Hi Risto

Thanks a lot for detailed explanation!

You are correct about aggregation, and your suggestion clarified all the
queries. (|) was a typo. I'll run the tests as suggested and will also
check on cspawn and udpsock. Thanks again for promising sec🙂

Regards,
Santhosh S

On Mon, May 13, 2019, 20:13 Risto Vaarandi <risto.vaara...@gmail.com> wrote:

> hi Santhosh,
>
> since you are using a SingleWithSuppress rule for aggregation, is my
> understanding correct that the term "aggregation" means generating a syslog
> message on the first matching event and suppressing the following matching
> events for 300 seconds? If so, you don't need the PairWithWindow rule
> but can accomplish your task with the SingleWithSuppress rule that you
> already have in your rulebase. All you need to do is to set up a file which
> contains the IP addresses of interest, and load it when SEC starts or when
> the file is updated. Here is a simple ruleset that implements this task:
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=load blacklist of bad IP addresses
> action=delete BADIP; create BADIP; \
>        lcall %o -> ( sub { $mtime = (stat("/tmp/badip.txt"))[9] } ); \
>        cspawn BadIp cat /tmp/badip.txt
>
> type=Calendar
> time=* * * * *
> context= -> ( sub { my($temp) = (stat("/tmp/badip.txt"))[9]; \
>                     if (!defined($temp)) { return 0; } \
>                     if (!defined($mtime) || $temp != $mtime) \
>                       { $mtime = $temp; return 1; } \
>                     return 0; } )
> desc=reload updated blacklist of bad IP addresses
> action=delete BADIP; create BADIP; cspawn BadIp cat /tmp/badip.txt
>
> type=Single
> ptype=RegExp
> pattern=^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$
> context=BadIp
> desc=set up a blacklist entry for IP address $1
> action=alias BADIP BADIP_$1
>
>
> Note that for reading the file with blacklist entries, I have used the
> 'cspawn' action, since it is more efficient and simpler than the combination
> of 'lcall' and 'cevent' in your ruleset.
> Also, I have included an additional Calendar rule which checks the blacklist
> file once a minute, and reloads the blacklist if the file modification time
> has changed (the modification time is memorized in the Perl global variable
> $mtime).
>
> Once the blacklist has been loaded, you could use the following
> SingleWithSuppress rules for reacting to the first IDS event which is observed
> for a specific combination of source IP address and attack name, and
> suppressing the following events for the same combination during 300 seconds:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=BADIP_$1
> desc=Security Alert $2 for blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=IDS.*src=([\d.]+).*attack_name=(\S+)
> context=!BADIP_$1
> desc=Security Alert $2 for non-blacklisted IP $1
> action=udpsock syslog01:514 <13>%.monstr %.mdaystr %.hmsstr myhost sec: %s
> window=300
>
> Note that the 'pipe' action in your rule example has invalid syntax, since
> there is no pipe (|) symbol between the event string and the external command
> line. Also, it is inefficient to fork a process each time an event needs to
> be sent to the central syslog server, and the 'udpsock' action is a much better
> alternative since it only sets up a single UDP socket for talking to the server
> (the documentation of the 'udpsock' action actually contains an example of
> communicating with a remote syslog server, and I have used it in the above
> rules).
>
> I hope that the above examples are helpful.
>
> kind regards,
> risto
>
> Contact Santhosh Kumar (<santhoshkmrre...@gmail.com>) wrote on
> Mon, 13 May 2019 at 13:56:
>
>> Hi Risto
>>
>> Greetings..!!
>>
>> I would like to get your suggestions on event correlation upon
>> aggregation. The rule below aggregates events with whitelisting criteria.
>>
>> ---------------------------------------------------------------------------
>> type=Single
>> ptype=RegExp
>> pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
>> desc=load blacklist
>> action=logonly; delete WL; create WL; \
>>         lcall %events -> (sub{scalar `cat /usr/local/bin/sec-rules/whitelist.txt`}); \
>>         cevent Whitelist 0 %events
>>
>> type=Single
>> ptype=RegExp
>> pattern=.
>> context=Whitelist
>> desc=create a whitelist entry
>> action=logonly; alias WL WL_$0
>>
>> type=SingleWithSuppress
>> ptype=regexp
>> context=!WL_$2
>> pattern=IDS.*dst=([\d\.]+).*attack_name=([\w\:\-\/\.\()\s]+)
>> desc=Suppressed $2 Security Alert towards $1
>> action= pipe '<5>$0' | nc syslog01 514
>> window=300
>> ---------------------------------------------------------------------------
>>
>> Now, will a "pairwithwindow" rule on top of this help me to achieve
>> correlation based on the Dst. IP ($1) field from IDS logs with Threat Intel
>> IPs (which are stored in a file)?
>>
>> Conditions to meet are,
>> Condition 1: Need to forward the Aggregated + Correlated log to the external
>> syslog server.
>> Condition 2: If the correlation does not match, just the aggregated log
>> should be forwarded to the external syslog server.
>>
>> Please suggest best practices.
>>
>> Regards,
>> Santhosh S
>>
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
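
The logic of Risto's ruleset above (blacklist loaded from a file and reloaded
when its mtime changes, then a SingleWithSuppress split on whether the source
IP is blacklisted, with the alert sent as an RFC 3164 syslog line), modelled in
Python as an added example. This is not SEC code and not part of the thread;
it exists so the suppression and reload behaviour can be run over constructed
IDS lines. The two regexes and the 300-second window are the ones from the
rules above; the names Blacklist, Suppressor, correlate, syslog_message and
demo, the sample events and the sample blacklist file are our own. It assumes
SingleWithSuppress starts the window at the first match and does not extend it
on suppressed matches, and it renders the timestamp in UTC with a space-padded
day where the udpsock action uses %.monstr %.mdaystr %.hmsstr.

```python
"""Added example (not SEC code, not from the thread): the blacklist-aware
SingleWithSuppress logic of the rules above, modelled in Python over constructed lines."""
import os
import re
import tempfile
from datetime import datetime, timezone

IDS_RE = re.compile(r"IDS.*src=([\d.]+).*attack_name=(\S+)")   # from the rules above
IP_LINE_RE = re.compile(r"^\s*((?:\d{1,3}\.){3}\d{1,3})\s*$")   # from the rules above
WINDOW = 300  # window=300 in both SingleWithSuppress rules


def parse_blacklist(text):
    """One dotted quad per line; other lines are ignored, as the context=BadIp rule does."""
    return {m.group(1) for m in map(IP_LINE_RE.match, text.splitlines()) if m}


class Blacklist:
    """Blacklist file reloaded only when its mtime changes (what the Calendar rule checks)."""

    def __init__(self, path):
        self.path, self.mtime, self.ips = path, None, set()
        self.reload_if_changed()  # the SEC_STARTUP load

    def reload_if_changed(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            return False  # file gone: keep the current list (Calendar context returns 0)
        if self.mtime is not None and mtime == self.mtime:
            return False
        self.mtime = mtime
        with open(self.path) as fh:
            self.ips = parse_blacklist(fh.read())  # delete BADIP; create BADIP; re-alias
        return True


class Suppressor:
    """SingleWithSuppress as we read it (assumption): the first event per key fires and
    starts the window; matches inside the window are dropped and do not extend it."""

    def __init__(self, window=WINDOW):
        self.window, self.first_seen = window, {}

    def fires(self, key, now):
        t0 = self.first_seen.get(key)
        if t0 is not None and now - t0 < self.window:
            return False
        self.first_seen[key] = now
        return True


def syslog_message(desc, now, host="myhost", tag="sec", pri=13):
    """RFC 3164-shaped line like the udpsock action sends (<PRI>Mmm dd hh:mm:ss host tag: msg).
    UTC and the space-padded day are our choices; a real sender uses local time."""
    dt = datetime.fromtimestamp(now, timezone.utc)
    return f"<{pri}>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} {host} {tag}: {desc}"


def correlate(events, blacklist, suppressor):
    """Apply both SingleWithSuppress rules to (epoch_seconds, line) pairs; return messages."""
    out = []
    for now, line in events:
        m = IDS_RE.search(line)
        if not m:
            continue  # not an IDS event, neither rule matches
        src, attack = m.groups()
        listed = src in blacklist.ips
        desc = f"Security Alert {attack} for {'' if listed else 'non-'}blacklisted IP {src}"
        # Each rule keeps its own operation per desc, so the key includes which rule matched.
        if suppressor.fires((listed, src, attack), now):
            out.append(syslog_message(desc, now))
    return out


SAMPLE_EVENTS = [  # constructed input; times chosen to hit the 300 s window boundary
    (1000, "IDS: src=10.1.1.5 dst=192.0.2.10 attack_name=SQL_Injection"),      # fires
    (1010, "IDS: src=10.1.1.5 dst=192.0.2.10 attack_name=SQL_Injection"),      # suppressed
    (1020, "IDS: src=10.1.1.5 dst=192.0.2.10 attack_name=XSS"),                # new $2, fires
    (1030, "IDS: src=198.51.100.7 dst=192.0.2.10 attack_name=SQL_Injection"),  # not listed, fires
    (1040, "sshd: Accepted publickey for root from 10.1.1.5"),                 # not an IDS line
    (1300, "IDS: src=10.1.1.5 dst=192.0.2.10 attack_name=SQL_Injection"),      # window over, fires
]


def demo():
    """Load a constructed blacklist from a temp file, run SAMPLE_EVENTS, then rewrite the
    file and trigger the mtime-driven reload. Returns (messages, reloaded, ips)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "badip.txt")
        with open(path, "w") as fh:
            fh.write("10.1.1.5\n# not an address, ignored\n 203.0.113.9 \n")
        bl = Blacklist(path)
        msgs = correlate(SAMPLE_EVENTS, bl, Suppressor())
        with open(path, "w") as fh:
            fh.write("198.51.100.7\n")
        os.utime(path, (bl.mtime + 60,) * 2)  # visible even on 1 s mtime filesystems
        return msgs, bl.reload_if_changed(), set(bl.ips)
```

Running demo() emits four messages: the first SQL_Injection event from the
blacklisted 10.1.1.5, the XSS event from the same host (a different $2, so a
separate operation), the SQL_Injection event from the non-blacklisted
198.51.100.7, and the 10.1.1.5 SQL_Injection event 300 seconds after the
first one, when the window has expired; the event at 1010 is dropped. The
reload step shows why the Calendar rule compares mtimes rather than rereading
every minute: only a changed file triggers delete/create/re-alias. One
practical caveat visible in the model is that a reload mid-window moves an IP
from one rule's operation to the other's, so the first event after the reload
fires again even if the same (src, attack) pair was suppressed a moment
earlier.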
