[netsa-tools-discuss] analysis pipeline alerting issues with EVAL block

asad a.alii85 at gmail.com
Wed Nov 11 05:34:27 EST 2015


Here is the result of the filter

farhan at netflow:~$ rwfilter --sensor=S0 --type=int2int
--saddress=10.10.81.74 --start-date=2015/11/6  --dport=137
--pass=stdout  | rwstats --fields=sip,dip --values=records --top
--count=5
INPUT: 142555 Records for 2944 Bins and 142555 Total Records
OUTPUT: Top 5 Bins by Records
            sIP|            dIP|   Records|  %Records|   cumul_%|
    10.10.81.74|  192.168.33.74|        96|  0.067342|  0.067342|
    10.10.81.74|  192.168.172.1|        96|  0.067342|  0.134685|
    10.10.81.74| 192.168.181.45|        96|  0.067342|  0.202027|
    10.10.81.74| 192.168.172.17|        96|  0.067342|  0.269370|
    10.10.81.74|   10.10.232.21|        96|  0.067342|  0.336712|


Now, I'm not sure why the ALERT is still not seen.

The auxLog.log shows

"
2015-11-10 05:22:08|Memory_Reset|5|Systems_using_many_different_protocols|130396|Common-worm-portS|0|Excessive-firwall-accepts-From-Multiple-Sources-to-a-Single-Destination|0|"


My updated pipeline.conf says

FILTER non-local-to-remote
TYPENAME IN_LIST [int2int]
SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
SIP NOT_IN_LIST "/root/silkydata/voip.set"
SIP NOT_IN_LIST "/root/silkydata/rns.set"
DPORT IN_LIST [135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998,
999, 8998, 3127, 3128, 3129, 3130, 3131, 3132, 3133, 3134, 3135, 3136,
3137, 3138, 3139, 3140, 3141, 3142, 3143,3146, 3147, 31$
END FILTER


EVALUATION  Systems_using_many_different_protocols
FILTER outgoing-flows
FOREACH SIP
CHECK THRESHOLD
DISTINCT DPORT > 25
TIME_WINDOW 3600 SECONDS
END CHECK
SEVERITY 7
ALERT JUST_NEW_THIS_TIME
ALERT ALWAYS
CLEAR NEVER
END EVALUATION


EVALUATION  Common-worm-ports
FILTER non-local-to-remote
FOREACH SIP
CHECK THRESHOLD
DISTINCT DIP > 5
TIME_WINDOW 300 SECONDS
END CHECK
SEVERITY 7
ALERT ALWAYS
CLEAR NEVER
END EVALUATION

On 11/10/15, Timur D. Snoke <tdsnoke at cert.org> wrote:
> Asad,
>
> The more information you provide the better our ability to help you work
> through what your configuration will need to be.
>
> It is good to be using TYPENAME as a limiting factor at the start of your
> FILTER, often we see that at least half of the traffic by volume is web
> traffic so excluding that from your EVALUATION will provide a performance
> improvement.
>
> The INT2INT traffic usually reflects an incomplete site definition, it would
> be good to fix that because you might find that you have to make special
> accommodations in your FILTER composition.
>
> I  hope this helps,
>
> --
> Timur Snoke
> Network Defense Analyst
> CERT/CC - Network Situational Awareness
> Software Engineering Institute (SEI)
> O: (412) 268-7806
>
> From: asad <a.alii85 at gmail.com<mailto:a.alii85 at gmail.com>>
> Date: Tuesday, November 10, 2015 at 9:32 AM
> To: timur snoke <tdsnoke at cert.org<mailto:tdsnoke at cert.org>>
> Subject: Re: [netsa-tools-discuss] analysis pipeline alerting issues with
> EVAL block
>
>
>
>
>
> On Tue, Nov 10, 2015 at 6:56 PM, Timur D. Snoke
> <tdsnoke at cert.org<mailto:tdsnoke at cert.org>> wrote:
> Hello Asad,
>
> This is an interesting question but I am not sure I understand from your
> description what you are trying to capture.
>
> Thanks Timur,
>
> Let me re-explain it in a clear way.
>
>
>
> You are using type and defining SIP in your filters but do not really
> explain it in your use case.
>
> In my case I want the source IP which is involved in communicating with
> common worm ports to at least 5 different destination IPs. Further, I want
> this to match as many as 5 times. I think I need RECORD COUNT >5?
>
>
> Are you looking for outside hosts that are trying to scan these ports on
> multiple hosts inside your network?
> If this is the case you should just use IN for your TYPENAME, there are no
> web ports or icmp traffic that you are concerned with in your port list. If
> the initiating host is outside then you wouldn’t want INT2INT, OUT or
> OUTWEB. This change will potentially limit the total number of flows being
> evaluated.
>
> In my current system which is SIEM the rules are firing for traffic
> direction which is int2int.
>
>
> Can you show example flows that should match but don't?
>
> I will prepare rwfilter results for you and get back to you. I have
> evidence of it using traffic logs from the Cisco ASA; I can show that if you
> want.
>
> --
> Timur Snoke
> Network Defense Analyst
> CERT/CC - Network Situational Awareness
> Software Engineering Institute (SEI)
> O: (412) 268-7806
>
> From:
> <netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org<mailto:netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org>>
> on behalf of asad <a.alii85 at gmail.com<mailto:a.alii85 at gmail.com>>
> Date: Tuesday, November 10, 2015 at 8:30 AM
> To: "netsa-tools-discuss at cert.org<mailto:netsa-tools-discuss at cert.org>"
> <netsa-tools-discuss at cert.org<mailto:netsa-tools-discuss at cert.org>>
> Subject: [netsa-tools-discuss] analysis pipeline alerting issues with EVAL
> block
>
> Hello,
>
> I have a very simple alerting requirement
>
> "
> when a destination port matches ports which are considered 'worm ports',
> traffic is sent to 5 different unique IPs in 5 minutes' time.
>
> "
>
> I know at the traffic level I'm getting the required data, since using
> traffic logs from the Cisco ASA (the same device is also sending NetFlow) it
> works as expected. I'm supposed to see an IP address, but in alert.log I see
> nothing. Below is the logic.
>
> Any help?
>
>
>
> FILTER outgoing-flows
> TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
> SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
> SIP NOT_IN_LIST "/root/silkydata/voip.set"
> SIP NOT_IN_LIST "/root/silkydata/rns.set"
> END FILTER
>
> FILTER non-local-to-remote
> TYPENAME IN_LIST [in,int2int,out,outweb,outicmp]
> SIP NOT_IN_LIST "/root/silkydata/DMZ.set"
> SIP NOT_IN_LIST "/root/silkydata/voip.set"
> SIP NOT_IN_LIST "/root/silkydata/rns.set"
> DPORT IN_LIST [135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998, 999,
> 8998, 3127, 3128, 3129, 3130, 3131, 3132, 3133, 3134, 3135, 3136, 3137,
> 3138, 3139, 3140, 3141, 3142, 3143,3146, 3147, 31$
> END FILTER
>
>
> EVALUATION  Systems_using_many_different_protocols
> FILTER  non-local-to-remote
> FOREACH SIP
> CHECK THRESHOLD
> DISTINCT DIP > 25
> TIME_WINDOW 3600 SECONDS
> END CHECK
> SEVERITY 7
> ALERT JUST_NEW_THIS_TIME
> ALERT ALWAYS
> CLEAR NEVER
> END EVALUATION
>
>


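The two EVALUATION blocks in this thread both express the same pattern: FOREACH SIP, count DISTINCT values of one field (DIP or DPORT) inside a TIME_WINDOW, and alert when the count exceeds a THRESHOLD. The Python below re-implements that logic over rwcut-style flow records so the check can be run against a known input and the expected alerts confirmed before looking at pipeline.conf. It is an added example, not Analysis Pipeline's code and not the poster's data: the flow records are constructed, the contents of the DMZ/voip/rns IPsets are stood in for by a single assumed address, only the ports that are fully visible in the posted (truncated) DPORT list are reproduced, and a plain sliding window ending at each flow's start time is assumed for TIME_WINDOW, which may differ from how Analysis Pipeline bins time internally.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports fully visible in the thread's DPORT IN_LIST (the posted list is cut off
# at "31$", so anything after 3147 is not reproduced here).
WORM_PORTS = {135, 136, 137, 138, 139, 444, 445, 995, 996, 997, 998, 999, 8998,
              3127, 3128, 3129, 3130, 3131, 3132, 3133, 3134, 3135, 3136, 3137,
              3138, 3139, 3140, 3141, 3142, 3143, 3146, 3147}

# Assumed stand-in for the three IPsets the FILTER excludes (DMZ/voip/rns).
EXCLUDED_SIPS = {"10.10.200.5"}


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    dport: int
    stime: datetime
    type: str


def parse_rwcut(text):
    """Parse '|'-delimited rwcut output with fields sip,dip,dport,stime,type."""
    flows = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        if cols[0] == "sIP":  # header row
            continue
        flows.append(Flow(cols[0], cols[1], int(cols[2]),
                          datetime.strptime(cols[3], "%Y/%m/%dT%H:%M:%S.%f"),
                          cols[4]))
    return flows


def filter_outgoing(flow):
    """FILTER outgoing-flows: TYPENAME int2int, SIP not in the excluded sets."""
    return flow.type == "int2int" and flow.sip not in EXCLUDED_SIPS


def filter_non_local_to_remote(flow):
    """FILTER non-local-to-remote: outgoing-flows plus DPORT in the worm-port list."""
    return filter_outgoing(flow) and flow.dport in WORM_PORTS


def distinct_threshold(flows, field, threshold, window_seconds):
    """FOREACH SIP / CHECK THRESHOLD DISTINCT <field> > threshold / TIME_WINDOW.

    Returns {sip: (time the check tripped, sorted distinct values)} for every
    SIP whose distinct `field` values inside a sliding window of
    window_seconds (ending at each flow's sTime) exceed the threshold.
    """
    by_sip = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.stime):
        by_sip[f.sip].append(f)
    alerts = {}
    for sip, recs in by_sip.items():
        window = []
        for f in recs:
            window.append(f)
            cutoff = f.stime - timedelta(seconds=window_seconds)
            window = [w for w in window if w.stime >= cutoff]
            distinct = {getattr(w, field) for w in window}
            if len(distinct) > threshold:
                alerts[sip] = (f.stime, sorted(distinct))
                break
    return alerts


def evaluate(flows):
    """Run both EVALUATION blocks from the thread over parsed flows."""
    return {
        "Systems_using_many_different_protocols": distinct_threshold(
            [f for f in flows if filter_outgoing(f)], "dport", 25, 3600),
        "Common-worm-ports": distinct_threshold(
            [f for f in flows if filter_non_local_to_remote(f)], "dip", 5, 300),
    }


def _rows(sip, dip_port_pairs, start, step_seconds):
    """Build constructed rwcut lines: one flow per (dip, dport), step_seconds apart."""
    out, t = [], start
    for dip, dport in dip_port_pairs:
        out.append(f"{sip}|{dip}|{dport}|{t.strftime('%Y/%m/%dT%H:%M:%S.%f')[:-3]}|int2int|")
        t += timedelta(seconds=step_seconds)
    return out


_T0 = datetime(2015, 11, 6, 10, 0, 0)
# Constructed sample: .74 hits 6 hosts on 137 within 150 s (should alert);
# .75 hits 6 hosts on 445 but 120 s apart, never 6 inside 300 s (should not);
# 10.10.200.5 is in the excluded set (filtered out); .76 touches 26 ports on
# one host inside an hour (trips the many-protocols check only).
SAMPLE_RWCUT = "\n".join(
    ["sIP|dIP|dPort|sTime|type|"]
    + _rows("10.10.81.74", [(f"192.168.33.{i}", 137) for i in range(1, 7)], _T0, 30)
    + _rows("10.10.81.75", [(f"192.168.34.{i}", 445) for i in range(1, 7)], _T0, 120)
    + _rows("10.10.200.5", [(f"192.168.35.{i}", 137) for i in range(1, 7)], _T0, 10)
    + _rows("10.10.81.76", [("192.168.1.1", p) for p in range(1000, 1026)], _T0, 60)
)

if __name__ == "__main__":
    for name, hits in evaluate(parse_rwcut(SAMPLE_RWCUT)).items():
        for sip, (when, values) in hits.items():
            print(f"{when:%Y-%m-%d %H:%M:%S}|{name}|{sip}|{len(values)} distinct")
```

Feeding real data in is a matter of replacing SAMPLE_RWCUT with the output of `rwfilter ... --pass=stdout | rwcut --fields=sip,dip,dport,stime,type`; if a source that the SIEM flags does not trip `distinct_threshold` here either, the question becomes one of window placement or filter membership rather than of the EVALUATION syntax.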