An example that detects slow scan activity by identifying patterns of syslog entries. The module correlates two kinds of entry:
An IDS warning that a machine has been attacked by the worm.
An excessive number of NETBIOS packets from that attacked machine within the time threshold.
The module is parameterized:
Parameter | Description
BackDoorWatchDuration | Number of hours after an attack during which the attacked machine should be monitored.
AlertThresholdCount | Number of NETBIOS packets that are considered to be "excessive".
AlertThresholdDuration | Number of microseconds within which AlertThresholdCount must be exceeded for NETBIOS packets to be considered excessive.
AlertThresholdCountPlus1 | AlertThresholdCount + 1; used to size a window in one of the queries in the module.
Production environments generate a large number of syslog entries from many machines. At any time only a relatively small number of machines have been attacked by viruses and are therefore under suspicion. The module is therefore split into several queries so that each later query works on as small a stream as possible, which minimizes the load on the Sybase CEP Engine.
The first query creates a stream containing only the attack entries from the IDS. This prefiltering keeps the second query's WatchWindow small, because WatchWindow then holds information only about machines that have actually been attacked rather than about all machines.
The second query passes through only NETBIOS activity from machines that have been attacked within the last $BackDoorWatchDuration hours. This minimizes the window size in the third query.
The third query creates an alert when more than $AlertThresholdCount suspicious rows from one machine occur within $AlertThresholdDuration.
The fourth query formats the alert.
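The four-stage pipeline written out in Python, as an added example rather than the page's own CCL module, so the filtering order and the threshold check can be run against a few log lines. The syslog line format, the parameter values and the log lines are constructed for the demo, and treating AlertThresholdCountPlus1 as the size of a per-machine row-count window (when the window is full and its oldest and newest rows lie within AlertThresholdDuration, the count has been exceeded) is my reading of why that parameter exists, not something the page states.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Module parameters. The page names them; these values are assumed for the demo.
BACKDOOR_WATCH_DURATION = timedelta(hours=2)             # BackDoorWatchDuration
ALERT_THRESHOLD_COUNT = 3                                # AlertThresholdCount
ALERT_THRESHOLD_DURATION_US = 10_000_000                 # AlertThresholdDuration (microseconds)
ALERT_THRESHOLD_COUNT_PLUS1 = ALERT_THRESHOLD_COUNT + 1  # AlertThresholdCountPlus1 (window size)

# Constructed syslog lines: '<ISO timestamp> <host> <source>: <message>' (format assumed).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 10.0.0.5 ids: worm attack detected from 203.0.113.9",
    "2024-05-01T10:00:02 10.0.0.5 sshd: Accepted publickey for ops",
    "2024-05-01T10:00:05 10.0.0.5 netbios: NBT name query to 10.0.0.7:137",
    "2024-05-01T10:00:07 10.0.0.5 netbios: NBT name query to 10.0.0.8:137",
    "2024-05-01T10:00:09 10.0.0.5 netbios: NBT name query to 10.0.0.9:137",
    "2024-05-01T10:00:11 10.0.0.5 netbios: NBT name query to 10.0.0.10:137",  # 4th in 6 s: alert
    "2024-05-01T10:00:05 10.0.0.6 netbios: NBT name query to 10.0.0.7:137",   # never attacked
    "2024-05-01T10:00:07 10.0.0.6 netbios: NBT name query to 10.0.0.8:137",
    "2024-05-01T10:00:09 10.0.0.6 netbios: NBT name query to 10.0.0.9:137",
    "2024-05-01T10:00:11 10.0.0.6 netbios: NBT name query to 10.0.0.10:137",
    "2024-05-01T10:00:30 10.0.0.5 netbios: NBT name query to 10.0.0.11:137",  # spread out: no alert
    "2024-05-01T10:00:50 10.0.0.5 netbios: NBT name query to 10.0.0.12:137",
    "2024-05-01T10:01:10 10.0.0.5 netbios: NBT name query to 10.0.0.13:137",
    "2024-05-01T10:01:30 10.0.0.5 netbios: NBT name query to 10.0.0.14:137",
    "2024-05-01T13:00:05 10.0.0.5 netbios: NBT name query to 10.0.0.15:137",  # > 2 h after attack
]


def parse_syslog(lines):
    """Parse the constructed line format into (timestamp, host, source, message), time ordered."""
    events = []
    for line in lines:
        ts_str, host, rest = line.split(" ", 2)
        source, message = rest.split(": ", 1)
        events.append((datetime.fromisoformat(ts_str), host, source, message))
    events.sort(key=lambda e: e[0])  # a CEP engine sees the stream in timestamp order
    return events


def query1_attacks(events):
    """Query 1: keep only IDS entries reporting an attack -> stream of (timestamp, host)."""
    return [(ts, host) for ts, host, src, msg in events
            if src == "ids" and "attack" in msg.lower()]


def query2_netbios_from_attacked(events, attacks):
    """Query 2: pass NETBIOS entries only from hosts attacked within BackDoorWatchDuration.

    attacks_by_host plays the role of WatchWindow: it holds only attacked machines.
    """
    attacks_by_host = defaultdict(list)
    for ts, host in attacks:
        attacks_by_host[host].append(ts)
    return [(ts, host) for ts, host, src, _ in events
            if src == "netbios"
            and any(a <= ts <= a + BACKDOOR_WATCH_DURATION for a in attacks_by_host.get(host, ()))]


def query3_excessive(netbios):
    """Query 3: per-host window of AlertThresholdCountPlus1 rows.

    A full window whose oldest and newest rows lie within AlertThresholdDuration means
    more than AlertThresholdCount packets arrived in that interval -> alert.
    """
    windows = defaultdict(lambda: deque(maxlen=ALERT_THRESHOLD_COUNT_PLUS1))
    alerts = []
    for ts, host in netbios:
        w = windows[host]
        w.append(ts)
        if len(w) == ALERT_THRESHOLD_COUNT_PLUS1:
            span_us = int((w[-1] - w[0]).total_seconds() * 1_000_000)
            if span_us <= ALERT_THRESHOLD_DURATION_US:
                alerts.append((ts, host, len(w), span_us))
                w.clear()  # one alert per burst rather than one per extra packet
    return alerts


def query4_format(alerts):
    """Query 4: render each alert as a single line."""
    return [f"{ts.isoformat()} ALERT excessive NETBIOS from attacked host {host}: "
            f"{n} packets in {us / 1_000_000:.3f}s" for ts, host, n, us in alerts]


def run_module(lines):
    events = parse_syslog(lines)
    attacks = query1_attacks(events)
    netbios = query2_netbios_from_attacked(events, attacks)
    return query4_format(query3_excessive(netbios))


if __name__ == "__main__":
    for line in run_module(SAMPLE_LOG):
        print(line)
```

Only one alert fires: host 10.0.0.6 sends the same burst but is dropped by query 2 because it was never attacked, the second burst from 10.0.0.5 is too spread out to fill the window within the duration, and the entry three hours after the attack is outside the watch duration. The point of the staged filtering is visible in the sizes: query 3 only ever holds a handful of timestamps for attacked hosts, not a window over every machine's NETBIOS traffic.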