[netsa-tools-discuss] analysis pipeline alerting issues with EVAL block

Angela Horneman ahorneman at cert.org
Tue Nov 10 08:59:25 EST 2015


Hi Asad,

Your evaluation is set up to look at all flows

- of type in, int2int, out, outweb, outicmp (did you also want inweb? If you want all flow types, you can leave out the TYPENAME line in the filters)
- going to a port in the list provided (is the $ sign in the list a typo?)
- that do not originate from your DMZ, VOIP, or RNS sets of IP addresses

It then tracks per SIP

- how many different DIPs are seen in those flows (DISTINCT DIP)
  - in case this isn't already clear: the DISTINCT DIP will only count the different DIPs per each SIP for flows that match the non-local-to-remote filter; it is possible that there are other DIPs that each SIP sends to, but with flows that do not match the filter
- and sets the threshold at 25 (>25) in a 6 minute time window (3600 seconds divided by 60 seconds in a minute is 6 minutes)

It then alerts only SIPs that meet these criteria in the last file processed (ALERT JUST_NEW_THIS_TIME)

You may not have SIPs that have 25+ different DIPs within a 6 minute time window. You can check counts with a STATISTIC block:

STATISTIC checkCountsDistinctDIPs
  FILTER non-local-to-remote
  FOREACH SIP
  DISTINCT DIP
  TIME WINDOW 6 MINUTES
  SEVERITY 7
  UPDATE 5 MINUTES
END STATISTIC

Let it run for a bit and see if you ever have SIPs that have 25+ distinct DIPs in the statistic output.
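To make the evaluation logic above concrete, here is an added Python model of what the pipeline computes (it is not part of the thread and not Analysis Pipeline code): it applies the non-local-to-remote filter, counts DISTINCT DIP per SIP inside a sliding time window, and returns the SIPs that exceed the threshold. The flow records, the port subset, and the LOCAL_EXCLUDE stand-in for the DMZ/voip/rns sets are all constructed for the example. Running it with the thread's threshold (>25 in 3600 s) against a host that touched seven worm ports in three minutes yields no alert, while the threshold the requirement actually asks for (5 IPs in 5 minutes) does fire, which is the mismatch the STATISTIC block is meant to reveal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not from the original thread). Fields mirror the
# SiLK attributes the pipeline filter uses: type, sip, dip, dport, start time.
FLOWS = [
    {"type": "out", "sip": "10.0.0.5", "dip": f"192.0.2.{i}", "dport": 445,
     "stime": datetime(2015, 11, 10, 8, 0, 0) + timedelta(seconds=30 * i)}
    for i in range(1, 8)          # 7 distinct DIPs within ~3.5 minutes
] + [
    {"type": "outweb", "sip": "10.0.0.9", "dip": "198.51.100.1", "dport": 80,
     "stime": datetime(2015, 11, 10, 8, 1, 0)},        # not a worm port
    {"type": "out", "sip": "10.0.0.7", "dip": "203.0.113.1", "dport": 445,
     "stime": datetime(2015, 11, 10, 8, 2, 0)},        # SIP is excluded below
]

WORM_PORTS = {135, 136, 137, 138, 139, 444, 445}   # subset of the thread's DPORT list
FLOW_TYPES = {"in", "int2int", "out", "outweb", "outicmp"}
LOCAL_EXCLUDE = {"10.0.0.7"}   # constructed stand-in for the DMZ/voip/rns IP sets


def non_local_to_remote(flow):
    """Model of the FILTER non-local-to-remote block: type, SIP exclusion, DPORT."""
    return (flow["type"] in FLOW_TYPES
            and flow["sip"] not in LOCAL_EXCLUDE
            and flow["dport"] in WORM_PORTS)


def distinct_dips_per_sip(flows, window, filt=non_local_to_remote):
    """FOREACH SIP / DISTINCT DIP over a sliding time window.

    Returns {sip: largest number of distinct DIPs seen inside any `window`}.
    Only flows that pass `filt` contribute, which is why a SIP's other traffic
    (e.g. port 80) never adds to its DIP count.
    """
    by_sip = defaultdict(list)
    for f in flows:
        if filt(f):
            by_sip[f["sip"]].append((f["stime"], f["dip"]))
    result = {}
    for sip, events in by_sip.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # window anchored at each event's start time
            dips = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(dips))
        result[sip] = best
    return result


def evaluate(flows, threshold, window):
    """CHECK THRESHOLD: DISTINCT DIP > threshold within `window`; return alerting SIPs."""
    counts = distinct_dips_per_sip(flows, window)
    return sorted(sip for sip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    # The thread's configuration: >25 DIPs in 3600 seconds -> nothing alerts.
    print("threshold 25 / 3600 s:", evaluate(FLOWS, 25, timedelta(seconds=3600)))
    # The stated requirement: 5 different IPs in 5 minutes -> 10.0.0.5 alerts.
    print("threshold 4 / 5 min:", evaluate(FLOWS, 4, timedelta(minutes=5)))
    # What a STATISTIC block would report for the same filter and window.
    print("distinct DIPs per SIP:", distinct_dips_per_sip(FLOWS, timedelta(minutes=6)))
```

The `distinct_dips_per_sip` output is the analogue of the STATISTIC block's counts: if the largest value you see there never exceeds the EVALUATION threshold, the EVALUATION cannot alert, regardless of the ALERT settings.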

From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org On Behalf Of asad
Sent: Tuesday, November 10, 2015 8:30 AM
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] analysis pipeline alerting issues with EVAL block

Hello,
I have a very simple alerting requirement:

"when a destination port matches ports which are considered 'worm ports' and traffic is sent to 5 different unique IPs in 5 minutes' time."

I know at the traffic level I'm getting the required data, since using traffic logs from the Cisco ASA (the same device is also sending NetFlow) it works as expected. I'm supposed to see an IP address, but in alert.log I see nothing. Below is the logic.
Any help?



FILTER outgoing-flows
TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
SIP NOT_IN_LIST "/root/silkydata/voip.set"
SIP NOT_IN_LIST "/root/silkydata/rns.set"
END FILTER

FILTER non-local-to-remote
TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
SIP NOT_IN_LIST "/root/silkydata/voip.set"
SIP NOT_IN_LIST "/root/silkydata/rns.set"
DPORT IN_LIST [135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998, 999, 8998, 3127, 3128, 3129, 3130, 3131, 3132, 3133, 3134, 3135, 3136, 3137, 3138, 3139, 3140, 3141, 3142, 3143,3146, 3147, 31$
END FILTER


EVALUATION  Systems_using_many_different_protocols
FILTER  non-local-to-remote
FOREACH SIP
CHECK THRESHOLD
DISTINCT DIP > 25
TIME_WINDOW 3600 SECONDS
END CHECK
SEVERITY 7
ALERT JUST_NEW_THIS_TIME
ALERT ALWAYS
CLEAR NEVER
END EVALUATION