Hello Risto

I've been running tests on SEC for a while and am stuck on the points below. I'm
not familiar with Perl, though I tried to find a solution in the SEC mail
archive, but with no luck. Please suggest whether this can be achieved with high
performance.



   1. I could see log drops when I tested with an event rate of 15000
   logs/sec, using a simple SEC rule to receive and forward all the logs to a
   destination. The output shows a relatively smaller number of logs. This also
   increases the CPU usage from 0.3% to 45%.

************************

Type=single
Ptype=regexp
Pattern=([.\d]+)
Desc=$1
Action=pipe $0 nc syslog101 514

************************



   2. In a different scenario, I was interested in matching logs against a list
   of IOCs. Here I was trying to mail the detected log along with the IOC name. I
   could achieve it to a certain level, as in the example below, but had no luck
   with this case: "Split the IPs from the IOC file and use them in the "pattern"
   to match IPs from logs".

************************

IOC_data_proposal.txt

187.163.222.244:465 - emotet
187.189.195.208:8443 - emotet
188.166.253.46:8080 - emotet
189.209.217.49:80  - heartbleed

************************

Please check and share some insights.





E.g.: I currently tested the case below and it is working fine, as this is a
straightforward IOC match.

************************

# Current rule set for matching IOCs:

# On SEC startup/restart, re-create the IOC context and feed every line of
# the IOC file back into SEC as a synthetic event under context IOC_IP.
type=Single
ptype=RegExp
pattern=(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)
desc=load IOC data
action=logonly; delete IOC; create IOC; \
       lcall %iocevents -> ( sub { scalar `cat /usr/local/bin/sec-rules/ioc_data.txt` } ); \
       cevent IOC_IP 0 %iocevents

# One synthetic event per IOC line: make IOC_<ip> an alias of the IOC
# context, so that "context=IOC_<ip>" below is true only for listed IPs.
type=Single
ptype=RegExp
pattern=.
context=IOC_IP
desc=create an entry
action=logonly; alias IOC IOC_$0

# $1 is the hostname, $2 the IP; the rule fires only if IOC_$2 exists.
type=Single
ptype=RegExp
pattern=syslog.*hostname=([\w\-]+).*IP=([\d.]+)
context=IOC_$2
desc=Matched host & ip: $1 && $2
action=pipe '$0' mail -s '%s' 'test123.gmail.com'

IOC_data.txt

187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49
187.163.222.244
187.189.195.208
188.166.253.46
189.209.217.49

************************



Regards,

san
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
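Editor's note with an added example for both questions in the post above. The rule set below is mine, not the poster's and not from the SEC distribution. It assumes SEC 2.7 or later (the udpsock action and the `lcall %var -> ( sub {...} )` form), that SEC is started with --intevents, that the IOC file uses the "ip:port - name" layout of IOC_data_proposal.txt and lives at the assumed path /usr/local/bin/sec-rules/IOC_data_proposal.txt, and that soc@example.com is a placeholder mailbox. The performance point in rule (1): the posted forwarding rule starts a shell and an nc process for every event, so 15000 events/s means 15000 forks/s, which is where the CPU load and the drops come from. The IOC point in rules (2) and (3): the IP and IOC name are parsed once into a Perl hash, and the log rule does a hash lookup instead of keeping one context per IP.

```sec
# Added example (editor's rules, not the poster's and not from SEC itself).
# Assumptions: SEC 2.7+, started with --intevents; IOC file in the
# "ip:port - name" layout of IOC_data_proposal.txt; placeholder mailbox.

# (1) Forward every line without a fork per event. pipe/shellcmd start a
#     shell plus nc for each event; udpsock writes to a UDP socket that SEC
#     keeps open. tcpsock exists too, but with a stream transport the
#     receiver must frame messages, so check what syslog101 expects first.
type=Single
ptype=TValue
pattern=TRUE
desc=forward every line to syslog101
action=udpsock syslog101:514 $0

# (2) Load the IOC list into a Perl hash keyed by IP at startup and on
#     restart. SEC_STARTUP/SEC_RESTART/SEC_SOFTRESTART are SEC's own
#     synthetic events (only generated with --intevents); the context
#     SEC_INTERNAL_EVENT is active while they are processed, so a log line
#     that merely contains "SEC_RESTART" cannot trigger a reload. The Perl
#     in the action carries no '#' comments on purpose: SEC joins the
#     continued lines into one, so a '#' would swallow the rest.
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=load IOC data
action=lcall %n -> ( sub { \
         my ($fh, $n) = (undef, 0); \
         %main::ioc = (); \
         open($fh, "<", "/usr/local/bin/sec-rules/IOC_data_proposal.txt") or return 0; \
         while (my $line = <$fh>) { \
           if ($line =~ /^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*-\s*(\S.*?)\s*$/) { \
             $main::ioc{$1} = "$3 (port $2)"; \
             $n++; \
           } \
         } \
         close($fh); \
         return $n; } ); \
       logonly loaded %n IOC entries

# (3) Pull hostname and IP out of the log line and look the IP up in the
#     hash. The function returns 0 for no match; on a hit the returned list
#     becomes $1 (host), $2 (IP) and $3 (IOC name) for desc and action.
#     SingleWithSuppress mails once per host+IP+IOC per hour rather than
#     once per log line, so a noisy host cannot turn into a mail storm.
type=SingleWithSuppress
ptype=PerlFunc
pattern=sub { my ($line) = @_; \
         my ($host, $ip) = $line =~ /hostname=([\w\-]+).*?IP=(\d{1,3}(?:\.\d{1,3}){3})/ or return 0; \
         return 0 unless exists $main::ioc{$ip}; \
         return ($host, $ip, $main::ioc{$ip}); }
desc=IOC hit on $1: $2 is $3
action=pipe '$0' mail -s '%s' 'soc@example.com'
window=3600
```

Start SEC with --intevents so that rule (2) sees SEC_STARTUP; afterwards a `kill -HUP` of the SEC process triggers SEC_RESTART and re-reads the IOC file without editing the rules. The hash lives in the main package (%main::ioc) because each pattern= and lcall is compiled separately, so a `my` variable in one rule is not visible in another. The mail action in rule (3) still forks once per alert, which is fine for rare hits but would bring the fork problem of question 1 back if hits were frequent; the suppression window is what keeps it rare.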
