hi all,

this email provides an introduction to new features in the 2.9.1 version.

Starting from the 2.9.0 version (released last year), EventGroup rules have
supported event group patterns, which allow for matching specific event
sequences within predefined time windows. For example, suppose you want to
match a sequence of events A and B within the window of 60 seconds,
provided that this sequence ends with subsequence A B A. In order to
accomplish this, you could use the 'egpattern' field together with
EventGroup2 rule:

type=EventGroup2
ptype=SubStr
pattern=EVENT_A
ptype2=SubStr
pattern2=EVENT_B
desc=Sequence of A and B that ends with A B A
action=write - %s
egptype=RegExp
egpattern=1 2 1$
window=60

In the above rule, the 'egpattern' field ensures that the last three events
in the event sequence were matched by the 1st, 2nd, and 1st regular
expression pattern respectively.

Starting from SEC-2.9.1, one is no longer limited to numeric tokens that
indicate the matching pattern (for example, tokens 1 and 2 like in the
above rule), but it is possible to define custom tokens. This allows for
implementing useful event correlation schemes, even for EventGroup rules
involving a single event pattern. For example, consider the following rule:

type=EventGroup
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2
desc=SSH login failures from three different hosts within 1m for user $1
egtoken=$2
egptype=PerlFunc
egpattern=sub { my(%hosts) = map { $_ => 1 } @{$_[1]}; \
                return scalar(keys %hosts) >= 3; }
action=pipe '%t: %s' /bin/mail root@localhost
window=60
thresh=3

The above rule sends an email to root@localhost if at least three SSH login
failures were observed within 60 seconds for the same user account, such that
the login failures originated from three unique client hosts. In this rule, the
'egtoken' field configures the use of client host IP addresses as tokens.
Also, the 'egpattern' field is a Perl function which takes the list of
tokens as its second input parameter ($_[1]), making sure that the list
contains at least three unique elements (IP addresses).

The above task can be accomplished with the help of contexts (e.g., this
paper https://ristov.github.io/publications/cogsima15-sec-web.pdf describes
one rule example), but the new features offer an opportunity for writing
more compact solutions.

Hopefully the rule examples from this email provided some insight into how to
use the new features and what tasks they allow one to address.

kind regards,
risto
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
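As an added illustration of the two rules in the email above (this is not part of the message and not SEC's own code), the following Python model replays constructed events through a simplified EventGroup operation: the first rule's numeric tokens are joined with spaces and checked against 'egpattern=1 2 1$', and the second rule's client IP tokens are checked for three unique values per user within a 60-second window. The window, threshold and reset semantics, the space-joined token string for egptype=RegExp, and the sample sshd lines are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple


def regexp_egpattern(egpattern: str) -> Callable[[List[str]], bool]:
    """egptype=RegExp model: tokens are joined with single spaces and the
    regular expression is searched in that string (assumed SEC behaviour)."""
    rx = re.compile(egpattern)
    return lambda tokens: rx.search(" ".join(tokens)) is not None


def unique_hosts_egpattern(tokens: List[str]) -> bool:
    """Python counterpart of the email's PerlFunc egpattern: the token list
    (client IP addresses) must contain at least three distinct values."""
    return len(set(tokens)) >= 3


class EventGroup:
    """Simplified model of one EventGroup rule with a correlation operation
    per key (assumed semantics, not SEC's implementation): the window opens
    with the first matching event for a key, the group is dropped once the
    window has expired, and the action fires as soon as 'thresh' events were
    seen and egpattern holds, after which the group is reset."""

    def __init__(self, patterns, key_fn, token_fn, predicate, window, thresh=1):
        self.patterns = [re.compile(p) for p in patterns]
        self.key_fn = key_fn        # (pattern_no, match) -> correlation key ($1 in desc)
        self.token_fn = token_fn    # (pattern_no, match) -> egtoken value
        self.predicate = predicate  # egpattern check over the group's token list
        self.window = window
        self.thresh = thresh
        self.groups: Dict[str, dict] = {}

    def feed(self, ts: int, line: str) -> Optional[str]:
        """Process one event; return the correlation key when the action fires."""
        for no, rx in enumerate(self.patterns, start=1):
            match = rx.search(line)
            if match:
                break
        else:
            return None
        key = self.key_fn(no, match)
        group = self.groups.get(key)
        if group is None or ts - group["start"] > self.window:
            group = {"start": ts, "tokens": []}   # open a fresh window for this key
            self.groups[key] = group
        group["tokens"].append(self.token_fn(no, match))
        if len(group["tokens"]) >= self.thresh and self.predicate(group["tokens"]):
            del self.groups[key]                   # operation ends after the action
            return key
        return None


# Constructed events for the EventGroup2 rule: tokens are the pattern numbers.
SEQUENCE_EVENTS = [(0, "EVENT_A"), (10, "EVENT_B"), (20, "EVENT_B"),
                   (30, "EVENT_A"), (40, "EVENT_B"), (50, "EVENT_A")]

# Constructed sshd lines for the second rule: tokens are client IPs ($2).
SSH_EVENTS = [
    (100, "sshd[1234]: Failed password for alice from 10.0.0.1 port 40000 ssh2"),
    (110, "sshd[1235]: Failed password for alice from 10.0.0.2 port 40001 ssh2"),
    (115, "sshd[1236]: Failed password for bob from 10.0.0.9 port 40002 ssh2"),
    (120, "sshd[1237]: Failed password for bob from 10.0.0.9 port 40003 ssh2"),
    (125, "sshd[1238]: Failed password for bob from 10.0.0.9 port 40004 ssh2"),
    (130, "sshd[1239]: Failed password for alice from 10.0.0.3 port 40005 ssh2"),
    (300, "sshd[1240]: Failed password for alice from 10.0.0.4 port 40006 ssh2"),
]

SSHD_PATTERN = r"sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2"


def run_sequence_demo() -> List[int]:
    """Timestamps at which 'egpattern=1 2 1$' fires for the A/B event stream."""
    rule = EventGroup(patterns=[r"EVENT_A", r"EVENT_B"],
                      key_fn=lambda no, m: "sequence",
                      token_fn=lambda no, m: str(no),
                      predicate=regexp_egpattern(r"1 2 1$"),
                      window=60)
    return [ts for ts, line in SEQUENCE_EVENTS if rule.feed(ts, line)]


def run_ssh_demo() -> List[Tuple[int, str]]:
    """(timestamp, user) pairs for which the SSH rule would mail root."""
    rule = EventGroup(patterns=[SSHD_PATTERN],
                      key_fn=lambda no, m: m.group(1),
                      token_fn=lambda no, m: m.group(2),
                      predicate=unique_hosts_egpattern,
                      window=60, thresh=3)
    alerts = []
    for ts, line in SSH_EVENTS:
        user = rule.feed(ts, line)
        if user:
            alerts.append((ts, user))
    return alerts


if __name__ == "__main__":
    print(run_sequence_demo())  # [50]
    print(run_ssh_demo())       # [(130, 'alice')]
```

In the first stream the token string only ends with "1 2 1" at the sixth event, so the action fires once at ts=50; in the second stream bob's three failures come from a single host and never satisfy the predicate, while alice's third distinct host at ts=130 fires the action, and her later failure at ts=300 falls outside the window and starts a new group.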
