Robert G. Brown | 2 Sep 2005 16:47

feature/module suggestion

Hi y'all.  Since I'm now using epylog reports daily I'd like to suggest
a feature or module (that may be a hack of an existing module).

Right now in physics we parse e.g. failed root attempts and failed login
attempts for users.  Some of those exhibit a clear pattern of abuse --
e.g.  a single site trying to hit root and lots of other accounts on all
or a large list of hosts.  This is great, but it doesn't make it at all
easy to see if any of the attempts succeed, or if somebody from that
site comes back three days later and exploits their momentary success.
Just too much detail in too long a logfile report, generated several
times a day.

So what I'd suggest is that a module be developed that:

  If site X (! in trusted networks or trusted hosts list) fails in more
than Y root login attempts or Z user login attempts on more than H
hosts, site is added to watchlist and timestamped (or uniq'd against
previous attempts and re-timestamped).  Short report is generated saying
something like "Site X added to watchlist for excessive/automated login
attempts at ${timestamp}"

  If login to ANY account from ANY watchlist site succeeds, generate
report to that effect, flagging affected host and account for immediate
attention.

  watchlist is "groomed" daily, and watchlist sites that have timestamps
more than D days old age out (to keep it from growing without bound).
Optionally a report is generated warning that site X is being removed
from watchlist.

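
As an added example (not epylog code and not anything posted in this thread), here is a Python sketch of the watchlist logic described in the post above. It is written in Python because that is the language the epylog maintainers expect of modules (see Konstantin's reply later in the thread). Everything specific in it is an assumption for illustration: the sshd/syslog line format, the constructed sample lines, the trusted network 192.0.2.0/24, the thresholds Y=2 root failures, Z=5 user failures, H=1 host, D=7 days, and the reading that the "more than H hosts" condition applies to both the root and the user thresholds. Syslog timestamps carry no year, so one is supplied.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog shape (not real data).
SAMPLE_LOG = """\
Sep  2 10:01:05 host1 sshd[1201]: Failed password for root from 203.0.113.9 port 40111 ssh2
Sep  2 10:01:07 host1 sshd[1202]: Failed password for invalid user oracle from 203.0.113.9 port 40112 ssh2
Sep  2 10:01:09 host2 sshd[2201]: Failed password for root from 203.0.113.9 port 40113 ssh2
Sep  2 10:01:11 host3 sshd[3301]: Failed password for root from 203.0.113.9 port 40114 ssh2
Sep  2 10:02:00 host1 sshd[1210]: Failed password for rgb from 192.0.2.5 port 50001 ssh2
Sep  2 10:02:03 host1 sshd[1211]: Failed password for rgb from 192.0.2.5 port 50002 ssh2
Sep  5 08:30:00 host2 sshd[2290]: Accepted password for rgb from 203.0.113.9 port 40999 ssh2
Sep  9 09:00:00 host1 sshd[1400]: Accepted publickey for rgb from 192.0.2.5 port 50100 ssh2
"""

# Assumed line shape: "<Mon dd HH:MM:SS> <host> sshd[pid]: Failed|Accepted <method> for [invalid user ]<user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


class Watchlist:
    """Flag sites that fail logins across many hosts, alert on any later
    success from them, and age entries out after D days (hypothetical module)."""

    def __init__(self, trusted, root_thresh, user_thresh, host_thresh,
                 max_age_days, year=2005):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.y, self.z, self.h = root_thresh, user_thresh, host_thresh  # Y, Z, H
        self.max_age = timedelta(days=max_age_days)                     # D
        self.year = year  # syslog lines carry no year; assumed here
        self.fails = defaultdict(lambda: {"root": 0, "user": 0, "hosts": set()})
        self.watch = {}   # ip -> timestamp of the last qualifying failure
        self.reports = []

    def _is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def _report(self, msg):
        self.reports.append(msg)
        return msg

    def feed(self, line):
        """Consume one log line; return the report string it raised, if any."""
        m = LINE_RE.match(line)
        if m is None or self._is_trusted(m["ip"]):
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, host, user = m["ip"], m["host"], m["user"]
        if m["result"] == "Accepted":
            # Any success from a watchlisted site is flagged for immediate attention.
            if ip in self.watch:
                return self._report(f"ALERT: successful login to {user}@{host} "
                                    f"from watchlisted site {ip} at {ts}")
            return None
        rec = self.fails[ip]
        rec["root" if user == "root" else "user"] += 1
        rec["hosts"].add(host)
        exceeded = ((rec["root"] > self.y or rec["user"] > self.z)
                    and len(rec["hosts"]) > self.h)
        if not exceeded:
            return None
        already = ip in self.watch
        self.watch[ip] = ts  # add, or re-timestamp an existing entry
        if already:
            return None
        return self._report(f"WATCHLIST: {ip} added for excessive/automated login "
                            f"attempts at {ts} ({rec['root']} root, {rec['user']} user "
                            f"failures on {len(rec['hosts'])} hosts)")

    def groom(self, now):
        """Drop entries whose last activity is older than D days; return them."""
        expired = [ip for ip, ts in self.watch.items() if now - ts > self.max_age]
        for ip in expired:
            self._report(f"NOTICE: {ip} removed from watchlist, "
                         f"last activity {self.watch[ip]}")
            del self.watch[ip]
            self.fails.pop(ip, None)
        return expired


def run(lines, now, **kw):
    """Feed every line, then groom as of `now` (ISO date string); return the Watchlist."""
    wl = Watchlist(**kw)
    for line in lines.splitlines():
        wl.feed(line)
    wl.groom(datetime.fromisoformat(now))
    return wl


if __name__ == "__main__":
    wl = run(SAMPLE_LOG, "2005-09-10", trusted=["192.0.2.0/24"],
             root_thresh=2, user_thresh=5, host_thresh=1, max_age_days=7)
    print("\n".join(wl.reports))
```

Fed the constructed lines with those thresholds, it puts 203.0.113.9 on the watchlist at its third root failure (the first that satisfies "more than 2 root failures on more than 1 host"), ignores the failures from the trusted 192.0.2.5, raises the alert on the later accepted login from 203.0.113.9, and ages the entry out when groomed as of 10 September. The counters are in memory only; a real module would persist `watch` and `fails` between runs, since the whole point is catching a return visit days later.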

nathan r. hruby | 2 Sep 2005 19:05

Re: feature/module suggestion

On Fri, 2 Sep 2005, Robert G. Brown wrote:

> Hi y'all.  Since I'm now using epylog reports daily I'd like to suggest
> a feature or module (that may be a hack of an existing module).
>
> Right now in physics we parse e.g. failed root attempts and failed login
> attempts for users.  Some of those exhibit a clear pattern of abuse --
> e.g.  a single site trying to hit root and lots of other accounts on all
> or a large list of hosts.  This is great, but it doesn't make it at all
> easy to see if any of the attempts succeed, or if somebody from that
> site comes back three days later and exploits their momentary success.
> Just too much detail in too long a logfile report, generated several
> times a day.
>
> So what I'd suggest is that a module be developed that:
>
> If site X (! in trusted networks or trusted hosts list) fails in more
> than Y root login attempts or Z user login attempts on more than H
> hosts, site is added to watchlist and timestamped (or uniq'd against
> previous attempts and re-timestamped).  Short report is generated saying
> something like "Site X added to watchlist for excessive/automated login
> attempts at ${timestamp}"
>
> If login to ANY account from ANY watchlist site succeeds, generate
> report to that effect, flagging affected host and account for immediate
> attention.
>
> watchlist is "groomed" daily, and watchlist sites that have timestamps
> more than D days old age out (to keep it from growing without bound).
> Optionally a report is generated warning that site X is being removed

Robert G. Brown | 2 Sep 2005 20:37

Re: feature/module suggestion

On Fri, 2 Sep 2005, nathan r. hruby wrote:

> I think this is beyond the scope of epylog, which I think really just
> wants to wash a chunk of logs so you have a good idea as to what's
> happening at a glance.  It's a distiller, not a correlator.
> 
> There are tools like SWATCH or SEC that can do this very easily for you in
> a realtime fashion.

...

> SEC (Simple Event Correlator) can be found here:
> http://kodu.neti.ee/~risto/sec/

Interesting.  Thanks.  I'll see if this might serve.  Swatch seems a bit
on the abandoned side -- no toplevel project site (any more), no rpms in
major distros.  SEC at least seems to be currently actively
supported and with a mailing list and all.

Also, I >>can<< code in perl at least competently if not well, so there
is a reasonable chance that if SEC won't do just what I'd like that I
can hack it so that it will.  Certainly looks like it is very close.  I
could probably even find a way to run it on epylog output, from the
looks of it, as easily as on /var/log/messages (collective) directly.
Some of the distilling done by epylog (e.g. compression of repeated
events into an event and a count) might make it really easy to write a
ruleset like the one I described.

Or it looks like one maybe COULD turn sec.pl into a module for epylog
itself, except that it also looks like perl modules are deprecated.

nathan r. hruby | 2 Sep 2005 21:13

Re: feature/module suggestion

On Fri, 2 Sep 2005, Robert G. Brown wrote:

> On Fri, 2 Sep 2005, nathan r. hruby wrote:
>
>> I think this is beyond the scope of epylog, which I think really just
>> wants to wash a chunk of logs so you have a good idea as to what's
>> happening at a glance.  It's a distiller, not a correlator.
>>
>> There are tools like SWATCH or SEC that can do this very easily for you in
>> a realtime fashion.
>
> ...
>
>> SEC (Simple Event Correlator) can be found here:
>> http://kodu.neti.ee/~risto/sec/
>
> Interesting.  Thanks.  I'll see if this might serve.  Swatch seems a bit
> on the abandoned side -- no toplevel project site (any more), no rpms in
> major distros.  SEC at least seems to be currently actively
> supported and with a mailing list and all.
>
> Also, I >>can<< code in perl at least competently if not well, so there
> is a reasonable chance that if SEC won't do just what I'd like that I
> can hack it so that it will.  Certainly looks like it is very close.  I
> could probably even find a way to run it on epylog output, from the
> looks of it, as easily as on /var/log/messages (collective) directly.
> Some of the distilling done by epylog (e.g. compression of repeated
> events into an event and a count) might make it really easy to write a
> ruleset like the one I described.
>

Konstantin Ryabitsev | 2 Sep 2005 21:15

Re: feature/module suggestion

On Fri, 2005-02-09 at 15:13 -0400, nathan r. hruby wrote:
> > Or it looks like one maybe COULD turn sec.pl into a module for epylog
> > itself, except that it also looks like perl modules are deprecated.
> > I'll look it over and try it as I have time.
> >
> 
> Yah.  IIRC, modules are a non-good thing.

Yes, please stay away from non-Python modules. :)

--icon
Erik Romijn | 2 Sep 2005 17:09

Re: feature/module suggestion

On Fri, 02-09-2005 at 10:47 -0400, Robert G. Brown wrote:
> So what I'd suggest is that a module be developed that:
> 
>   If site X (! in trusted networks or trusted hosts list) fails in more
> than Y root login attempts or Z user login attempts on more than H
> hosts, site is added to watchlist and timestamped (or uniq'd against
> previous attempts and re-timestamped).  Short report is generated saying
> something like "Site X added to watchlist for excessive/automated login
> attempts at ${timestamp}"
> [...]

Seems like a very useful feature.
Maybe we should also add an auto-abuse-mail sender to that ;-)

> a) I don't know python (yet)
> b) I'm really amazingly busy

Same here, so don't expect much input from me.

greets,
Erik
