List: prelude-devel
Subject: [prelude-devel] Fw: PPP/PPTP/L2TP prelude-lml sensor rules
From: "Alexander Afonyashin" <firm () iname ! com>
Date: 2008-12-15 13:52:25
Message-ID: 20081215135225.D557B478088 () ws1-5 ! us4 ! outblaze ! com
Hi everyone,
Good news: the ruleset was updated and is now being tested in a working environment.
Bad news: to support reporting of successful logins I need to set the PPP context to an infinite expire time (it can be done by setting the time to zero). But I can't see how to destroy a PPP context manually (without setting the expire time). Without deleting, there will be zombie PPP contexts. The command should be like delete_context=PPP_$1.
----- Original Message -----
From: "Alexander Afonyashin"
To: prelude-devel@prelude-ids.org
Subject: [prelude-devel] PPP/PPTP/L2TP prelude-lml sensor rules
Date: Thu, 11 Dec 2008 19:40:15 +0300
Hi everyone,
I'm writing a new ruleset to monitor pppd+poptop daemon log events.
Some questions need to be answered. Here they are:
1. To record the IP address assigned to the remote client by the PPP server, we need to start a context at the IPCP phase. But I see no reason to do this, since if the remote client doesn't supply a user name later then we have a single 'telnet-like' connect, and there's no reason to generate an alert. Ideas?
2. There's no way (at least in my ppp/pptpd logs) to determine which PID is that of the forked ppp process. So the only way to bind the supplied user name to its remote IP address is to wait until the connection finishes. Does anyone have an idea about it?
3. The PPP context should live until the session ends. So it has a zero (unlimited?) lifetime. How do I delete this context together with the PPTPD context when the alert is fully composed?
4. Do we need (are there IDMEF fields for) the IP address assigned to the remote user by the server?
5. Do we need (are there IDMEF fields) to provide the authentication protocol type and tunnel number?
Below is the very first draft of this ruleset:
# PPP/PPTP/L2TP VPN Server rules
# Copyright (C) 2008 Alexander Afonyashin
#
# Sample log lines the rules are written against:
#Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection started
#Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Starting call (launching pppd, opening GRE)
#Dec 4 23:01:25 beorc ppp[24796]: tun2: IPCP: Selected IP address 5.6.7.8

# Login succeeded
#Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin)
# Open a PPP context keyed on the pppd PID; expire:0 keeps it until it is deleted.
regex=ppp\[(\d+)\]: \S+: Phase: \S+ Input: RESPONSE \(\d+ bytes from (\S+)\); \
new_context=PPP_$1,expire:0; \
target(0).user.user_id(0).type=target-user; \
target(0).user.user_id(0).name=$2; \
silent;

#Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: SUCCESS
regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: SUCCESS; \
require_context=PPP_$1; \
assessment.impact.severity=low; \
assessment.impact.completion=succeeded; \
assessment.impact.type=user; \
silent;

#Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Reaping child PPP[24796]
# Bind the pptpd control-connection PID to the pppd PID of the finished session.
regex=pptpd\[(\d+)\]: CTRL: \S+ \S+ PPP\[(\d+)\]; \
require_context=PPP_$2; \
new_context=PPTPD_$1,expire:5; \
silent;

#Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection finished
# The client address is only known here, so the alert is emitted at this point.
regex=pptpd\[(\d+)\]: CTRL: Client (\S+) control; \
require_context=PPTPD_$1; \
source(0).node.address(0).address=$2; \
last;

# Login failed
#Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: FAILURE
regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: FAILURE; \
require_context=PPP_$1; \
assessment.impact.severity=medium; \
assessment.impact.completion=failed; \
assessment.impact.type=user; \
silent;
Best regards,
Alexander Afonyashin
_______________________________________________
Prelude-devel site list
Prelude-devel@prelude-ids.org
http://lists.prelude-ids.org/mailman/listinfo/prelude-devel
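The context correlation the draft ruleset performs, replayed in Python over constructed log lines (an added illustration, not code from the mail or from prelude-lml). The `dict.pop` on the reaping line stands in for the explicit context deletion the post asks for; the third session, which is never reaped, shows the leftover context that an expire:0 PPP context leaves behind without it.

```python
import re

# Constructed sample log modelled on the lines quoted in the draft ruleset:
# one successful CHAP login, one failed one, and one session that is never reaped.
SAMPLE_LOG = """\
Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection started
Dec 4 23:01:25 beorc ppp[24796]: tun2: IPCP: Selected IP address 5.6.7.8
Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Input: RESPONSE (49 bytes from alice)
Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: SUCCESS
Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Reaping child PPP[24796]
Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection finished
Dec 4 23:02:10 beorc ppp[24800]: tun3: Phase: Chap Input: RESPONSE (49 bytes from bob)
Dec 4 23:02:10 beorc ppp[24800]: tun3: Phase: Chap Output: FAILURE
Dec 4 23:02:11 beorc pptpd[24799]: CTRL: Reaping child PPP[24800]
Dec 4 23:02:11 beorc pptpd[24799]: CTRL: Client 9.9.9.9 control connection finished
Dec 4 23:03:00 beorc ppp[24900]: tun4: Phase: Chap Input: RESPONSE (49 bytes from carol)
"""

# Same patterns as the draft rules; the SUCCESS and FAILURE rules are merged into one.
RE_RESPONSE = re.compile(r"ppp\[(\d+)\]: \S+: Phase: \S+ Input: RESPONSE \(\d+ bytes from (\S+)\)")
RE_RESULT = re.compile(r"ppp\[(\d+)\]: \S+: Phase: \S+ Output: (SUCCESS|FAILURE)")
RE_REAP = re.compile(r"pptpd\[(\d+)\]: CTRL: Reaping child PPP\[(\d+)\]")
RE_FINISH = re.compile(r"pptpd\[(\d+)\]: CTRL: Client (\S+) control connection finished")


def correlate(log):
    """Replay the draft's context logic; return (alerts, contexts left behind)."""
    ctx = {}  # context name -> partially built alert, like lml's PPP_/PPTPD_ contexts
    alerts = []
    for line in log.splitlines():
        if m := RE_RESPONSE.search(line):  # new_context=PPP_$1,expire:0
            ctx["PPP_" + m[1]] = {"user": m[2]}
        elif m := RE_RESULT.search(line):  # require_context=PPP_$1
            c = ctx.get("PPP_" + m[1])
            if c is not None:
                c["completion"] = "succeeded" if m[2] == "SUCCESS" else "failed"
                c["severity"] = "low" if m[2] == "SUCCESS" else "medium"
        elif m := RE_REAP.search(line):  # require_context=PPP_$2; new_context=PPTPD_$1
            c = ctx.pop("PPP_" + m[2], None)  # explicit deletion: no zombie PPP context
            if c is not None:
                ctx["PPTPD_" + m[1]] = c
        elif m := RE_FINISH.search(line):  # require_context=PPTPD_$1; address=$2; last
            c = ctx.pop("PPTPD_" + m[1], None)
            if c is not None:
                c["address"] = m[2]
                alerts.append(c)
    return alerts, ctx
```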