Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

FeedBack Elastalert #1080

Open locktll opened 7 years ago

locktll commented 7 years ago

Hi,

I've been using Elastalert for some months and I would like to have some feedback: how many rules have you set up? How many Elastalert instances, and how many rules per instance?

I'm asking for feedback because I'm currently using one instance with 8 rules but I want to set up something like hundreds of rules.

Best regards, locktll.

pjanzen commented 7 years ago

Currently I am testing ElastAlert and it does not (yet) meet my requirements.

My use case is as follows: I have users who are sending email through authenticated SMTP and log in with their email address and password. Now this is prone to brute forcing of username/password and I want to detect that with ElastAlert. I want to detect login attempts from multiple source IPs using the same username with different passwords. Multiple source IPs using the same username and password should be flagged for monitoring but initially ignored.

I have tried several methods (frequency, cardinality, new_term) and none of those give me the result I need.

So to answer your question, currently I have 0 rules running :)

Qmando commented 7 years ago

@locktll We've had probably about 200-250 or so running on a single instance at a time. I'm sure you could do more, depending on a few things like how complicated the queries are, how much data there is, how much latency you can tolerate, etc. You can always run another instance with separate rules.

@pjanzen You CAN set that up, though it's a little complicated. Cardinality only supports one field at a time, but you can make a rule that will alert when two separate cardinality rules alert.

In ip_rule.yaml

name: Failed logins IP
type: cardinality
cardinality_field: IP
query_key: username
max_cardinality: 5
alert:
 - debug

In password_rule.yaml

name: Failed logins password
type: cardinality
cardinality_field: password
query_key: username
max_cardinality: 5
alert:
 - debug

In failed_logins.yaml

name: Brute force attack
type: cardinality
cardinality_field: rule_name
index: elastalert_status
filter:
  - query:
      query_string:
        query: "_type: elastalert AND (rule_name: \"Failed logins IP\" OR rule_name: \"Failed logins password\")"
max_cardinality: 1

This would alert if both the alerts for 5 different IPs and 5 different passwords went off within some timeframe. I excluded a few fields but I think you get the idea.

Yes, it would be really nice to support this use case without this weird meta alert thing.
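The two per-username cardinality rules and the meta-rule that combines them, emulated in plain Python over a constructed batch of failed-login events so the logic can be checked outside Elasticsearch (an added example, not ElastAlert code or anything posted in this thread). It assumes a 10-minute sliding window, which the rules above do not specify, and uses the field names IP, username and password from those rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIMEFRAME = timedelta(minutes=10)  # assumed; the rules above omit `timeframe`
MAX_CARDINALITY = 5                # matches `max_cardinality: 5` above

def login(ts, user, ip, password):
    return {"@timestamp": ts, "username": user, "IP": ip, "password": password}

# Constructed sample of failed authenticated-SMTP logins. A real index would hold a
# password hash or failure reason in this field, never the cleartext secret.
SAMPLE_EVENTS = (
    # alice: six IPs and six passwords inside the window -> both rules trip
    [login(f"2023-01-01T00:0{i}:00", "alice", f"10.0.0.{i}", f"guess{i}") for i in range(6)]
    # bob: six IPs, one password -> only the IP rule trips
    + [login(f"2023-01-01T00:0{i}:00", "bob", f"192.0.2.{i}", "Winter2023") for i in range(6)]
    # carol: two typos from one host -> nothing trips
    + [login("2023-01-01T00:01:00", "carol", "198.51.100.7", "pw1"),
       login("2023-01-01T00:02:00", "carol", "198.51.100.7", "pw2")]
)

def cardinality_hits(events, field, max_cardinality=MAX_CARDINALITY, timeframe=TIMEFRAME):
    """Emulate `type: cardinality` with `query_key: username`: usernames whose
    distinct values of `field` exceed max_cardinality within a sliding window."""
    window = defaultdict(list)  # username -> [(timestamp, value)] still inside timeframe
    hits = set()
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(event["@timestamp"])
        user = event["username"]
        window[user] = [(t, v) for t, v in window[user] if ts - t <= timeframe]
        window[user].append((ts, event[field]))
        if len({v for _, v in window[user]}) > max_cardinality:
            hits.add(user)
    return hits

def classify(events):
    """Combine the two rules as failed_logins.yaml does: both fired for one user ->
    brute force; only the IP rule -> one password from many hosts, monitor."""
    ip_hits = cardinality_hits(events, "IP")
    pw_hits = cardinality_hits(events, "password")
    verdicts = {}
    for user in ip_hits | pw_hits:
        if user in ip_hits and user in pw_hits:
            verdicts[user] = "brute force"
        elif user in ip_hits:
            verdicts[user] = "monitor"
        else:
            verdicts[user] = "many passwords, few hosts"
    return verdicts
```

Note that the real meta-rule correlates on rule_name in the elastalert_status index rather than on username, so two different users each tripping one rule would also fire it; keying the combination on the username, as here, is what pjanzen's use case actually needs.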