[netsa-tools-discuss] analysis pipeline alerting issues with EVAL block

Timur D. Snoke tdsnoke at cert.org
Tue Nov 10 08:56:41 EST 2015


Hello Asad,

This is an interesting question but I am not sure I understand from your description what you are trying to capture.

You are using type and defining SIP in your filters but do not really explain it in your use case.

Are you looking for outside hosts that are trying to scan these ports on multiple hosts inside your network?
If this is the case, you should just use IN for your TYPENAME; there are no web ports or ICMP traffic that you are concerned with in your port list. If the initiating host is outside, then you wouldn't want INT2INT, OUT or OUTWEB. This change will potentially limit the total number of flows being evaluated.

Can you show example flows that should match but don't?

--
Timur Snoke
Network Defense Analyst
CERT/CC - Network Situational Awareness
Software Engineering Institute (SEI)
O: (412) 268-7806

From: <netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org> on behalf of asad <a.alii85 at gmail.com>
Date: Tuesday, November 10, 2015 at 8:30 AM
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] analysis pipeline alerting issues with EVAL block

Hello,

I have a very simple alerting requirement:

"when a destination port matches ports which are considered 'worm ports' and traffic is sent to 5 different unique IPs in 5 minutes' time."

I know at the traffic level I'm getting the required data, since I'm using traffic logs from the Cisco ASA (the same device is also sending NetFlow) and it works as expected. I'm supposed to see an IP address, but in alert.log I see nothing. Below is the logic.

Any help?



# This filter is never referenced by an EVALUATION, so it has no effect.
FILTER outgoing-flows
TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
SIP NOT_IN_LIST "/root/silkydata/voip.set"
SIP NOT_IN_LIST "/root/silkydata/rns.set"
END FILTER

# Flows of the listed SiLK types, from sources outside the DMZ/VoIP/RNS sets,
# to one of the "worm" destination ports.
FILTER non-local-to-remote
TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
SIP NOT_IN_LIST "/root/silkydata/voip.set"
SIP NOT_IN_LIST "/root/silkydata/rns.set"
DPORT IN_LIST [135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998, 999, 8998, 3127, 3128, 3129, 3130, 3131, 3132, 3133, 3134, 3135, 3136, 3137, 3138, 3139, 3140, 3141, 3142, 3143,3146, 3147, 31$
END FILTER


EVALUATION  Systems_using_many_different_protocols
FILTER  non-local-to-remote
FOREACH SIP
CHECK THRESHOLD
# The requirement stated above is 5 distinct destinations in 5 minutes;
# this check only fires for more than 25 distinct destinations in an hour.
DISTINCT DIP > 25
TIME_WINDOW 3600 SECONDS
END CHECK
SEVERITY 7
# Only one ALERT mode is expected per evaluation: keep either
# JUST_NEW_THIS_TIME or ALWAYS, not both.
ALERT JUST_NEW_THIS_TIME
ALERT ALWAYS
CLEAR NEVER
END EVALUATION
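To see how the quoted FILTER/EVALUATION pair behaves, and why the threshold and window values matter, here is the same logic re-implemented in plain Python over a handful of constructed SiLK-style flow records. This is an added example written for this page, not code from the Analysis Pipeline or from either poster; the flow records, the base timestamp, the stand-in prefixes for DMZ.set/voip.set/rns.set and the shortened WORM_PORTS list are all assumptions made for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: a subset of the DPORT list in the posted filter (the full
# list is truncated in the post). Any set of ports works the same way.
WORM_PORTS = {135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998, 999,
              8998, 3127, 3128, 3129, 3130}

# Assumption: stand-ins for DMZ.set / voip.set / rns.set. A SIP inside any
# of these prefixes is dropped, like the SIP NOT_IN_LIST lines.
EXCLUDED_SIP_NETS = [ip_network("10.10.0.0/24"),   # "DMZ.set"
                     ip_network("10.20.0.0/24"),   # "voip.set"
                     ip_network("10.30.0.0/24")]   # "rns.set"

ALL_TYPES = {"in", "int2int", "out", "outweb", "outicmp"}  # as posted
INBOUND_ONLY = {"in"}                                       # the reply's suggestion


@dataclass(frozen=True)
class Flow:
    stime: int      # flow start time, epoch seconds
    sip: str
    dip: str
    dport: int
    typename: str   # SiLK type name: "in", "out", "int2int", ...


def passes_filter(flow, typenames, excluded_nets=EXCLUDED_SIP_NETS,
                  worm_ports=WORM_PORTS):
    """Equivalent of the non-local-to-remote FILTER block."""
    if flow.typename not in typenames:
        return False
    sip = ip_address(flow.sip)
    if any(sip in net for net in excluded_nets):
        return False
    return flow.dport in worm_ports


def find_alerts(flows, typenames, threshold, window_seconds):
    """Equivalent of the EVALUATION: FOREACH SIP, alert once the number of
    DISTINCT DIPs inside a sliding window of window_seconds is > threshold.
    Returns {sip: stime of the flow that first crossed the threshold}."""
    per_sip = {}
    for f in sorted(flows, key=lambda f: f.stime):
        if passes_filter(f, typenames):
            per_sip.setdefault(f.sip, []).append(f)

    alerts = {}
    for sip, sip_flows in per_sip.items():
        window = deque()   # flows whose stime is within window_seconds of the newest
        dips = Counter()   # distinct DIP -> number of flows to it in the window
        for f in sip_flows:
            window.append(f)
            dips[f.dip] += 1
            while f.stime - window[0].stime > window_seconds:   # expire old flows
                old = window.popleft()
                dips[old.dip] -= 1
                if dips[old.dip] == 0:
                    del dips[old.dip]
            if len(dips) > threshold:
                alerts[sip] = f.stime
                break          # one alert per SIP is enough for this example
    return alerts


T0 = 1_447_160_000   # constructed base timestamp
SAMPLE_FLOWS = (
    # 1) outside host sweeping TCP/445 across six internal hosts in 150 s
    [Flow(T0 + 30 * i, "198.51.100.7", f"192.0.2.{10 + i}", 445, "in") for i in range(6)]
    # 2) DMZ host doing the same: excluded by the SIP sets
    + [Flow(T0 + 30 * i, "10.10.0.5", f"192.0.2.{50 + i}", 445, "int2int") for i in range(6)]
    # 3) internal host talking 445 to only three peers: under threshold
    + [Flow(T0 + 10 * i, "192.0.2.99", f"203.0.113.{i}", 445, "out") for i in range(3)]
    # 4) slow scanner: six destinations, one every 10 minutes
    + [Flow(T0 + 600 * i, "198.51.100.9", f"192.0.2.{100 + i}", 139, "in") for i in range(6)]
    # 5) ordinary web traffic: wrong type and not a worm port
    + [Flow(T0 + 5 * i, "198.51.100.7", f"192.0.2.{200 + i}", 80, "inweb") for i in range(30)]
)


def stated_requirement():
    """5 distinct DIPs in 5 minutes, i.e. DISTINCT DIP > 4, TIME_WINDOW 300."""
    return find_alerts(SAMPLE_FLOWS, ALL_TYPES, threshold=4, window_seconds=300)


def posted_config():
    """DISTINCT DIP > 25, TIME_WINDOW 3600, as in the quoted EVALUATION."""
    return find_alerts(SAMPLE_FLOWS, ALL_TYPES, threshold=25, window_seconds=3600)


def hour_window():
    """The posted hour-long window with the stated 5-destination threshold."""
    return find_alerts(SAMPLE_FLOWS, ALL_TYPES, threshold=4, window_seconds=3600)


def candidate_count(typenames):
    """How many flows the FILTER lets through for a given TYPENAME list."""
    return sum(passes_filter(f, typenames) for f in SAMPLE_FLOWS)


if __name__ == "__main__":
    print("5 in 5 min :", stated_requirement())
    print("25 in 1 h  :", posted_config())
    print("5 in 1 h   :", hour_window())
    print("candidates :", candidate_count(ALL_TYPES), "vs", candidate_count(INBOUND_ONLY))
```

On this constructed data the posted values (more than 25 destinations within an hour) produce no alert at all, while the stated requirement (more than 4 within 300 s) flags the fast sweep only; the hour-long window additionally catches the slow scanner. Restricting TYPENAME to IN drops the outbound flows from the candidate set before the threshold is ever evaluated, which is the reduction the reply describes.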