Added the final "new" feature to Sagan. This is the "after" rule set
option. For example, in a rule you might have:
after: track by_src, count 5, seconds 300;
This would mean: send/record an alert "after" 5 events in 300 seconds (5
minutes). In this case, we're tracking by the source IP address of
the event.
after: track by_dst, count 100, seconds 5;
Track by destination; alert after 100 events in 5 seconds.
"after" can be used in conjunction with threshold. For example, take
the following rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] PAM
Authentication failure"; content: "Authentication failure"; classtype:
unsuccessful-user; reference:
url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh;
program: sshd; threshold: type limit, track by_src, count 5, seconds
300; after: track by_src, count 10, seconds 300; sid: 5000015; rev:2;)
Note the threshold & after options. This means:
If an invalid login happens 5 times (tracked by source) within 5
minutes, Sagan will start alerting. However, alerts will be
thresholded (limited) by the source to a count of 5 events within 5 minutes.
You can think of it this way: if you see someone attempting to log in
more than 5 times in a row within 5 minutes, send an alert. However,
if they continue, only alert on 10 times within 5 minutes.
Basically, don't send me the same alert over and over and over, thus
filling my console with crap :)
Hopefully this makes sense...
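To make the interaction between "after" and "threshold: type limit" concrete, here is a small added model of the two options (example code written for this note, not Sagan's own source). It assumes both options are sliding windows over event timestamps keyed by source or destination, and that "after ... count N" means the Nth matching event inside the window is the first one allowed through; Sagan's real counters may differ in those details. The sample events are constructed.

```python
from collections import defaultdict, deque


def _key(event, track):
    # "by_src" / "by_dst" are the track values used in the rule options above
    return event["src"] if track == "by_src" else event["dst"]


class AfterThresholdModel:
    """Hypothetical model of a rule carrying 'after' and 'threshold: type limit'.

    Each option is a dict like {"track": "by_src", "count": 5, "seconds": 300},
    or None if the rule does not use it. Windows are sliding windows over
    event timestamps (an assumption made for this example).
    """

    def __init__(self, after=None, threshold=None):
        self.after = after
        self.threshold = threshold
        self.after_hits = defaultdict(deque)  # key -> timestamps of matching events
        self.alert_hits = defaultdict(deque)  # key -> timestamps of alerts emitted

    @staticmethod
    def _prune(window, now, seconds):
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= seconds:
            window.popleft()

    def process(self, event):
        """Return True if this matching event should produce an alert."""
        now = event["ts"]

        # 'after': stay quiet until 'count' events from the same key have
        # been seen inside 'seconds'. This is the noise gate.
        if self.after:
            k = _key(event, self.after["track"])
            w = self.after_hits[k]
            self._prune(w, now, self.after["seconds"])
            w.append(now)
            if len(w) < self.after["count"]:
                return False

        # 'threshold: type limit': once alerting, emit at most 'count' alerts
        # per key inside 'seconds', so the console is not flooded.
        if self.threshold:
            k = _key(event, self.threshold["track"])
            w = self.alert_hits[k]
            self._prune(w, now, self.threshold["seconds"])
            if len(w) >= self.threshold["count"]:
                return False
            w.append(now)

        return True


def run_example():
    """Replay the OPENSSH rule's options over a constructed burst of failures.

    Returns the timestamps at which an alert would be emitted.
    """
    rule = AfterThresholdModel(
        after={"track": "by_src", "count": 10, "seconds": 300},
        threshold={"track": "by_src", "count": 5, "seconds": 300},
    )
    # Constructed sample: one source fails sshd auth 20 times, one per second,
    # then once more after the 300-second window has expired.
    events = [{"ts": t, "src": "192.0.2.10", "dst": "198.51.100.5"} for t in range(20)]
    events.append({"ts": 400, "src": "192.0.2.10", "dst": "198.51.100.5"})
    return [e["ts"] for e in events if rule.process(e)]


if __name__ == "__main__":
    # Expected: alerts on the 10th through 14th failures only; the lone
    # failure at t=400 lands in a fresh window and is swallowed by 'after'.
    print(run_example())  # -> [9, 10, 11, 12, 13]
```

The first nine failures produce nothing, the tenth opens the gate, the limit then lets five alerts through and silences the remaining ten, and the straggler at t=400 starts counting again from one. Tracking by destination works the same way with `track` set to `by_dst`.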
--
Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A