Hi,
I'm trying to be alerted when our FTP sites are under a dictionary attack (we don't have an IPS, so we have to block IPs in our firewall).
Previously I was checking the security logs, but the remote agent uses too much CPU when it sends thousands of bad results, and I need to receive all bad alerts in case of other alerts.
I was thinking of scanning the FTP log, looking for something like "bad password" and triggering an alert after x bad passwords, but it still needs to send a lot of messages to count these bad attempts.
Now I'm thinking about checking the size of the log file and receiving an alert if this size grows abnormally quickly, like a test every minute, and if the file grows by more than several KB then I get an alert. What I can't figure out for this idea is how to save the result of the previous test to compare with the new one ...
Maybe I'm looking too far and somebody here has another method to get an alert when we have too many bad tries on an FTP site ...
ML
Scanning ftp log for remote attack
> Now I'm thinking about checking the size of the log file and receiving an alert if this size grows abnormally quickly, like a test every minute, and if the file grows by more than several KB then I get an alert. What I can't figure out for this idea is how to save the result of the previous test to compare with the new one ...
You may use the "Folder/File Size" test method with the "Use Warning status if '%SuggestedReply%' - '%Reply%' > '1 Kb'" option
('1 Kb' is just an example)
Regards
Alex
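The check Alex describes compares this run's size with the previous one; the part the original poster could not figure out is where the previous value lives between runs. The following is an added example (not HostMonitor's or KS-Soft's code) that keeps the last size in a small state file, flags growth over a threshold, and also handles the two cases such a test must survive: the first run, when there is nothing to compare against, and log rotation, when the file shrinks. The threshold, file names and sample log lines are constructed for the demonstration.

```python
"""Added example (not HostMonitor's or KS-Soft's code): alert when a log file
grows abnormally fast between two checks, keeping the previous size in a small
state file so that the comparison survives from one run to the next."""
import json
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical threshold: growth of more than 1 KB per check interval is suspicious,
# mirroring the suggested '%SuggestedReply%' - '%Reply%' > '1 Kb' expression.
THRESHOLD_BYTES = 1024


def load_previous_size(state_file: Path) -> Optional[int]:
    """Return the size recorded by the previous check, or None on the first run."""
    try:
        return int(json.loads(state_file.read_text())["size"])
    except (FileNotFoundError, KeyError, ValueError):
        return None


def save_size(state_file: Path, size: int) -> None:
    """Persist the size seen by this check for the next run to compare against."""
    state_file.write_text(json.dumps({"size": size}))


def check_growth(log_path: Path, state_file: Path, threshold: int) -> dict:
    """One check cycle: compare the current log size with the saved one.

    Returns the status ('Unknown' on the first run, 'Warning' if the growth
    exceeds the threshold, otherwise 'Ok') plus the numbers behind it.
    Two edge cases a size-delta test must survive are handled explicitly:
    no saved value yet, and log rotation (the file got smaller).
    """
    current = log_path.stat().st_size if log_path.exists() else 0
    previous = load_previous_size(state_file)
    save_size(state_file, current)
    if previous is None:
        return {"status": "Unknown", "growth": 0, "previous": None, "current": current}
    growth = current - previous
    if growth < 0:
        # The log was rotated or truncated; whatever is in it now was written since.
        growth = current
    status = "Warning" if growth > threshold else "Ok"
    return {"status": status, "growth": growth, "previous": previous, "current": current}


def demo() -> list:
    """Constructed scenario: first run, normal traffic, a burst of failed logins, rotation."""
    statuses = []
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "ftp.log"
        state = Path(tmp) / "ftp_log_growth_state.json"
        log.write_bytes(b"")
        statuses.append(check_growth(log, state, THRESHOLD_BYTES)["status"])
        with log.open("ab") as fh:                   # 5 normal lines, about 110 bytes
            fh.write(b"230 Login successful.\n" * 5)
        statuses.append(check_growth(log, state, THRESHOLD_BYTES)["status"])
        with log.open("ab") as fh:                   # 200 failures, about 4200 bytes in one interval
            fh.write(b"530 Login incorrect.\n" * 200)
        statuses.append(check_growth(log, state, THRESHOLD_BYTES)["status"])
        log.write_bytes(b"230 Login successful.\n")  # rotation: the file shrank
        statuses.append(check_growth(log, state, THRESHOLD_BYTES)["status"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

Run once per minute from a scheduler and the state file plays the role of the previous "Reply"; the rotation branch matters because a daily log rollover would otherwise look like a large negative growth and be silently ignored.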
'%SuggestedReply%' is the last result of a test?
I'm sure I can make it work with something like that.
Is there a way to stop a test if we get x many bad results, change "Report about all events" to "Report only last bad" so it skips all the bad results for some time, and then change it back at the first good reply? I think I can tweak the alert profile for some of that, but I'm not sure it's the right avenue ...
Thanks
> '%SuggestedReply%' is the last result of a test?
Quote from the manual:
===================
I.e.
- HostMonitor performs the test;
- processes "Reverse alert" option;
- sets "suggested" macro variables (%SuggestedStatus%, %SuggestedSimpleStatus%, %SuggestedReply%, %SuggestedRecurrences% and %FailureIteration%) without touching regular counters (%Status%, %Reply%, %Recurrences%, etc);
- then HostMonitor evaluates "Warning", "Normal" and "Tune up Reply" expressions and finally modifies current test status, reply field and statistics counters (Status, Reply, Alive%, Passed tests, Failed tests, etc).
====================
> Is there a way to stop a test if we get x many bad results, change "Report about all events" to "Report only last bad" so it skips all the bad results for some time, and then change it back at the first good reply?
If you stop the test, how can it "change it back at the first good reply"?
You just need to use basic action properties, such as "Start when" and "Repeat N times"
Please check the manual:
http://www.ks-soft.net/hostmon.eng/mfra ... ctions.htm
http://www.ks-soft.net/hostmon.eng/mfra ... properties
Regards
Alex
> If you stop the test, how can it "change it back at the first good reply"?
> You just need to use basic action properties, such as "Start when" and "Repeat N times"
In fact, I already know that part .... It's the part about changing "Report about all events" to "Report only last bad" and changing it back that I can't figure out. ...
Yes, NT log.
I receive a lot of messages when I monitor the security log while we have an FTP attack. By monitoring the log files I will be able to send myself an alert for the right reason.
Now, I need to stop the monitoring of the NT security log when I'm under attack and start it back afterwards so my RMA won't use too much CPU on that server. And also, when the NT log test resumes, I need to be able to skip all bad events and start the monitoring clean ...
I'm not sure that I explained it clearly; as you can see, English is not my native language.

The question is how you (well, HostMonitor) should decide when you are under attack.
E.g.
If you think 10 consecutive "bad" records is a flag for an attack, you may add an "Execute HM Script" action, set the "Start when 10 consecutive Bad results occur" and "Repeat: until status changes" options, and use the "ResetEventLogRefPoint <testname>" command in the script
http://www.ks-soft.net/hostmon.eng/mfra ... #actScript
Another solution: use the HM Script action with the ImportFromFile command to import test settings from a text file. In such a way you may replace the "Report about all events" option with "Report only last bad" and vice versa.
Regards
Alex
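To make the action semantics in Alex's answer concrete, here is an added example (not HostMonitor's or KS-Soft's code) that models a test whose action is configured as "Start when N consecutive Bad results occur" with "Repeat: until status changes", and uses that action to pause the noisy security-log monitoring until the first Good result, which is what the original poster asked for. The `Monitor` class, its field names, the `security_log_paused` flag and the result sequence are all constructed for this illustration; the real "Execute HM Script" action would run the ResetEventLogRefPoint command mentioned above instead of setting a flag.

```python
"""Added example (not HostMonitor's or KS-Soft's code): a model of the
"Start when N consecutive Bad results occur" + "Repeat: until status changes"
action trigger, showing which results fire the action and how the noisy
security-log test can be paused for the duration of the burst."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Monitor:
    start_after: int                    # fire when this many consecutive Bad results occur
    repeat_until_status_changes: bool   # keep firing on later Bad results until a Good one
    consecutive_bad: int = 0
    security_log_paused: bool = False   # hypothetical flag standing in for the paused NT log test
    fired_at: List[int] = field(default_factory=list)  # 1-based positions where the action ran
    seen: int = 0

    def on_action(self) -> None:
        """Stands in for the 'Execute HM Script' action (e.g. ResetEventLogRefPoint)."""
        self.security_log_paused = True

    def feed(self, result: str) -> bool:
        """Process one test result ('Good' or 'Bad'); return True if the action ran."""
        self.seen += 1
        if result == "Good":
            # Status changed back: counter resets, repeats stop, the security log resumes.
            self.consecutive_bad = 0
            self.security_log_paused = False
            return False
        self.consecutive_bad += 1
        first_fire = self.consecutive_bad == self.start_after
        repeat_fire = (self.consecutive_bad > self.start_after
                       and self.repeat_until_status_changes)
        if first_fire or repeat_fire:
            self.on_action()
            self.fired_at.append(self.seen)
            return True
        return False


def run_sequence(results: List[str], start_after: int = 10, repeat: bool = True) -> Monitor:
    """Feed a whole sequence of results through one Monitor and return its final state."""
    monitor = Monitor(start_after, repeat)
    for result in results:
        monitor.feed(result)
    return monitor


# Constructed scenario: 12 consecutive failures, one success, then 3 failures.
SCENARIO = ["Bad"] * 12 + ["Good"] + ["Bad"] * 3


if __name__ == "__main__":
    m = run_sequence(SCENARIO)
    print("action fired at results:", m.fired_at)          # [10, 11, 12]
    print("security log paused at the end:", m.security_log_paused)  # False
```

With repeat enabled the action runs on the 10th, 11th and 12th Bad results and stops as soon as the Good result arrives; the three later failures never reach the threshold, so nothing fires and the security-log test stays active. Setting `repeat=False` fires it exactly once at the 10th result.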