Simple Event Correlator

> Greetings:
> 

hi Peter,

the rule for counting that you have written seems to be correct - I just tested it and it works without problems when I give SEC the sample input lines that you have posted.

I am suspecting that the rule does not work because of the preceding rules - if there happen to be rules before the counting rule that have the same regular expression for the 'pattern' parameter, and the rules don't have the 'continue' parameter set to TakeNext, then the input lines never reach the counting rule. So please review the preceding rules, whether there are any rules among them that could possibly shadow the counting rule.

You can see what exactly is going on by sending SIGUSR1 to the SEC process - the /tmp/sec.dump file will contain a detailed information about which event correlation processes are active, how many lines each rule has matched, etc.

For example, here is a slice from /tmp/sec.dump that was generated when I tested your rule:

Content of input buffer:
------------------------------------------------------------
...
Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
(24.229.113.135[24.229.113.135]) - FTP session opened.
Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net (24.229.113.135[24.229.113.
135]) - FTP session opened.
Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net (24.229.113.135[24.229.113.
135]) - no such user 'dni'
Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=unknown ; PWD=/root
 ; USER=root ; COMMAND=/hsphere/shared/scripts/server_info.sh
Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net (24.229.113.135[24.229.113.
135]) - no such user 'dni'
------------------------------------------------------------

Pending events that are generated by rules:
------------------------------------------------------------
------------------------------------------------------------

List of active event correlation operations:
============================================================
Key:                            test.peter | 0 | Brute force FTP from 24.229.113
.135
Start of correlation operation: Wed Dec 24 18:01:39 2003
Configuration file:             test.peter
Rule number:                    1
Rule internal ID:               0
Type:                           SingleWithThreshold
Behaviour after match:          take next
Pattern:                        regexp for 1 line(s): (?-xism:\S+\s+\S+\s+\S+\s+
\S+\s+proftpd\S+\s+(\S+)\s+\((\S+)\[\S+\s+\S+\s+no\s+such\s+user\s+(\S+))
Context:
Event:                          Brute force FTP from 24.229.113.135
Action:                         shellcmd /admin/sec/sec_block.pl 24.229.113.135
/var/log/blocks/ftp.log "Unknown user #3 at IP 24.229.113.135 tried to FTP to we
b.dynamicnet.net";
Window:                         720 seconds
Threshold:                      3
2 events observed at:
Wed Dec 24 18:01:39 2003
Wed Dec 24 18:03:08 2003

------------------------------------------------------------
Total: 1 elements


The dump shows that the counting rule has matched both 'no such user' events that are present in input, and is waiting for the third one.

hth,
risto



> We are currently using a home grown perl script to check for unknown users 
> in /var/log/secure, and after a threshold block the IP in our firewall.
> 
> We are trying to convert the system to SEC rules, but I'm having trouble 
> getting it to work.
> 
> Here is the configuration file I'm using:
> 
> # ftp monitor for brute force attacks
> # -------------------------------------------------------
> #
> # /var/log/messages for input
> #
> type=SingleWithThreshold
> ptype=RegExp
> pattern= 
> S+s+S+s+S+s+S+s+proftpdS+s+(S+)s+((S+)[S+s+S+s+nos+suchs+us
> ers+(S+)
> desc=Brute force FTP from $2
> action=shellcmd /admin/sec/sec_block.pl $2 /var/log/blocks/ftp.log "Unknown 
> user #3 at IP $2 tried to FTP to $1"
> thresh=3
> window=720
> 
> 
> 	NOTE:  When I set it to Single and remove thresh=3 and window=720, it 
> works; so the pattern has been tested.
> 
> /var/log/messages during FTP test:
> 
> Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - FTP session opened.
> Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=unknown ; 
> PWD=/root ; USER=root ; COMMAND=/hsphere/shared/scripts/server_info.sh
> Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:24:48 web last message repeated 2 times
> Dec 24 09:25:00 web kernel: auditIN=eth0 OUT= 
> MAC=00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=66.187.135.7 
> DST=66.187.135.5 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25255 DF PROTO=TCP 
> SPT=55043 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
> Dec 24 09:25:00 web kernel: PUB_IN DROP 5 IN=eth0 OUT= 
> MAC=00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=66.187.135.7 
> DST=66.187.135.5 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25255 DF PROTO=TCP 
> SPT=55043 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - FTP session closed.
> 
> If you pull out
> 
> Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - FTP session opened.
> Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:24:48 web last message repeated 2 times
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - no such user 'dni'
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - FTP session closed.
> 
> You have 3+ failures; yet sec didn't see it as such.
> 
> 
> 	NOTE:  /var/log/secure is not much better with
> 
> Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - USER dni: no such user found from 
> 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> Dec 24 09:24:48 web last message repeated 3 times
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - USER dni: no such user found from 
> 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net 
> (24.229.113.135[24.229.113.135]) - Maximum login attempts (5) exceeded
> 
> (Yes, the pattern for /var/log/secure would be different and is 
> S+s+S+s+S+s+S+s+S+s+(S+)s+S+s+S+s+USERs+(S+)s+S+s+S+s+S+
> s+S+s+S+s+(S+)s+S+s+tos+(S+) 
> for those that care with $1 being the FTP server, $2 the user, $3 the IP 
> brute forcing, and $4 the destination IP and port).
> 
> I thought of trying to come up with a context of open, count, then closed, 
> yet you have cases like the following:
> 
> Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - FTP session opened.
> Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - FTP session closed.
> Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - FTP session opened.
> Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> Dec 24 09:09:30 web proftpd[31749]: web.dynamicnet.net 
> (213.42.2.9[213.42.2.9]) - FTP session closed.
> 
> Where from my perspective, that's two tries, and not one within each session.
> 
> With all of the above said, how can I truly count just the "no such user" 
> messages within a time period from a given IP without concern over the 
> before and after messages (I'm not sure how to use suppress)?
> 
> Thank you.
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee

Greetings Risto Vaarandi:


Thank you for answering so promptly.

1.      I'm not sure what you mean by preceding rules; I'm only running the=
=20
one conf file exactly as posted.

2.      There are three events; so why is it still waiting for the 3rd=
 event?

Thank you.

At 11:16 AM 12/24/2003, you wrote:
> > Greetings:
> >
>
>hi Peter,
>
>the rule for counting that you have written seems to be correct - I just=20
>tested it and it works without problems when I give SEC the sample input=20
>lines that you have posted.
>
>I am suspecting that the rule does not work because of the preceding rules=
=20
>- if there happen to be rules before the counting rule that have the same=
=20
>regular expression for the 'pattern' parameter, and the rules don't have=20
>the 'continue' parameter set to TakeNext, then the input lines never reach=
=20
>the counting rule. So please review the preceding rules, whether there are=
=20
>any rules among them that could possibly shadow the counting rule.
>
>You can see what exactly is going on by sending SIGUSR1 to the SEC process=
=20
>- the /tmp/sec.dump file will contain a detailed information about which=20
>event correlation processes are active, how many lines each rule has=20
>matched, etc.
>
>For example, here is a slice from /tmp/sec.dump that was generated when I=
=20
>tested your rule:
>
>Content of input buffer:
>------------------------------------------------------------
>...
>Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
>(24.229.113.135[24.229.113.135]) - FTP session opened.
>Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net=20
>(24.229.113.135[24.229.113.
>135]) - FTP session opened.
>Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net=20
>(24.229.113.135[24.229.113.
>135]) - no such user 'dni'
>Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=3Dunknown ;=20
>PWD=3D/root
>  ; USER=3Droot ; COMMAND=3D/hsphere/shared/scripts/server_info.sh
>Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net=20
>(24.229.113.135[24.229.113.
>135]) - no such user 'dni'
>------------------------------------------------------------
>
>Pending events that are generated by rules:
>------------------------------------------------------------
>------------------------------------------------------------
>
>List of active event correlation operations:
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>Key:                            test.peter | 0 | Brute force FTP from=20
>24.229.113
>.135
>Start of correlation operation: Wed Dec 24 18:01:39 2003
>Configuration file:             test.peter
>Rule number:                    1
>Rule internal ID:               0
>Type:                           SingleWithThreshold
>Behaviour after match:          take next
>Pattern:                        regexp for 1 line(s):=20
>(?-xism:\S+\s+\S+\s+\S+\s+
>\S+\s+proftpd\S+\s+(\S+)\s+\((\S+)\[\S+\s+\S+\s+no\s+such\s+user\s+(\S+))
>Context:
>Event:                          Brute force FTP from 24.229.113.135
>Action:                         shellcmd /admin/sec/sec_block.pl=20
>24.229.113.135
>/var/log/blocks/ftp.log "Unknown user #3 at IP 24.229.113.135 tried to FTP=
=20
>to we
>b.dynamicnet.net";
>Window:                         720 seconds
>Threshold:                      3
>2 events observed at:
>Wed Dec 24 18:01:39 2003
>Wed Dec 24 18:03:08 2003
>
>------------------------------------------------------------
>Total: 1 elements
>
>
>The dump shows that the counting rule has matched both 'no such user'=20
>events that are present in input, and is waiting for the third one.
>
>hth,
>risto
>
>
>
> > We are currently using a home grown perl script to check for unknown=
 users
> > in /var/log/secure, and after a threshold block the IP in our firewall.
> >
> > We are trying to convert the system to SEC rules, but I'm having trouble
> > getting it to work.
> >
> > Here is the configuration file I'm using:
> >
> > # ftp monitor for brute force attacks
> > # -------------------------------------------------------
> > #
> > # /var/log/messages for input
> > #
> > type=3DSingleWithThreshold
> > ptype=3DRegExp
> > pattern=3D
> > S+s+S+s+S+s+S+s+proftpdS+s+(S+)s+((S+)[S+s+S+s+nos+suchs+us
> > ers+(S+)
> > desc=3DBrute force FTP from $2
> > action=3Dshellcmd /admin/sec/sec_block.pl $2 /var/log/blocks/ftp.log=20
> "Unknown
> > user #3 at IP $2 tried to FTP to $1"
> > thresh=3D3
> > window=3D720
> >
> >
> >       NOTE:  When I set it to Single and remove thresh=3D3 and=20
> window=3D720, it
> > works; so the pattern has been tested.
> >
> > /var/log/messages during FTP test:
> >
> > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - FTP session opened.
> > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=3Dunknown ;
> > PWD=3D/root ; USER=3Droot ;=
 COMMAND=3D/hsphere/shared/scripts/server_info.sh
> > Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:24:48 web last message repeated 2 times
> > Dec 24 09:25:00 web kernel: auditIN=3Deth0 OUT=3D
> > MAC=3D00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=3D66.187.135.7
> > DST=3D66.187.135.5 LEN=3D44 TOS=3D0x00 PREC=3D0x00 TTL=3D64 ID=3D25255=
 DF PROTO=3DTCP
> > SPT=3D55043 DPT=3D110 WINDOW=3D5840 RES=3D0x00 SYN URGP=3D0
> > Dec 24 09:25:00 web kernel: PUB_IN DROP 5 IN=3Deth0 OUT=3D
> > MAC=3D00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=3D66.187.135.7
> > DST=3D66.187.135.5 LEN=3D44 TOS=3D0x00 PREC=3D0x00 TTL=3D64 ID=3D25255=
 DF PROTO=3DTCP
> > SPT=3D55043 DPT=3D110 WINDOW=3D5840 RES=3D0x00 SYN URGP=3D0
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - FTP session closed.
> >
> > If you pull out
> >
> > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - FTP session opened.
> > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:24:48 web last message repeated 2 times
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - FTP session closed.
> >
> > You have 3+ failures; yet sec didn't see it as such.
> >
> >
> >       NOTE:  /var/log/secure is not much better with
> >
> > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - USER dni: no such user found from
> > 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> > Dec 24 09:24:48 web last message repeated 3 times
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - USER dni: no such user found from
> > 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > (24.229.113.135[24.229.113.135]) - Maximum login attempts (5) exceeded
> >
> > (Yes, the pattern for /var/log/secure would be different and is
> > S+s+S+s+S+s+S+s+S+s+(S+)s+S+s+S+s+USERs+(S+)s+S+s+S+s+S+
> > s+S+s+S+s+(S+)s+S+s+tos+(S+)
> > for those that care with $1 being the FTP server, $2 the user, $3 the IP
> > brute forcing, and $4 the destination IP and port).
> >
> > I thought of trying to come up with a context of open, count, then=
 closed,
> > yet you have cases like the following:
> >
> > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - FTP session opened.
> > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - FTP session closed.
> > Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - FTP session opened.
> > Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> > Dec 24 09:09:30 web proftpd[31749]: web.dynamicnet.net
> > (213.42.2.9[213.42.2.9]) - FTP session closed.
> >
> > Where from my perspective, that's two tries, and not one within each=20
> session.
> >
> > With all of the above said, how can I truly count just the "no such=
 user"
> > messages within a time period from a given IP without concern over the
> > before and after messages (I'm not sure how to use suppress)?
> >
> > Thank you.
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IBM Linux Tutorials.
> > Become an expert in LINUX or just sharpen your skills.  Sign up for=
 IBM's
> > Free Linux Tutorials.  Learn everything from the bash shell to sys=
 admin.
> > Click now! http://ads.osdn.com/?ad_id=3D1278&alloc_id=3D3371&op=3Dclick
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@...
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >
>
>-----------------------------------------
>Hot Mobiil - helinad, logod ja pilts=F5numid!
>http://portal.hot.ee

> Greetings Risto Vaarandi:
> 
> 
> Thank you for answering so promptly.
> 
> 1.      I'm not sure what you mean by preceding rules; I'm only running the>  
> one conf file exactly as posted.

by preceding rules I meant whether there are any other rules in that configuration file, and whether they come before the counting rule.
If this is not the case, then try to test SEC interactively by feeding it relevant events one at a time; after feeding each event send the SEC process the SIGUSR1 signal and check whether the counting operation was started or not.

> 
> 2.      There are three events; so why is it still waiting for the 3rd>  event?

I generated the dump at the moment when SEC had seen just 2 macthing events, in order to see whether a counting operation was started. After seeing the 3rd event, SEC executed the action as it should have done. So the dump that I posted was just for illustrating how a dump file would look like and what kind of information you can get from there.

br,
risto

> 
> Thank you.
> 
> At 11:16 AM 12/24/2003, you wrote:
> > > Greetings:
> > >
> >
> >hi Peter,
> >
> >the rule for counting that you have written seems to be correct - I just 
> >tested it and it works without problems when I give SEC the sample input 
> >lines that you have posted.
> >
> >I am suspecting that the rule does not work because of the preceding rules>  
> >- if there happen to be rules before the counting rule that have the same>  
> >regular expression for the 'pattern' parameter, and the rules don't have 
> >the 'continue' parameter set to TakeNext, then the input lines never reach>  
> >the counting rule. So please review the preceding rules, whether there are>  
> >any rules among them that could possibly shadow the counting rule.
> >
> >You can see what exactly is going on by sending SIGUSR1 to the SEC process>  
> >- the /tmp/sec.dump file will contain a detailed information about which 
> >event correlation processes are active, how many lines each rule has 
> >matched, etc.
> >
> >For example, here is a slice from /tmp/sec.dump that was generated when I>  
> >tested your rule:
> >
> >Content of input buffer:
> >------------------------------------------------------------
> >...
> >Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> >(24.229.113.135[24.229.113.135]) - FTP session opened.
> >Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> >(24.229.113.135[24.229.113.
> >135]) - FTP session opened.
> >Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net 
> >(24.229.113.135[24.229.113.
> >135]) - no such user 'dni'
> >Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=unknown ; 
> >PWD=/root
> >  ; USER=root ; COMMAND=/hsphere/shared/scripts/server_info.sh
> >Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net 
> >(24.229.113.135[24.229.113.
> >135]) - no such user 'dni'
> >------------------------------------------------------------
> >
> >Pending events that are generated by rules:
> >------------------------------------------------------------
> >------------------------------------------------------------
> >
> >List of active event correlation operations:
> >=========================> =========================> ==========
> >Key:                            test.peter | 0 | Brute force FTP from 
> >24.229.113
> >.135
> >Start of correlation operation: Wed Dec 24 18:01:39 2003
> >Configuration file:             test.peter
> >Rule number:                    1
> >Rule internal ID:               0
> >Type:                           SingleWithThreshold
> >Behaviour after match:          take next
> >Pattern:                        regexp for 1 line(s): 
> >(?-xism:S+s+S+s+S+s+
> >S+s+proftpdS+s+(S+)s+((S+)[S+s+S+s+nos+suchs+users+(S+))
> >Context:
> >Event:                          Brute force FTP from 24.229.113.135
> >Action:                         shellcmd /admin/sec/sec_block.pl 
> >24.229.113.135
> >/var/log/blocks/ftp.log "Unknown user #3 at IP 24.229.113.135 tried to FTP>  
> >to we
> >b.dynamicnet.net";
> >Window:                         720 seconds
> >Threshold:                      3
> >2 events observed at:
> >Wed Dec 24 18:01:39 2003
> >Wed Dec 24 18:03:08 2003
> >
> >------------------------------------------------------------
> >Total: 1 elements
> >
> >
> >The dump shows that the counting rule has matched both 'no such user' 
> >events that are present in input, and is waiting for the third one.
> >
> >hth,
> >risto
> >
> >
> >
> > > We are currently using a home grown perl script to check for unknown>  users
> > > in /var/log/secure, and after a threshold block the IP in our firewall.
> > >
> > > We are trying to convert the system to SEC rules, but I'm having trouble
> > > getting it to work.
> > >
> > > Here is the configuration file I'm using:
> > >
> > > # ftp monitor for brute force attacks
> > > # -------------------------------------------------------
> > > #
> > > # /var/log/messages for input
> > > #
> > > type=SingleWithThreshold
> > > ptype=RegExp
> > > pattern=
> > > S+s+S+s+S+s+S+s+proftpdS+s+(S+)s+((S+)[S+s+S+s+nos+suchs+us
> > > ers+(S+)
> > > desc=Brute force FTP from $2
> > > action=shellcmd /admin/sec/sec_block.pl $2 /var/log/blocks/ftp.log 
> > "Unknown
> > > user #3 at IP $2 tried to FTP to $1"
> > > thresh=3
> > > window=720
> > >
> > >
> > >       NOTE:  When I set it to Single and remove thresh=3 and 
> > window=720, it
> > > works; so the pattern has been tested.
> > >
> > > /var/log/messages during FTP test:
> > >
> > > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - FTP session opened.
> > > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:24:21 web /hsphere/shared/bin/sudo:     root : TTY=unknown ;
> > > PWD=/root ; USER=root ;>  COMMAND=/hsphere/shared/scripts/server_info.sh
> > > Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:24:48 web last message repeated 2 times
> > > Dec 24 09:25:00 web kernel: auditIN=eth0 OUT=
> > > MAC=00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=66.187.135.7
> > > DST=66.187.135.5 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25255>  DF PROTO=TCP
> > > SPT=55043 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
> > > Dec 24 09:25:00 web kernel: PUB_IN DROP 5 IN=eth0 OUT=
> > > MAC=00:08:02:f0:58:6a:00:08:02:f0:60:57:08:00 SRC=66.187.135.7
> > > DST=66.187.135.5 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25255>  DF PROTO=TCP
> > > SPT=55043 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - FTP session closed.
> > >
> > > If you pull out
> > >
> > > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - FTP session opened.
> > > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:24:29 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:24:48 web last message repeated 2 times
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - no such user 'dni'
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - FTP session closed.
> > >
> > > You have 3+ failures; yet sec didn't see it as such.
> > >
> > >
> > >       NOTE:  /var/log/secure is not much better with
> > >
> > > Dec 24 09:24:13 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - USER dni: no such user found from
> > > 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> > > Dec 24 09:24:48 web last message repeated 3 times
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - USER dni: no such user found from
> > > 24.229.113.135 [24.229.113.135] to 66.187.135.5:21
> > > Dec 24 09:25:10 web proftpd[316]: web.dynamicnet.net
> > > (24.229.113.135[24.229.113.135]) - Maximum login attempts (5) exceeded
> > >
> > > (Yes, the pattern for /var/log/secure would be different and is
> > > S+s+S+s+S+s+S+s+S+s+(S+)s+S+s+S+s+USERs+(S+)s+S+s+S+s+S+
> > > s+S+s+S+s+(S+)s+S+s+tos+(S+)
> > > for those that care with $1 being the FTP server, $2 the user, $3 the IP
> > > brute forcing, and $4 the destination IP and port).
> > >
> > > I thought of trying to come up with a context of open, count, then>  closed,
> > > yet you have cases like the following:
> > >
> > > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - FTP session opened.
> > > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> > > Dec 24 09:09:11 web proftpd[31724]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - FTP session closed.
> > > Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - FTP session opened.
> > > Dec 24 09:09:29 web proftpd[31749]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - no such user 'anonymous'
> > > Dec 24 09:09:30 web proftpd[31749]: web.dynamicnet.net
> > > (213.42.2.9[213.42.2.9]) - FTP session closed.
> > >
> > > Where from my perspective, that's two tries, and not one within each 
> > session.
> > >
> > > With all of the above said, how can I truly count just the "no such>  user"
> > > messages within a time period from a given IP without concern over the
> > > before and after messages (I'm not sure how to use suppress)?
> > >
> > > Thank you.
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: IBM Linux Tutorials.
> > > Become an expert in LINUX or just sharpen your skills.  Sign up for>  IBM's
> > > Free Linux Tutorials.  Learn everything from the bash shell to sys>  admin.
> > > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> > > _______________________________________________
> > > Simple-evcorr-users mailing list
> > > Simple-evcorr-users@...
> > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> > >
> >
> >-----------------------------------------
> >Hot Mobiil - helinad, logod ja piltsõnumid!
> >http://portal.hot.ee
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op¿ick
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee

Greetings:

Can you use the Perl lookahead (?=..) and (?!..) in the pattern of a 
regular expression within SEC?

If so, what would the pattern look like?

Given

[Mon Dec 29 04:23:36 2003] [error] [client 66.191.172.22] File does not 
exist: /hsphere/local/home/sysnew/sysnews.com/c/winnt/system32/cmd.exe
[Mon Dec 29 04:23:36 2003] [error] [client 66.191.172.22] File does not 
exist: /hsphere/local/home/sysnew/sysnews.com/d/winnt/system32/cmd.exe
[Mon Dec 29 04:23:36 2003] [error] [client 66.191.172.22] File does not 
exist: 
/hsphere/local/home/sysnew/sysnews.com/scripts/..%5c../winnt/system32/cmd.exe
[Mon Dec 29 04:23:36 2003] [error] [client 66.191.172.22] File does not 
exist: 
/hsphere/local/home/sysnew/sysnews.com/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Dec 29 04:23:36 2003] [error] [client 66.191.172.22] File does not 
exist: 
/hsphere/local/home/sysnew/sysnews.com/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

There is

	([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/) which gives you the IP 
address

And

	([Cc]md.exe)

which gives you only the ones that are trying to run Cmd.exe or cmd.exe

Can I use the Perl lookahead to say when I have an IP and within the line 
ahead, there is cmd.exe (et all)?

If so, what's the pattern look like?

Thank you.

> Greetings:
> 
> Can you use the Perl lookahead (?=..) and (?!..) in the pattern of a 
> regular expression within SEC?

yes, you can use all Perl regexp constructs that have been described in the perlre(1) man page.

> There is
> 
> 	([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})/) which gives you the IP 
> address
> 
> And
> 
> 	([Cc]md.exe)
> 
> which gives you only the ones that are trying to run Cmd.exe or cmd.exe
> 
> Can I use the Perl lookahead to say when I have an IP and within the line 
> ahead, there is cmd.exe (et all)?
> 
> If so, what's the pattern look like?

E.g., you can begin the pattern with the regexp that matches an IP, and continue the pattern with
(?=.*[Cc]md\.exe)

br,
risto

> 
> Thank you.
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee

ANDERSON RUSSELL D (ANDY) wrote:
> I just noticed this after an email alert for a rule I have. The (*) par=
t is added on the syslog line from the %V variable.
>=20
> Email contents:
> Dec 22 08:07:54 <host> sshd[440056]: Accepted password for <user> from =
10.1.50.90 port 976 ssh2 (xcexmxri VPN tunnel IP is 10.1.50.80)
>=20
> Rule:
> action=3Dcopy VPN_IP_$3 %V ; \
>         pipe '$0 (%V)' /bin/mail -s "%s" rxanders
>=20
> What's happening is that %V contains the last assignment.
> %V =3D 'xcexmxri VPN tunnel IP is 10.1.50.80'
>=20
> Since VPN_IP_$3 (10.1.50.90) doesn't exist, it didn't have anything to =
overwrite it with.
> I would have expected %V to be empty. Is this what I should expect as i=
t complicates things alot more?
>=20

hi,
if the context does not exist, SEC will indeed not set the variable to=20
an empty string '', but it will rather log a warning. Imho, this is a=20
better solution than overwriting the variable, because existing context=20
that has an empty event store will already set the variable to an empty=20
string. To overcome the problem you have, I would recommend to=20
initialize the variable with 'assign' before 'copy' - if the context=20
does not exist, the variable will still contain its previous value.

action=3Dassign %V -; copy VPN_IP_$3 %V ; \
        pipe '$0 (%V)' /bin/mail -s "%s" rxanders

br,
risto

> Thanks.
>=20
> Russell Anderson (Andy)
> SRP: Computer Applications
> Phone: 602 -236-6434
> Fax:     602-236-4327
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM=
's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admi=
n.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=CCk
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>=20

I would like to explore it. Perhaps a better example is that we create =
VPN* context(s) and aliases when a user opens a tunnel. We then have =
rules that add certain events to the context during the users session =
that we use to provide audit info. As each related rule hits, a script =
is called that takes the users contexts and events to determine access =
grant|deny for notifications. If for instance, a violation occurs, an =
email is sent with all related events tied to a that user or ip. What =
happens after I restart SEC, is that the info is gone and I end up with =
"%variable" instead of data in the message content. I probably didn't do =
a very good job of explaining, but I hope you get the idea and maybe =
others may see value in exploring the idea. I initially envisioned =
something like a dump|restore similiar to the SIGUSR1 possibly triggered =
by an event fed context. Thanks

-----Original Message-----
From: Risto Vaarandi [mailto:risto.vaarandi@...]
Sent: Friday, December 19, 2003 4:06 AM
To: ANDERSON RUSSELL D (ANDY)
Cc: simple-evcorr-users@...
Subject: Re: Saving states


ANDERSON RUSSELL D (ANDY) wrote:
> I know that you can save contexts via SEC events as described in the =
FAQs.
> The situation we have is that we would also like to reload the context =
event(s) and not just the context in case of SEC shutdown/restart. I =
understand that the event timing relationship would be destroyed, but it =
could be the event contents that are more of value in certain =
situations. An example:
>=20
> Context Name: <hostname>_SYSLOG_LINE
> Creation Time: Thu Dec 18 10:46:01 2003
> Lifetime: 60 seconds
> 1 events associated with context:
> Dec 18 10:46:01 <hostname> sia: EVENT: [Thu Dec 18 10:45:14 2003] =
Successful launching of session
>=20
> Any suggestions on a possible method of addressing this?
>=20

hmmm... good question. I think it is quite difficult to configure such a =

behavior without 'eval'. The shortest way (although this approach is not =

well documented yet!) is to set up a rule that reacts on SEC_SHUTDOWN=20
and writes the internal SEC context hash to a disk. However, this would=20
require some knowledge about SEC internal data structures and you have=20
to study the SEC code. If you are interested, I can post a code to the=20
mailing list (and the FAQ) that will implement this.
Another and more understandable way (for the end user at least) would be =

to keep the information about SEC contexts in the main::SEC data name=20
space (using 'eval'), and write both the name and the content of each=20
individual context to a disk. The downside of this approach is the extra =

CPU time that many calls to 'eval' will involve.

However, from the example above I can see that the contexts you are=20
trying to save are containing last seen syslog message for every host?=20
If this is so, then saving those contexts is probably not a worthy idea, =

because during shutdown/restart *many* new messages can be added to=20
logfiles, i.e., by the time SEC is up and running again, the hosts might =

have sent many new messages, turning obsolete many of the contexts you=20
have saved.

br,
risto

ANDERSON RUSSELL D (ANDY) wrote:
> I would like to explore it. Perhaps a better example is that we create =
VPN* context(s) and aliases when a user opens a tunnel. We then have rule=
s that add certain events to the context during the users session that we=
 use to provide audit info. As each related rule hits, a script is called=
 that takes the users contexts and events to determine access grant|deny =
for notifications. If for instance, a violation occurs, an email is sent =
with all related events tied to a that user or ip. What happens after I r=
estart SEC, is that the info is gone and I end up with "%variable" instea=
d of data in the message content. I probably didn't do a very good job of=
 explaining, but I hope you get the idea and maybe others may see value i=
n exploring the idea. I initially envisioned something like a dump|restor=
e similiar to the SIGUSR1 possibly triggered by an event fed context. Tha=
nks

allright, I understand now. BTW, is there any chance that you can keep=20
the information (that is now in the contexts) in a database (or plain=20
disk files) instead? It sounds to me that preserving this data across=20
different SEC runs is quite important, and imho a database that resides=20
on a disk looks to be a much better alternative for storing data with=20
permanent nature.

Anyway, the sample rule for printing the contexts to standard output is=20
as follows:

type=3DSingle
ptype=3Dregexp
pattern=3D(SEC_RESTART|SEC_SHUTDOWN)
desc=3DWrite all contexts to stdout
action=3Deval %o ( while($context =3D each(%main::context_list)) { \
     print "Context name: $context\n"; \
     print '-' x 60, "\n"; \
     foreach $line (@{$main::context_list{$context}->{"Buffer"}}) { \
       print $line, "\n"; \
     } \
     print '=3D' x 60, "\n"; \
   } )


hth,
risto

>=20
> -----Original Message-----
> From: Risto Vaarandi [mailto:risto.vaarandi@...]
> Sent: Friday, December 19, 2003 4:06 AM
> To: ANDERSON RUSSELL D (ANDY)
> Cc: simple-evcorr-users@...
> Subject: Re: Saving states
>=20
>=20
> ANDERSON RUSSELL D (ANDY) wrote:
>=20
>>I know that you can save contexts via SEC events as described in the FA=
Qs.
>>The situation we have is that we would also like to reload the context =
event(s) and not just the context in case of SEC shutdown/restart. I unde=
rstand that the event timing relationship would be destroyed, but it coul=
d be the event contents that are more of value in certain situations. An =
example:
>>
>>Context Name: <hostname>_SYSLOG_LINE
>>Creation Time: Thu Dec 18 10:46:01 2003
>>Lifetime: 60 seconds
>>1 events associated with context:
>>Dec 18 10:46:01 <hostname> sia: EVENT: [Thu Dec 18 10:45:14 2003] Succe=
ssful launching of session
>>
>>Any suggestions on a possible method of addressing this?
>>
>=20
>=20
> hmmm... good question. I think it is quite difficult to configure such =
a=20
> behavior without 'eval'. The shortest way (although this approach is no=
t=20
> well documented yet!) is to set up a rule that reacts on SEC_SHUTDOWN=20
> and writes the internal SEC context hash to a disk. However, this would=
=20
> require some knowledge about SEC internal data structures and you have=20
> to study the SEC code. If you are interested, I can post a code to the=20
> mailing list (and the FAQ) that will implement this.
> Another and more understandable way (for the end user at least) would b=
e=20
> to keep the information about SEC contexts in the main::SEC data name=20
> space (using 'eval'), and write both the name and the content of each=20
> individual context to a disk. The downside of this approach is the extr=
a=20
> CPU time that many calls to 'eval' will involve.
>=20
> However, from the example above I can see that the contexts you are=20
> trying to save are containing last seen syslog message for every host?=20
> If this is so, then saving those contexts is probably not a worthy idea=
,=20
> because during shutdown/restart *many* new messages can be added to=20
> logfiles, i.e., by the time SEC is up and running again, the hosts migh=
t=20
> have sent many new messages, turning obsolete many of the contexts you=20
> have saved.
>=20
> br,
> risto
>=20
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM=
's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admi=
n.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=CCk
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>=20

Risto Vaarandi wrote:
>=20

just noticed I've made a mistake in the rule below - matching=20
SEC_RESTART event doesn't make sense, because it is generated after SEC=20
has received the HUP signal and cleared all of its data structures,=20
including contexts. So the pattern parameter should read=20
'pattern=3DSEC_SHUTDOWN' instead.

br,
risto

> Anyway, the sample rule for printing the contexts to standard output is=
=20
> as follows:
>=20
> type=3DSingle
> ptype=3Dregexp
> pattern=3D(SEC_RESTART|SEC_SHUTDOWN)
> desc=3DWrite all contexts to stdout
> action=3Deval %o ( while($context =3D each(%main::context_list)) { \
>     print "Context name: $context\n"; \
>     print '-' x 60, "\n"; \
>     foreach $line (@{$main::context_list{$context}->{"Buffer"}}) { \
>       print $line, "\n"; \
>     } \
>     print '=3D' x 60, "\n"; \
>   } )
>=20
>=20
> hth,
> risto
>=20
>>
>> -----Original Message-----
>> From: Risto Vaarandi [mailto:risto.vaarandi@...]
>> Sent: Friday, December 19, 2003 4:06 AM
>> To: ANDERSON RUSSELL D (ANDY)
>> Cc: simple-evcorr-users@...
>> Subject: Re: Saving states
>>
>>
>> ANDERSON RUSSELL D (ANDY) wrote:
>>
>>> I know that you can save contexts via SEC events as described in the=20
>>> FAQs.
>>> The situation we have is that we would also like to reload the=20
>>> context event(s) and not just the context in case of SEC=20
>>> shutdown/restart. I understand that the event timing relationship=20
>>> would be destroyed, but it could be the event contents that are more=20
>>> of value in certain situations. An example:
>>>
>>> Context Name: <hostname>_SYSLOG_LINE
>>> Creation Time: Thu Dec 18 10:46:01 2003
>>> Lifetime: 60 seconds
>>> 1 events associated with context:
>>> Dec 18 10:46:01 <hostname> sia: EVENT: [Thu Dec 18 10:45:14 2003]=20
>>> Successful launching of session
>>>
>>> Any suggestions on a possible method of addressing this?
>>>
>>
>>
>> hmmm... good question. I think it is quite difficult to configure such=
=20
>> a behavior without 'eval'. The shortest way (although this approach is=
=20
>> not well documented yet!) is to set up a rule that reacts on=20
>> SEC_SHUTDOWN and writes the internal SEC context hash to a disk.=20
>> However, this would require some knowledge about SEC internal data=20
>> structures and you have to study the SEC code. If you are interested,=20
>> I can post a code to the mailing list (and the FAQ) that will=20
>> implement this.
>> Another and more understandable way (for the end user at least) would=20
>> be to keep the information about SEC contexts in the main::SEC data=20
>> name space (using 'eval'), and write both the name and the content of=20
>> each individual context to a disk. The downside of this approach is=20
>> the extra CPU time that many calls to 'eval' will involve.
>>
>> However, from the example above I can see that the contexts you are=20
>> trying to save are containing last seen syslog message for every host?=
=20
>> If this is so, then saving those contexts is probably not a worthy=20
>> idea, because during shutdown/restart *many* new messages can be added=
=20
>> to logfiles, i.e., by the time SEC is up and running again, the hosts=20
>> might have sent many new messages, turning obsolete many of the=20
>> contexts you have saved.
>>
>> br,
>> risto
>>
>>
>>
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: IBM Linux Tutorials.
>> Become an expert in LINUX or just sharpen your skills.  Sign up for IB=
M's
>> Free Linux Tutorials.  Learn everything from the bash shell to sys adm=
in.
>> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=CCk
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@...
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>=20
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM=
's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admi=
n.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=CCk
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>=20

> Hello,
> 
> Excerpt from the SEC man page: "Any comment line, empty line, or end of 
> the file will terminate the preceding rule definition"
> Just wondering however if there's any way/trick to insert comments between 
> or at the end of parameter lines in a rules. This would help for others to 
> be able to understand and maintain rules that I've written so far.
> 

hi Marc,
unfortunately, with the current version it is not possible to insert comments into a rule. Changing that behavior could be a tricky issue, since there might be configurations around that contain # as a rule parameter value (e.g., as a part of a regular expression), also, some configurations might use only comment lines between the rules :-( So right now the only way is to put a comment block before the rule.

> Risto: thanks much for having developed this great tool and for making it 
> available: SEC is exactly what I've been looking for for quite a long 
> time!

thanks!

br,
risto

> 
> Best Regards/Marc
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee

The dump shows that although sec is running it appears to have hung on =
the syslog repeated N times rules(2,3) as seen by the old times in the =
input buffer compared to the dump time. There was only one original =
entry of "last message repeated". Looking at the context =
ems0171e_SYSLOG_LINE, the Creation Time: Thu Dec 18 14:08:10 2003 there =
appears to be a stuck loop condition. Could someone look at these rules =
for help?
----------------------------------
type=3DSingle
continue=3DDontCont
ptype=3DRegExp
pattern=3D^\S+\s+\d+ \S+ (\S+) last message repeated (\d+) times
context=3D$1_SYSLOG_LINE
desc=3D'Decompress' $1 repeated messages compressed by syslogd $2 times
action=3Dcopy $1_SYSLOG_LINE %L; \
        eval %O ( $line =3D q(%L); \
        @ret =3D (); \
        for ($i =3D 0; $i < $2; ++$i) { push @ret, $line; } \
        return @ret; ); \
        event %O;

type=3DSingle
continue=3DTakeNext
ptype=3DRegExp
pattern=3D^\S+\s+\d+ \S+ (\S+)
desc=3DKeep the last $1 syslog line in case of "last message repeated"
action=3Dcreate $1_SYSLOG_LINE 60; add $1_SYSLOG_LINE $0
----------------------------------
Date of dump: Thu Dec 18 14:09:09 2003
Program version: 2.2.0

Performance statistics:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Run time: 15859 seconds
User time: 5387.83 seconds
System time: 50.45 seconds
Child user time: 7.91 seconds
Child system time: 6.07 seconds
Processed input lines: 2836320

Rule usage statistics:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Statistics for the rules from /etc/sec.conf
------------------------------------------------------------
Rule 1 at line 20 (Ignore these sshd: Failed password for root) has =
matched 0 events
Rule 2 at line 34 ('Decompress' $1 repeated messages compressed by =
syslogd $2 times) has matched 1900010 events
Rule 3 at line 51 (Keep the last $1 syslog line in case of "last message =
repeated") has matched 61 events
Rule 4 at line 62 (PAGER) has matched 0 events
Rule 5 at line 69 (PAGER) has matched 0 events
Rule 6 at line 78 (Repeated failed system(s) access) has matched 0 =
events
Rule 7 at line 88 (Repeated failed system(s) access) has matched 0 =
events
Rule 8 at line 101 (Repeated failed system(s) access) has matched 0 =
events
Rule 9 at line 126 ([FAILED ACCESS]) has matched 0 events
Rule 10 at line 135 ([FAILED ACCESS]) has matched 0 events
Rule 11 at line 144 ([FAILED ACCESS]) has matched 0 events
Rule 12 at line 156 ([FAILED ACCESS]) has matched 0 events
Rule 13 at line 166 ([FAILED ACCESS]) has matched 0 events
Rule 14 at line 176 ([FAILED ACCESS]) has matched 0 events
Rule 15 at line 196 (Suspect su user access) has matched 0 events
Rule 16 at line 209 (Suspect su user access) has matched 0 events
Rule 17 at line 222 (Suspect su user access) has matched 0 events
Rule 18 at line 244 (ulp.pl (update local password) SUCCESS list) has =
matched 0 events
Rule 19 at line 266 (Suppress lines that match: (?-xism:^\S+\s+\d+ \S+ =
(\S+) .*ulp:.* \[FAIL\])) has matched 0 events
Rule 20 at line 275 (ulp.pl (update local password) FAIL list) has =
matched 0 events
Rule 21 at line 295 ($2 VPN tunnel established) has matched 0 events
Rule 22 at line 319 (Delete $2 VPN_ context(s)) has matched 0 events
Rule 23 at line 343 (Suspect (host|user) or VPN access) has matched 0 =
events
Rule 24 at line 359 (Linux system console access by $2) has matched 0 =
events
Rule 25 at line 367 (Linux system console access by $2) has matched 0 =
events
Rule 26 at line 381 (Compaq system console access by $2) has matched 0 =
events
Rule 27 at line 389 (Compaq system console access by $2) has matched 0 =
events
Rule 28 at line 404 (Solaris system console access by $2) has matched 0 =
events
Rule 29 at line 412 (Solaris system console access by $2) has matched 0 =
events

Input sources:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
/etc/syslog_info (status: Open, received data: 0 lines, no context set)

Content of input buffer:
------------------------------------------------------------
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times
------------------------------------------------------------

Pending events that are generated by rules:
------------------------------------------------------------
------------------------------------------------------------

List of active event correlation operations:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Total: 0 elements

List of active contexts:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Context Name: VPN_USER_srestrad_IP_10.1.60.4
Context Name: VPN_IP_10.1.60.4
Context Name: VPN_PID_11787
Creation Time: Thu Dec 18 11:01:24 2003
Lifetime: infinite
1 events associated with context:
srestrad VPN tunnel IP is 10.1.60.4
------------------------------------------------------------
Context Name: VPN_USER_prsutton_IP_10.1.60.46
Context Name: VPN_IP_10.1.60.46
Context Name: VPN_PID_9529
Creation Time: Thu Dec 18 12:08:09 2003
Lifetime: infinite
1 events associated with context:
prsutton VPN tunnel IP is 10.1.60.46
------------------------------------------------------------
Context Name: VPN_USER_cagonzal_IP_10.1.60.45
Context Name: VPN_IP_10.1.60.45
Context Name: VPN_PID_8494
Creation Time: Thu Dec 18 10:16:09 2003
Lifetime: infinite
1 events associated with context:
cagonzal VPN tunnel IP is 10.1.60.45
------------------------------------------------------------
Context Name: ems0171e_SYSLOG_LINE
Creation Time: Thu Dec 18 14:08:10 2003
Lifetime: 60 seconds
1 events associated with context:
Dec 18 12:37:02 ems0171e last message repeated 2 times
------------------------------------------------------------
Total: 4 elements

Running children:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Total: 0 elements

User-defined variables:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
%L =3D 'Dec 18 12:37:02 ems0171e last message repeated 2 times'

%O =3D 'Dec 18 12:37:02 ems0171e last message repeated 2 times
Dec 18 12:37:02 ems0171e last message repeated 2 times'

Total: 2 elements


-----Original Message-----
From: Risto Vaarandi [mailto:ristov@...]
Sent: Thursday, December 18, 2003 1:58 PM
To: ANDERSON RUSSELL D (ANDY); simple-evcorr-users@...
Subject: Re: [Simple-evcorr-users] Memory and CPU usage


> We are seeing this system behavior on our netloghost running SEC.
> `uname -a` Linux <hostname> 2.4.18-3
>=20
>   9:32am  up 18:37,  1 user,  load average: 1.77, 1.28, 1.10
> 55 processes: 52 sleeping, 3 running, 0 zombie, 0 stopped
> CPU states: 97.4% user,  2.5% system,  0.0% nice,  0.0% idle
> Mem:   772984K av,  761464K used,   11520K free,       0K shrd,   =
10544K > buff
> Swap:  264560K av,  144836K used,  119724K free                   =
20396K > cached
>=20
> PID    USER PRI  NI  SIZE  RSS  SHARE STAT %CPU %MEM TIME   COMMAND
> 29999 root    25    0   669M 547M 16428    R      98.6     72.5     > =
230:10 sec.pl
>=20
> We just added another 512 memory to this machine because of swapping.
> Has anyone seen this or have recommendations?

hi,

you can check the status of SEC by sending the SIGUSR1 signal to it =
which creates a dump file /tmp/sec.dump. This file contains a detailed =
information how many correlation operations are active, how many =
contexts have been created, how big the contexts are, etc.

I would suspect that although you are seeing both the high memory and =
CPU usage, the former is causing the latter, e.g., if you have tens of =
thousands of contexts and event correlation operations in the memory, it =
will also require a lot of CPU time to process the correlation and =
context lists.
So as a starting point, I would check which entities are actually =
consuming most memory, and try to reduce their number somehow.

One common mistake that I've made in the past is to store *all* =
interesting event sequences to contexts and keeping their in working =
memory. For example, if you are using that strategy in an IDS for =
memorizing individual attacks, you could easily run out of memory, since =
the number of external IP addresses that incidents can originate from =
can be extremely large. It could be worth of contemplating other =
strategies, e.g., to store some information in disk files (or database) =
instead of keeping them in the working memory. But first please check =
the SEC dump and see what is actually eating your memory.

hth,
risto

>=20
> Russell Anderson (Andy)
> Computer Applications
> Phone: 602 -236-6434
> Fax:     602-236-4327
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for =
IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys =
admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=BFick
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>=20

-----------------------------------------
Hot Mobiil - helinad, logod ja pilts=F5numid!
http://portal.hot.ee

hi Andy,

there is one caveat that could cause things go wrong. The <host>_SYSLOG_LINE context has a lifetime of 1 minute, but suppose the host logs a message, which is then followed by a "last message repeated" from the same host after _more_ than 60 seconds. Since the context <host>_SYSLOG_LINE does not exist any more, the 2nd rule does not match and the "last message repeated" line will be passed to the 3rd rule, which saves the "last message repeated" message to the <host>_SYSLOG_LINE context.

As far as "last message repeated" messages are concerned, I have seen two different implementations:
1) syslogd always logs the original message at least once before "last message repeated", which means that no consecutive "last message repeated" lines can be received from the same host.
2) after syslogd has logged "last message repeated" line, it can log it again without logging the original message before, e.g.,

May 27 02:10:03 myhost kernel: VFS: Disk change detected on device ide1(22,0) 
May 27 02:10:35 myhost last message repeated 8 times 
May 27 02:11:35 myhost last message repeated 15 times 
May 27 02:12:35 myhost last message repeated 15 times 

If the latter is the case for your syslogd, then it is possible that once "last message repeated" line was erroneously saved to <host>_SYSLOG_LINE, then the immediately following "last message repeated" line will trigger an endless loop. Note that after the endless loop has run for 1 minute, the <host>_SYSLOG_LINE context will be deleted, but since there are already many "last message repeated" messages generated by the loop, one of those messages will be matched by the 3rd rule, which will reinforce the loop.

Try to change the <host>_SYSLOG_LINE contexts to have an infinite lifetime and check whether this makes a difference.

hth,
risto

> The dump shows that although sec is running it appears to have hung on > the syslog repeated N times rules(2,3) as seen by the old times in the > input buffer compared to the dump time. There was only one original > entry of "last message repeated". Looking at the context > ems0171e_SYSLOG_LINE, the Creation Time: Thu Dec 18 14:08:10 2003 there > appears to be a stuck loop condition. Could someone look at these rules > for help?
> ----------------------------------
> type=Single
> continue=DontCont
> ptype=RegExp
> pattern=^S+s+d+ S+ (S+) last message repeated (d+) times
> context=$1_SYSLOG_LINE
> desc='Decompress' $1 repeated messages compressed by syslogd $2 times
> action=copy $1_SYSLOG_LINE %L; 
>         eval %O ( $line = q(%L); 
>         @ret = (); 
>         for ($i = 0; $i < $2; ++$i) { push @ret, $line; } 
>         return @ret; ); 
>         event %O;
> 
> type=Single
> continue=TakeNext
> ptype=RegExp
> pattern=^S+s+d+ S+ (S+)
> desc=Keep the last $1 syslog line in case of "last message repeated"
> action=create $1_SYSLOG_LINE 60; add $1_SYSLOG_LINE $0
> ----------------------------------
> Date of dump: Thu Dec 18 14:09:09 2003
> Program version: 2.2.0
> 
> Performance statistics:
> =========================> =========================> ==========
> Run time: 15859 seconds
> User time: 5387.83 seconds
> System time: 50.45 seconds
> Child user time: 7.91 seconds
> Child system time: 6.07 seconds
> Processed input lines: 2836320
> 
> Rule usage statistics:
> =========================> =========================> ==========
> 
> Statistics for the rules from /etc/sec.conf
> ------------------------------------------------------------
> Rule 1 at line 20 (Ignore these sshd: Failed password for root) has > matched 0 events
> Rule 2 at line 34 ('Decompress' $1 repeated messages compressed by > syslogd $2 times) has matched 1900010 events
> Rule 3 at line 51 (Keep the last $1 syslog line in case of "last message > repeated") has matched 61 events
> Rule 4 at line 62 (PAGER) has matched 0 events
> Rule 5 at line 69 (PAGER) has matched 0 events
> Rule 6 at line 78 (Repeated failed system(s) access) has matched 0 > events
> Rule 7 at line 88 (Repeated failed system(s) access) has matched 0 > events
> Rule 8 at line 101 (Repeated failed system(s) access) has matched 0 > events
> Rule 9 at line 126 ([FAILED ACCESS]) has matched 0 events
> Rule 10 at line 135 ([FAILED ACCESS]) has matched 0 events
> Rule 11 at line 144 ([FAILED ACCESS]) has matched 0 events
> Rule 12 at line 156 ([FAILED ACCESS]) has matched 0 events
> Rule 13 at line 166 ([FAILED ACCESS]) has matched 0 events
> Rule 14 at line 176 ([FAILED ACCESS]) has matched 0 events
> Rule 15 at line 196 (Suspect su user access) has matched 0 events
> Rule 16 at line 209 (Suspect su user access) has matched 0 events
> Rule 17 at line 222 (Suspect su user access) has matched 0 events
> Rule 18 at line 244 (ulp.pl (update local password) SUCCESS list) has > matched 0 events
> Rule 19 at line 266 (Suppress lines that match: (?-xism:^S+s+d+ S+ > (S+) .*ulp:.* [FAIL])) has matched 0 events
> Rule 20 at line 275 (ulp.pl (update local password) FAIL list) has > matched 0 events
> Rule 21 at line 295 ($2 VPN tunnel established) has matched 0 events
> Rule 22 at line 319 (Delete $2 VPN_ context(s)) has matched 0 events
> Rule 23 at line 343 (Suspect (host|user) or VPN access) has matched 0 > events
> Rule 24 at line 359 (Linux system console access by $2) has matched 0 > events
> Rule 25 at line 367 (Linux system console access by $2) has matched 0 > events
> Rule 26 at line 381 (Compaq system console access by $2) has matched 0 > events
> Rule 27 at line 389 (Compaq system console access by $2) has matched 0 > events
> Rule 28 at line 404 (Solaris system console access by $2) has matched 0 > events
> Rule 29 at line 412 (Solaris system console access by $2) has matched 0 > events
> 
> Input sources:
> =========================> =========================> ==========
> /etc/syslog_info (status: Open, received data: 0 lines, no context set)
> 
> Content of input buffer:
> ------------------------------------------------------------
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> ------------------------------------------------------------
> 
> Pending events that are generated by rules:
> ------------------------------------------------------------
> ------------------------------------------------------------
> 
> List of active event correlation operations:
> =========================> =========================> ==========
> Total: 0 elements
> 
> List of active contexts:
> =========================> =========================> ==========
> Context Name: VPN_USER_srestrad_IP_10.1.60.4
> Context Name: VPN_IP_10.1.60.4
> Context Name: VPN_PID_11787
> Creation Time: Thu Dec 18 11:01:24 2003
> Lifetime: infinite
> 1 events associated with context:
> srestrad VPN tunnel IP is 10.1.60.4
> ------------------------------------------------------------
> Context Name: VPN_USER_prsutton_IP_10.1.60.46
> Context Name: VPN_IP_10.1.60.46
> Context Name: VPN_PID_9529
> Creation Time: Thu Dec 18 12:08:09 2003
> Lifetime: infinite
> 1 events associated with context:
> prsutton VPN tunnel IP is 10.1.60.46
> ------------------------------------------------------------
> Context Name: VPN_USER_cagonzal_IP_10.1.60.45
> Context Name: VPN_IP_10.1.60.45
> Context Name: VPN_PID_8494
> Creation Time: Thu Dec 18 10:16:09 2003
> Lifetime: infinite
> 1 events associated with context:
> cagonzal VPN tunnel IP is 10.1.60.45
> ------------------------------------------------------------
> Context Name: ems0171e_SYSLOG_LINE
> Creation Time: Thu Dec 18 14:08:10 2003
> Lifetime: 60 seconds
> 1 events associated with context:
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> ------------------------------------------------------------
> Total: 4 elements
> 
> Running children:
> =========================> =========================> ==========
> Total: 0 elements
> 
> User-defined variables:
> =========================> =========================> ==========
> %L = 'Dec 18 12:37:02 ems0171e last message repeated 2 times'
> 
> %O = 'Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times'
> 
> Total: 2 elements
> 
> 
> -----Original Message-----
> From: Risto Vaarandi [mailto:ristov@...]
> Sent: Thursday, December 18, 2003 1:58 PM
> To: ANDERSON RUSSELL D (ANDY); simple-evcorr-users@...
> Subject: Re: [Simple-evcorr-users] Memory and CPU usage
> 
> 
> > We are seeing this system behavior on our netloghost running SEC.
> > `uname -a` Linux <hostname> 2.4.18-3
> > 
> >   9:32am  up 18:37,  1 user,  load average: 1.77, 1.28, 1.10
> > 55 processes: 52 sleeping, 3 running, 0 zombie, 0 stopped
> > CPU states: 97.4% user,  2.5% system,  0.0% nice,  0.0% idle
> > Mem:   772984K av,  761464K used,   11520K free,       0K shrd,   > 10544K > buff
> > Swap:  264560K av,  144836K used,  119724K free                   > 20396K > cached
> > 
> > PID    USER PRI  NI  SIZE  RSS  SHARE STAT %CPU %MEM TIME   COMMAND
> > 29999 root    25    0   669M 547M 16428    R      98.6     72.5     > > 230:10 sec.pl
> > 
> > We just added another 512 memory to this machine because of swapping.
> > Has anyone seen this or have recommendations?
> 
> hi,
> 
> you can check the status of SEC by sending the SIGUSR1 signal to it > which creates a dump file /tmp/sec.dump. This file contains a detailed > information how many correlation operations are active, how many > contexts have been created, how big the contexts are, etc.
> 
> I would suspect that although you are seeing both the high memory and > CPU usage, the former is causing the latter, e.g., if you have tens of > thousands of contexts and event correlation operations in the memory, it > will also require a lot of CPU time to process the correlation and > context lists.
> So as a starting point, I would check which entities are actually > consuming most memory, and try to reduce their number somehow.
> 
> One common mistake that I've made in the past is to store *all* > interesting event sequences to contexts and keeping their in working > memory. For example, if you are using that strategy in an IDS for > memorizing individual attacks, you could easily run out of memory, since > the number of external IP addresses that incidents can originate from > can be extremely large. It could be worth of contemplating other > strategies, e.g., to store some information in disk files (or database) > instead of keeping them in the working memory. But first please check > the SEC dump and see what is actually eating your memory.
> 
> hth,
> risto
> 
> > 
> > Russell Anderson (Andy)
> > Computer Applications
> > Phone: 602 -236-6434
> > Fax:     602-236-4327
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IBM Linux Tutorials.
> > Become an expert in LINUX or just sharpen your skills.  Sign up for > IBM's
> > Free Linux Tutorials.  Learn everything from the bash shell to sys > admin.
> > Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op¿ick
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@...
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> > 
> 
> -----------------------------------------
> Hot Mobiil - helinad, logod ja piltsõnumid!
> http://portal.hot.ee
> 
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op¿ick
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee

I understand now, thank you. I added a rule between the two to cover all =
syslog implementations we have that solved the problem and changed the =
<host>_SYSLOG_LINE context to infinite lifetime. The new rule basically =
covers the case of starting and having "last message repeated" as the =
first event since the first rule would be skipped as there is no =
<host>_SYSLOG_LINE.

type=3DSingle
continue=3DDontCont
ptype=3DRegExp
pattern=3D^\S+\s+\d+ \S+ (\S+) last message repeated (\d+) times
desc=3DStop "last message repeated" loop if first event for host
action=3Dnone

-----Original Message-----
From: Risto Vaarandi [mailto:ristov@...]
Sent: Thursday, December 18, 2003 3:46 PM
To: ANDERSON RUSSELL D (ANDY); simple-evcorr-users@...
Subject: RE: [Simple-evcorr-users] Memory and CPU usage


hi Andy,

there is one caveat that could cause things go wrong. The =
<host>_SYSLOG_LINE context has a lifetime of 1 minute, but suppose the =
host logs a message, which is then followed by a "last message repeated" =
from the same host after _more_ than 60 seconds. Since the context =
<host>_SYSLOG_LINE does not exist any more, the 2nd rule does not match =
and the "last message repeated" line will be passed to the 3rd rule, =
which saves the "last message repeated" message to the =
<host>_SYSLOG_LINE context.

As far as "last message repeated" messages are concerned, I have seen =
two different implementations:
1) syslogd always logs the original message at least once before "last =
message repeated", which means that no consecutive "last message =
repeated" lines can be received from the same host.
2) after syslogd has logged "last message repeated" line, it can log it =
again without logging the original message before, e.g.,

May 27 02:10:03 myhost kernel: VFS: Disk change detected on device =
ide1(22,0)=20
May 27 02:10:35 myhost last message repeated 8 times=20
May 27 02:11:35 myhost last message repeated 15 times=20
May 27 02:12:35 myhost last message repeated 15 times=20

If the latter is the case for your syslogd, then it is possible that =
once "last message repeated" line was erroneously saved to =
<host>_SYSLOG_LINE, then the immediately following "last message =
repeated" line will trigger an endless loop. Note that after the endless =
loop has run for 1 minute, the <host>_SYSLOG_LINE context will be =
deleted, but since there are already many "last message repeated" =
messages generated by the loop, one of those messages will be matched by =
the 3rd rule, which will reinforce the loop.

Try to change the <host>_SYSLOG_LINE contexts to have an infinite =
lifetime and check whether this makes a difference.

hth,
risto

> The dump shows that although sec is running it appears to have hung on =
> the syslog repeated N times rules(2,3) as seen by the old times in the =
> input buffer compared to the dump time. There was only one original > =
entry of "last message repeated". Looking at the context > =
ems0171e_SYSLOG_LINE, the Creation Time: Thu Dec 18 14:08:10 2003 there =
> appears to be a stuck loop condition. Could someone look at these =
rules > for help?
> ----------------------------------
> type=3DSingle
> continue=3DDontCont
> ptype=3DRegExp
> pattern=3D^S+s+d+ S+ (S+) last message repeated (d+) times
> context=3D$1_SYSLOG_LINE
> desc=3D'Decompress' $1 repeated messages compressed by syslogd $2 =
times
> action=3Dcopy $1_SYSLOG_LINE %L;=20
>         eval %O ( $line =3D q(%L);=20
>         @ret =3D ();=20
>         for ($i =3D 0; $i < $2; ++$i) { push @ret, $line; }=20
>         return @ret; );=20
>         event %O;
>=20
> type=3DSingle
> continue=3DTakeNext
> ptype=3DRegExp
> pattern=3D^S+s+d+ S+ (S+)
> desc=3DKeep the last $1 syslog line in case of "last message repeated"
> action=3Dcreate $1_SYSLOG_LINE 60; add $1_SYSLOG_LINE $0
> ----------------------------------
> Date of dump: Thu Dec 18 14:09:09 2003
> Program version: 2.2.0
>=20
> Performance statistics:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Run time: 15859 seconds
> User time: 5387.83 seconds
> System time: 50.45 seconds
> Child user time: 7.91 seconds
> Child system time: 6.07 seconds
> Processed input lines: 2836320
>=20
> Rule usage statistics:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>=20
> Statistics for the rules from /etc/sec.conf
> ------------------------------------------------------------
> Rule 1 at line 20 (Ignore these sshd: Failed password for root) has > =
matched 0 events
> Rule 2 at line 34 ('Decompress' $1 repeated messages compressed by > =
syslogd $2 times) has matched 1900010 events
> Rule 3 at line 51 (Keep the last $1 syslog line in case of "last =
message > repeated") has matched 61 events
> Rule 4 at line 62 (PAGER) has matched 0 events
> Rule 5 at line 69 (PAGER) has matched 0 events
> Rule 6 at line 78 (Repeated failed system(s) access) has matched 0 > =
events
> Rule 7 at line 88 (Repeated failed system(s) access) has matched 0 > =
events
> Rule 8 at line 101 (Repeated failed system(s) access) has matched 0 > =
events
> Rule 9 at line 126 ([FAILED ACCESS]) has matched 0 events
> Rule 10 at line 135 ([FAILED ACCESS]) has matched 0 events
> Rule 11 at line 144 ([FAILED ACCESS]) has matched 0 events
> Rule 12 at line 156 ([FAILED ACCESS]) has matched 0 events
> Rule 13 at line 166 ([FAILED ACCESS]) has matched 0 events
> Rule 14 at line 176 ([FAILED ACCESS]) has matched 0 events
> Rule 15 at line 196 (Suspect su user access) has matched 0 events
> Rule 16 at line 209 (Suspect su user access) has matched 0 events
> Rule 17 at line 222 (Suspect su user access) has matched 0 events
> Rule 18 at line 244 (ulp.pl (update local password) SUCCESS list) has =
> matched 0 events
> Rule 19 at line 266 (Suppress lines that match: (?-xism:^S+s+d+ S+ > =
(S+) .*ulp:.* [FAIL])) has matched 0 events
> Rule 20 at line 275 (ulp.pl (update local password) FAIL list) has > =
matched 0 events
> Rule 21 at line 295 ($2 VPN tunnel established) has matched 0 events
> Rule 22 at line 319 (Delete $2 VPN_ context(s)) has matched 0 events
> Rule 23 at line 343 (Suspect (host|user) or VPN access) has matched 0 =
> events
> Rule 24 at line 359 (Linux system console access by $2) has matched 0 =
> events
> Rule 25 at line 367 (Linux system console access by $2) has matched 0 =
> events
> Rule 26 at line 381 (Compaq system console access by $2) has matched 0 =
> events
> Rule 27 at line 389 (Compaq system console access by $2) has matched 0 =
> events
> Rule 28 at line 404 (Solaris system console access by $2) has matched =
0 > events
> Rule 29 at line 412 (Solaris system console access by $2) has matched =
0 > events
>=20
> Input sources:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> /etc/syslog_info (status: Open, received data: 0 lines, no context =
set)
>=20
> Content of input buffer:
> ------------------------------------------------------------
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> ------------------------------------------------------------
>=20
> Pending events that are generated by rules:
> ------------------------------------------------------------
> ------------------------------------------------------------
>=20
> List of active event correlation operations:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Total: 0 elements
>=20
> List of active contexts:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Context Name: VPN_USER_srestrad_IP_10.1.60.4
> Context Name: VPN_IP_10.1.60.4
> Context Name: VPN_PID_11787
> Creation Time: Thu Dec 18 11:01:24 2003
> Lifetime: infinite
> 1 events associated with context:
> srestrad VPN tunnel IP is 10.1.60.4
> ------------------------------------------------------------
> Context Name: VPN_USER_prsutton_IP_10.1.60.46
> Context Name: VPN_IP_10.1.60.46
> Context Name: VPN_PID_9529
> Creation Time: Thu Dec 18 12:08:09 2003
> Lifetime: infinite
> 1 events associated with context:
> prsutton VPN tunnel IP is 10.1.60.46
> ------------------------------------------------------------
> Context Name: VPN_USER_cagonzal_IP_10.1.60.45
> Context Name: VPN_IP_10.1.60.45
> Context Name: VPN_PID_8494
> Creation Time: Thu Dec 18 10:16:09 2003
> Lifetime: infinite
> 1 events associated with context:
> cagonzal VPN tunnel IP is 10.1.60.45
> ------------------------------------------------------------
> Context Name: ems0171e_SYSLOG_LINE
> Creation Time: Thu Dec 18 14:08:10 2003
> Lifetime: 60 seconds
> 1 events associated with context:
> Dec 18 12:37:02 ems0171e last message repeated 2 times
> ------------------------------------------------------------
> Total: 4 elements
>=20
> Running children:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Total: 0 elements
>=20
> User-defined variables:
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> %L =3D 'Dec 18 12:37:02 ems0171e last message repeated 2 times'
>=20
> %O =3D 'Dec 18 12:37:02 ems0171e last message repeated 2 times
> Dec 18 12:37:02 ems0171e last message repeated 2 times'
>=20
> Total: 2 elements
>=20
>=20
> -----Original Message-----
> From: Risto Vaarandi [mailto:ristov@...]
> Sent: Thursday, December 18, 2003 1:58 PM
> To: ANDERSON RUSSELL D (ANDY); =
simple-evcorr-users@...
> Subject: Re: [Simple-evcorr-users] Memory and CPU usage
>=20
>=20
> > We are seeing this system behavior on our netloghost running SEC.
> > `uname -a` Linux <hostname> 2.4.18-3
> >=20
> >   9:32am  up 18:37,  1 user,  load average: 1.77, 1.28, 1.10
> > 55 processes: 52 sleeping, 3 running, 0 zombie, 0 stopped
> > CPU states: 97.4% user,  2.5% system,  0.0% nice,  0.0% idle
> > Mem:   772984K av,  761464K used,   11520K free,       0K shrd,   > =
10544K > buff
> > Swap:  264560K av,  144836K used,  119724K free                   > =
20396K > cached
> >=20
> > PID    USER PRI  NI  SIZE  RSS  SHARE STAT %CPU %MEM TIME   COMMAND
> > 29999 root    25    0   669M 547M 16428    R      98.6     72.5     =
> > 230:10 sec.pl
> >=20
> > We just added another 512 memory to this machine because of =
swapping.
> > Has anyone seen this or have recommendations?
>=20
> hi,
>=20
> you can check the status of SEC by sending the SIGUSR1 signal to it > =
which creates a dump file /tmp/sec.dump. This file contains a detailed > =
information how many correlation operations are active, how many > =
contexts have been created, how big the contexts are, etc.
>=20
> I would suspect that although you are seeing both the high memory and =
> CPU usage, the former is causing the latter, e.g., if you have tens of =
> thousands of contexts and event correlation operations in the memory, =
it > will also require a lot of CPU time to process the correlation and =
> context lists.
> So as a starting point, I would check which entities are actually > =
consuming most memory, and try to reduce their number somehow.
>=20
> One common mistake that I've made in the past is to store *all* > =
interesting event sequences to contexts and keeping their in working > =
memory. For example, if you are using that strategy in an IDS for > =
memorizing individual attacks, you could easily run out of memory, since =
> the number of external IP addresses that incidents can originate from =
> can be extremely large. It could be worth of contemplating other > =
strategies, e.g., to store some information in disk files (or database) =
> instead of keeping them in the working memory. But first please check =
> the SEC dump and see what is actually eating your memory.
>=20
> hth,
> risto
>=20
> >=20
> > Russell Anderson (Andy)
> > Computer Applications
> > Phone: 602 -236-6434
> > Fax:     602-236-4327
> >=20
> >=20
> >=20
> >=20
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IBM Linux Tutorials.
> > Become an expert in LINUX or just sharpen your skills.  Sign up for =
> IBM's
> > Free Linux Tutorials.  Learn everything from the bash shell to sys > =
admin.
> > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=BFick
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@...
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >=20
>=20
> -----------------------------------------
> Hot Mobiil - helinad, logod ja pilts=F5numid!
> http://portal.hot.ee
>=20
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for =
IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys =
admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=BFick
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>=20

-----------------------------------------
Hot Mobiil - helinad, logod ja pilts=F5numid!
http://portal.hot.ee

> We are seeing this system behavior on our netloghost running SEC.
> `uname -a` Linux <hostname> 2.4.18-3
> 
>   9:32am  up 18:37,  1 user,  load average: 1.77, 1.28, 1.10
> 55 processes: 52 sleeping, 3 running, 0 zombie, 0 stopped
> CPU states: 97.4% user,  2.5% system,  0.0% nice,  0.0% idle
> Mem:   772984K av,  761464K used,   11520K free,       0K shrd,   10544K > buff
> Swap:  264560K av,  144836K used,  119724K free                   20396K > cached
> 
> PID    USER PRI  NI  SIZE  RSS  SHARE STAT %CPU %MEM TIME   COMMAND
> 29999 root    25    0   669M 547M 16428    R      98.6     72.5     > 230:10 sec.pl
> 
> We just added another 512 memory to this machine because of swapping.
> Has anyone seen this or have recommendations?

hi,

you can check the status of SEC by sending the SIGUSR1 signal to it which creates a dump file /tmp/sec.dump. This file contains a detailed information how many correlation operations are active, how many contexts have been created, how big the contexts are, etc.

I would suspect that although you are seeing both the high memory and CPU usage, the former is causing the latter, e.g., if you have tens of thousands of contexts and event correlation operations in the memory, it will also require a lot of CPU time to process the correlation and context lists.
So as a starting point, I would check which entities are actually consuming most memory, and try to reduce their number somehow.

One common mistake that I've made in the past is to store *all* interesting event sequences to contexts and keeping their in working memory. For example, if you are using that strategy in an IDS for memorizing individual attacks, you could easily run out of memory, since the number of external IP addresses that incidents can originate from can be extremely large. It could be worth of contemplating other strategies, e.g., to store some information in disk files (or database) instead of keeping them in the working memory. But first please check the SEC dump and see what is actually eating your memory.

hth,
risto

> 
> Russell Anderson (Andy)
> Computer Applications
> Phone: 602 -236-6434
> Fax:     602-236-4327
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op¿ick
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

-----------------------------------------
Hot Mobiil - helinad, logod ja piltsõnumid!
http://portal.hot.ee