
I've written a rule to alert on ssh events with "failed password". The rule is here:

rule "Hello World"
  when
    // count every "Failed password" event in a sliding 59-second window,
    // regardless of its source address
    accumulate( m: Message( eventType == "Failed password" )
                over window:time( 59s ); s: count(m); s > 3 )
  then
    System.out.println( "success" );
    Alert alert = new Alert( "ssh", "test" );
    insert( alert );
end

This is working for the first scenario. But I want to extend this rule. I want to accumulate ssh events with "failed password" that have the same src_ip address. For example, if I have 4 failed password ssh events in 59s from three different src_ip addresses, the rule does not match, but when I have 4 failed password ssh events in 59s from one src_ip, the rule matches. How should I rewrite this rule for this scenario?

M M
  • You speak about some properties (ssh, src_ip) without a clear indication of which class they belong to. Add the Java classes to your question. - Also, the logic isn't clear. What about 4 failed events from *two* different src_ip? Or three from one src_ip? Or 10 from three different src_ip? ;-) – laune Jan 12 '16 at 07:34
  • the "then" part of the rule is not important here. My question is related to the "when" part of the rule. With this rule, if there are 4 ssh events with the type "failed password" in 59s from any src_ip, the rule matches and the "then" part of the rule executes. But I want to rewrite this rule to match only when 4 ssh events with the type "failed password" in 59s have the same value in the src_ip field. – M M Jan 12 '16 at 11:53
  • with this rule these events fire the rule:
    ts:"1:1:1", eventype:"failed password", src_ip:"1.1.1.1"
    ts:"1:1:3", eventype:"failed password", src_ip:"1.1.1.1"
    ts:"1:1:7", eventype:"failed password", src_ip:"1.1.1.5"
    ts:"1:1:9", eventype:"failed password", src_ip:"1.1.1.7"
    I want to rewrite the rule to fire only with these events:
    ts:"1:1:1", eventype:"failed password", src_ip:"1.1.1.1"
    ts:"1:1:3", eventype:"failed password", src_ip:"1.1.1.1"
    ts:"1:1:7", eventype:"failed password", src_ip:"1.1.1.1"
    ts:"1:1:9", eventype:"failed password", src_ip:"1.1.1.1"
    – M M Jan 12 '16 at 12:13

1 Answer


You need one Message to pick a certain IP address; then you can accumulate others with the same value.

rule "Four or more"
when
   // bind one "Failed password" event and remember its source address
   $ml: Message( eventType == "Failed password", $ip: src_ip )
   // require $ml to be the latest event for that address, so there is one
   // activation per address rather than one per event in the window
   not Message( eventType == "Failed password", src_ip == $ip, this after $ml )
   // count the failures from that same address inside the sliding 59-second window
   accumulate( Message( eventType == "Failed password", src_ip == $ip )
        over window:time( 59s ); s: count(1); s > 3 )
then
   System.out.println( "success" );
   Alert alert = new Alert( "ssh", "test" );
   insert( alert );
end
laune
  • this code gives an error: Field Reader does not exist for declaration '$ip' in 'predicate 'eventType == "Failed password"'' in the rule 'sshbrute' : [Rule name='sshbrute'] Field Reader does not exist for declaration '$ip' in 'predicate 'src_ip == $ip'' in the rule 'sshbrute' : [Rule name='sshbrute'] Unable to Analyse Expression src_ip == $ip: [Error: unable to resolve method using strict-mode: com.sample.Message.src_ip()] [Near : {... src_ip == $ip ....}] – M M Jan 16 '16 at 13:06
  • Perhaps you didn't copy the rule correctly. Which Drools version are you using? – laune Jan 16 '16 at 13:59
  • Works as advertised. Either you made an error in copying or you have some other snag. Edit your question (don't use comments for code etc) adding: (a) the rule as it is now (b) class Message with all declarations for the attributes eventType and src_ip. – laune Jan 17 '16 at 05:18
  • when I rewrite it to this form it works:
    ml: Message( eventType == "Failed password" )
    not Message( eventType == "Failed password", srcip == ml.srcip, this before ml )
    mesg : Number( doubleValue > 3 ) from accumulate( Message( eventType == "Failed password", srcip == ml.srcip ) over window:time( 59s ), count(1) )
    Why does it get an error when I use $ip in the first pattern? – M M Jan 31 '16 at 08:44
  • I can't tell you unless you post *exactly* the code causing the error, including the Java class definition for Message. – laune Jan 31 '16 at 13:16
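The answer's rule wired up end to end so it can actually be run, as an added example that is not code from the question, the answer, or the Drools project. It assumes Drools 6.x with the KIE API, a Message fact whose src_ip property is exposed through getSrc_ip() (Drools resolves the rule's src_ip through a getter of that name or a public field), a declare block marking Message as an event, nested classes imported into the DRL by their dotted names, and a pseudo clock so that the two event sets from the question's comments can be replayed at fixed timestamps. The package and class names are hypothetical.

```java
package com.example.ssh;

import java.util.concurrent.TimeUnit;
import org.kie.api.KieBase;
import org.kie.api.KieBaseConfiguration;
import org.kie.api.KieServices;
import org.kie.api.builder.KieBuilder;
import org.kie.api.builder.KieFileSystem;
import org.kie.api.conf.EventProcessingOption;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;
import org.kie.api.runtime.KieSessionConfiguration;
import org.kie.api.runtime.conf.ClockTypeOption;
import org.kie.api.time.SessionPseudoClock;

/** Hypothetical harness (not from the question or the answer) that runs the answer's rule. */
public class SshBruteForceDemo {

    /** Event fact. The rule's "src_ip" is resolved through getSrc_ip(). */
    public static class Message {
        private final String eventType;
        private final String src_ip;
        public Message(String eventType, String src_ip) { this.eventType = eventType; this.src_ip = src_ip; }
        public String getEventType() { return eventType; }
        public String getSrc_ip() { return src_ip; }
    }

    /** Fact inserted by the rule's consequence. */
    public static class Alert {
        private final String source;
        private final String detail;
        public Alert(String source, String detail) { this.source = source; this.detail = detail; }
        public String getSource() { return source; }
        public String getDetail() { return detail; }
    }

    // The answer's rule; the declare block (an assumption here) marks Message as an event
    // so that window:time and the "after" operator apply to it.
    static final String DRL =
          "package com.example.ssh;\n"
        + "import com.example.ssh.SshBruteForceDemo.Message;\n"
        + "import com.example.ssh.SshBruteForceDemo.Alert;\n"
        + "declare Message @role( event ) end\n"
        + "rule \"Four or more\"\n"
        + "when\n"
        + "   $ml: Message( eventType == \"Failed password\", $ip: src_ip )\n"
        + "   not Message( eventType == \"Failed password\", src_ip == $ip, this after $ml )\n"
        + "   accumulate( Message( eventType == \"Failed password\", src_ip == $ip )\n"
        + "        over window:time( 59s ); s: count(1); s > 3 )\n"
        + "then\n"
        + "   insert( new Alert( \"ssh\", \"repeated failed logins from \" + $ip ) );\n"
        + "end\n";

    /** Compiles the DRL and opens a STREAM-mode session driven by a pseudo clock. */
    static KieSession newSession() {
        KieServices ks = KieServices.Factory.get();
        KieFileSystem kfs = ks.newKieFileSystem();
        kfs.write("src/main/resources/ssh.drl", DRL);
        KieBuilder builder = ks.newKieBuilder(kfs).buildAll();
        // Fail fast on DRL problems, e.g. a property the Message class does not expose.
        if (builder.getResults().hasMessages(org.kie.api.builder.Message.Level.ERROR)) {
            throw new IllegalStateException(builder.getResults().toString());
        }
        KieContainer container = ks.newKieContainer(ks.getRepository().getDefaultReleaseId());
        KieBaseConfiguration baseConf = ks.newKieBaseConfiguration();
        baseConf.setOption(EventProcessingOption.STREAM);      // required for sliding windows
        KieBase kbase = container.newKieBase(baseConf);
        KieSessionConfiguration sessionConf = ks.newKieSessionConfiguration();
        sessionConf.setOption(ClockTypeOption.get("pseudo"));  // time advances only when we say so
        return kbase.newKieSession(sessionConf, null);
    }

    /** Replays {seconds, src_ip} pairs as "Failed password" events; returns the number of alerts. */
    static int replay(String[][] events) {
        KieSession session = newSession();
        SessionPseudoClock clock = session.getSessionClock();
        long now = 0;
        for (String[] e : events) {
            long t = Long.parseLong(e[0]);
            clock.advanceTime(t - now, TimeUnit.SECONDS);
            now = t;
            session.insert(new Message("Failed password", e[1]));
            session.fireAllRules();   // evaluate after every event, as a live feed would
        }
        int alerts = session.getObjects(o -> o instanceof Alert).size();
        session.dispose();
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the two cases in the question's comments.
        String[][] spread = { {"1", "1.1.1.1"}, {"3", "1.1.1.1"}, {"7", "1.1.1.5"}, {"9", "1.1.1.7"} };
        String[][] single = { {"1", "1.1.1.1"}, {"3", "1.1.1.1"}, {"7", "1.1.1.1"}, {"9", "1.1.1.1"} };
        System.out.println("four failures from three addresses -> alerts: " + replay(spread));
        System.out.println("four failures from one address     -> alerts: " + replay(single));
    }
}
```

Run it with drools-compiler and its dependencies on the classpath. For the first data set the largest count for any single address inside the window is 2, so the accumulate guard never passes; for the second, the fourth event from 1.1.1.1 brings that address to 4 and the rule fires once, because the `not ... this after $ml` pattern only lets the newest event of an address play the role of $ml. Checking the build results before opening a session turns a DRL compile problem into an exception carrying the Drools messages, instead of a silent rule that never fires.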