is memorized in the Perl $mtime global
> variable).
>
> Once the blacklist has been loaded, you could use the following
> SingleWithSuppress rules for reacting to the first IDS event which is observed
> for a specific combination of source IP address and attack name, and
> suppressing the following events for the same combination during 300 seconds:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=BADIP_$1
> desc=Security Alert $2 for blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=!BADIP_$1
> desc=Security Alert $2 for non-blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> Note that the 'pipe' action in your rule example has invalid syntax, since
> there is no pipe (|) symbol between the event string and the external command
> line. Also, it is inefficient to fork a process each time an event needs to
> be sent to the central syslog server, and the 'udpsock' action is a much better
> alternative since it only sets up a single UDP socket for talking to the server
> (the documentation of the 'udpsock' action actually contains an example of
> communicating with a remote syslog server, and I have used it in the above rules).
>
> I hope that the above examples are helpful.
>
> kind regards,
> risto
>
> On Mon, 13 May 2019 at 13:56, Santhosh Kumar (<santhoshkmrre...@gmail.com>) wrote:
>
>> Hi Risto
>>
>> Greetings..!!
>>
>> I would like to get your suggestions on event correlation upon
>> aggregation. The rule below aggregates events with whitelisting criteria.
>>
>> ---------------------------------------------------------------------------
>> type=Single
>> ptype=RegExp
>> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
>> desc=load blacklist
>> action=logonly; delete WL; create WL; \
>>        lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
>>        cevent Whitelist 0 %events
>>
>> type=Single
>> ptype=RegExp
>> pattern=.
>> context=Whitelist
>> desc=create a whitelist entry
>> action=logonly; alias WL WL_$0
>>
>> type=SingleWithSuppress
>> ptype=regexp
>> context=!WL_$2
>> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
>> desc=Suppressed $2 Security Alert towards $1
>> action= pipe '<5>$0' | nc syslog01 514
>> window=300
>> ---------------------------------------------------------------------------
>>
>> Now, will a "pairwithwindow" rule on top of this help me to achieve
>> correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel
>> IP (which is stored in a file)?
>>
>> Conditions to meet are,
>> Condition 1: Need to forward Aggregated + Correlated log to external
>> syslog server.
>> Condition 2: If Correlation is not matching, just the Aggregated log should
>> be forwarded to the external syslog server.
>>
>> Please suggest best practices.
>>
>> Regards,
>> Santhosh S
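To make the mechanics of Risto's ruleset concrete, here is an added Python emulation of the same pipeline; it is example code written for this page, not SEC itself and not code from either correspondent. It reproduces the three pieces the rules rely on: a blacklist file that is re-read only when its modification time changes (the Calendar rule and the Perl $mtime global), SingleWithSuppress semantics where the first event for a (source IP, attack name) pair fires and repeats are dropped for 300 seconds, and a single long-lived UDP socket for the syslog message instead of a forked process per event. Assumptions: the blacklist holds one IPv4 address per line, IDS lines carry `src=` and `attack_name=` as in the thread, the sample events and blacklist are constructed, and the `<13>Mon DD HH:MM:SS host sec:` timestamp layout is an approximation of the udpsock payload in the rules.

```python
"""Emulation of the blacklist + SingleWithSuppress correlation from the thread.
Constructed example; the file path, event lines and blacklist are made up."""
import os
import re
import socket
import tempfile
import time

# Same regexps as Risto's rules: one for IDS events, one for blacklist rows.
IDS_RE = re.compile(r"IDS.*src=([\d.]+).*attack_name=(\S+)")
IP_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")


def parse_blacklist(text):
    """Counterpart of 'alias BADIP BADIP_$1': keep only well-formed IPv4 rows."""
    return {m.group(1) for m in (IP_RE.match(l) for l in text.splitlines()) if m}


class Blacklist:
    """Counterpart of the Calendar rule: reload only when the file's mtime changes."""

    def __init__(self, path):
        self.path = path
        self.mtime = None          # plays the role of the Perl $mtime global
        self.ips = set()

    def reload_if_changed(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            return False           # the rule's 'return 0' when stat() fails
        if self.mtime is not None and mtime == self.mtime:
            return False
        self.mtime = mtime
        with open(self.path, encoding="utf-8") as fh:
            self.ips = parse_blacklist(fh.read())
        return True


class Suppressor:
    """SingleWithSuppress: first event for a key fires, later events for the
    same key are dropped until 'window' seconds have elapsed."""

    def __init__(self, window=300):
        self.window = window
        self.last_fired = {}

    def fire(self, key, now):
        last = self.last_fired.get(key)
        if last is not None and now - last < self.window:
            return False
        self.last_fired[key] = now
        return True


def correlate(line, blacklist, suppressor, now):
    """Alert text for an IDS line, or None if not an IDS event or suppressed."""
    m = IDS_RE.search(line)
    if not m:
        return None
    src, attack = m.group(1), m.group(2)
    if not suppressor.fire((src, attack), now):
        return None
    kind = "blacklisted" if src in blacklist.ips else "non-blacklisted"
    return f"Security Alert {attack} for {kind} IP {src}"


def syslog_line(msg, now, host="myhost", tag="sec", pri=13):
    """Approximation of the udpsock payload (PRI 13 = facility user, severity notice)."""
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(now))
    return f"<{pri}>{stamp} {host} {tag}: {msg}"


def make_udp_sender(server):
    """udpsock equivalent: one UDP socket created once and reused for every event."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda line: sock.sendto(line.encode("utf-8"), server)


# Constructed sample data: (event time in seconds, raw log line).
SAMPLE_BLACKLIST = "10.0.0.5\n  192.168.1.20  \nnot-an-ip\n"
SAMPLE_EVENTS = [
    (1000, "sensor IDS: src=10.0.0.5 dst=10.1.1.1 attack_name=SQLi"),
    (1010, "sensor IDS: src=10.0.0.5 dst=10.1.1.2 attack_name=SQLi"),   # inside window
    (1020, "sensor IDS: src=172.16.0.9 dst=10.1.1.1 attack_name=XSS"),
    (1400, "sensor IDS: src=10.0.0.5 dst=10.1.1.1 attack_name=SQLi"),   # window expired
    (1410, "sensor cron: unrelated line"),
]


def run_demo(events=SAMPLE_EVENTS, blacklist_text=SAMPLE_BLACKLIST, window=300):
    """Run the sample events through the pipeline; return the syslog lines produced."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "badip.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(blacklist_text)
        blacklist, suppressor, alerts = Blacklist(path), Suppressor(window), []
        for now, line in events:
            blacklist.reload_if_changed()  # what the once-a-minute Calendar rule does
            msg = correlate(line, blacklist, suppressor, now)
            if msg:
                alerts.append(syslog_line(msg, now))
        return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it yields three alerts: the first SQLi event from the blacklisted 10.0.0.5, the XSS event from the non-blacklisted 172.16.0.9, and the SQLi event again once 400 seconds have passed; the repeat at 1010 and the non-IDS line are dropped. The mtime check matters for the same reason as in the Calendar rule: the blacklist is parsed once per change, not once per event. To ship the lines over the network, call `make_udp_sender(("syslog01", 514))` once and reuse the returned function.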
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users