We have an Exchange 2003 server that is sending its logs to CS-MARS. We need to parse these logs to detect unauthorized user mailbox access. It's easy to build this regular expression. But there are some exceptions: some users can log on to their boss's primary account. I mean:
CEO mailbox is: domain1\ceo_mailbox
CEO user id: domain1\ceo_user
CEO's personal assistant: domain1\assistant_user
The personal assistant is able to log on to the CEO mailbox and this kind of access is not an incident. Other user access to this mailbox will fire an incident.
To do that, we need to keep the user id that is trying to log in to a mailbox and the owner id of this mailbox. Then, with a custom rule, we need to compare these two string fields and, depending on the result, a new incident will be generated or not.
When I'm parsing the message, I try to keep these IDs (user and mailbox owner) in any CS-MARS string field (source/destination IP in hostname format, port in string format, protocol in string format, etc.). Here is the problem: CS-MARS stores this information in a non-string format. In the following images you can see CS-MARS is trying to store the matched string, "translating" the format to a numeric, IP dotted quad, etc.
a) Using the port field as the parsed field: see attached file custom_parser_port.jpg
The matched string (OSansano) is translated to 0. This is because MARS stores the value in numeric format.
b) Using the protocol field as the parsed field: see attached file custom_parser_protocol.jpg
In this case, MARS tries to translate the matched string into the protocol numeric value. For example, if I change the OSansano string to the TCP string, the Parsed Value will be the number 6. When CS-MARS doesn't know the "protocol", the value will be -1.
c) Using the IP address (source or destination) as the parsed field: see attached file custom_parser_hostname.jpg
In this case, CS-MARS tries to do a reverse DNS resolution to store the IP and not the matched string.
What could we do to store the Matched String in one of the Parsed Fields in string format? Or, is it possible to create new Parsed Fields?
Any suggestion on this issue will be appreciated.
Antoni Gutierrez Barbara
Dimension Data Spain
MARS does not allow you to create your own parsed field. I'm not sure how wise it is to try and "coerce" one to suit your needs. Seems like that could be brittle (Cisco could change that behavior at any time) and may cause some unintended consequences (like an unnecessary DNS lookup on bogus info).
The actual parsing process is where you have the most flexibility, because it supports real PCRE's. You might be able to create a parser that only maps the event when the username and mailbox name don't match. Then in the inspection rule you have a "not username/mailbox" keyword for all known combinations that are allowed. clear as mud? I'd be interested in helping map if you can get me a [cleaned up as necessary] raw message.
I have spent these last 10 days working on many things... Now I should be able to work more on the CS-MARS. Sorry for not having made any update to this conversation.
The most important idea regarding this conversation is that I must be able to detect when a user without permissions is trying to access the "boss mailbox" and send an e-mail in "real time" to give notice of the incident.
Mhellman, as you said, I'll try with this parser. Now, I can parse the username who is trying to log on to the mailbox. I'll update the regular expression to parse the mailbox owner. How can I compare these two usernames with the regular expression? I saw the keyword column inside the rule only accepts text and looks for it inside the raw message. I want the opposite: how can I look for "not this list of users" in the raw message?
The complete raw message is as follows:
Oct 30 12:36:15 fsxtd MSWinEventLog 1 Application 170341 Mon Oct 30 12:36:04 2006 1013 MSExchangeIS Mailbox Store Unknown User N/A Success Audit FSXTD The directory cannot be removed. DOMAIN1\Secretary_UserName was validated as /o=DOMAIN1/ou=xx_DOMAIN1/cn=Recipients/cn=Secretary1_UserName and logged on to /o=DOMAIN1/ou=xx_DOMAIN1/cn=Recipients/cn=Boss_UserName on database ""First Storage Group\DB1"". For more information, click http://www.microsoft.com/contentredirect.asp. 90880
Thanks in advance,
"How can I compare these two usernames with the regular expression?"
The general idea is to use capturing (subpatterns) and lookahead assertions.
Say you have two messages that look like this:
"user SECRETARY logged into mailbox SECRETARY";
"user SECRETARY logged into mailbox CEO"
the following pattern will match the second event, but NOT the first:
/user[ ]([\w]+)[ ]logged[ ]into[ ]mailbox[ ](?!\1)/
I will test in CSMARS in a bit to make sure it works as expected.
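As an added illustration of the approach in this thread (my own example, not code from either poster or from CS-MARS), the script below parses the event format quoted above, compares the validated user's cn with the cn of the mailbox that was opened, and applies an assumed delegate allow-list, using a regex engine that does support backreferences and lookahead (Python's re). It also carries the backreference plus negative-lookahead pattern through on the real message layout, including one edge case the short pattern above misses.

```python
import re

# Header and DN prefix copied from the message quoted in the thread; the events
# built with make_event() are constructed samples, not real log data.
PREFIX = ("Oct 30 12:36:15 fsxtd MSWinEventLog 1 Application 170341 Mon Oct 30 12:36:04 "
          "2006 1013 MSExchangeIS Mailbox Store Unknown User N/A Success Audit FSXTD "
          "The directory cannot be removed. ")
DN = "/o=DOMAIN1/ou=xx_DOMAIN1/cn=Recipients/cn="

def make_event(user, own_cn, mailbox_cn):
    """Build a constructed Exchange 1013 event line (account, own mailbox cn, opened cn)."""
    return (f"{PREFIX}DOMAIN1\\{user} was validated as {DN}{own_cn} and logged on to "
            f"{DN}{mailbox_cn} on database \"\"First Storage Group\\DB1\"\". "
            "For more information, click http://www.microsoft.com/contentredirect.asp. 90880")

# Capture the logon account, its own mailbox cn and the mailbox it opened.
# [^\s/]+ stops a capture from swallowing the earlier "/cn=Recipients" component.
EVENT_RE = re.compile(
    r"(?P<user>\S+) was validated as \S*/cn=(?P<own_cn>[^\s/]+) and logged on to "
    r"\S*/cn=(?P<mailbox>[^\s/]+) on database")

# Single-pattern form of the backreference + negative-lookahead idea: it matches
# only when the opened mailbox differs from the user's own. The space inside
# (?!\1 ) matters: a bare (?!\1) would also suppress the match when the opened
# mailbox merely starts with the user's own cn (e.g. Boss vs Boss2).
CROSS_RE = re.compile(
    r"was validated as \S*/cn=([^\s/]+) and logged on to \S*/cn=(?!\1 )([^\s/]+) on database")

# Assumed delegation policy: mailbox cn -> cns allowed to open it (lower-cased).
ALLOWED = {"boss_username": {"secretary1_username"}}

def cross_mailbox(line):
    """True if the single-regex check flags a logon to someone else's mailbox."""
    return CROSS_RE.search(line) is not None

def classify(line):
    """Return 'owner', 'delegate', 'incident', or None if not a mailbox logon event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    own = m.group("own_cn").lower()      # Windows account names are case-insensitive
    mailbox = m.group("mailbox").lower()
    if own == mailbox:
        return "owner"
    if own in ALLOWED.get(mailbox, set()):
        return "delegate"
    return "incident"

if __name__ == "__main__":
    for user, own, box in [("Secretary_UserName", "Secretary1_UserName", "Boss_UserName"),
                           ("Boss_UserName", "Boss_UserName", "Boss_UserName"),
                           ("Other_UserName", "Other_UserName", "Boss_UserName")]:
        line = make_event(user, own, box)
        print(f"{user:>20} -> {box}: {classify(line)} (cross-mailbox: {cross_mailbox(line)})")
```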
Not having any success getting capturing and lookahead assertions working in a parser. I've opened a TAC case...I'll let you know what I find out.
I tried this regular expression yesterday and it didn't work... In any case, thanks :)
I've had a TAC case open for 4 days or so. When I know the right solution I will post it in this conversation.
Just heard back from Cisco. They are saying that capturing (i.e. back references) are not supported in the custom parser ("by design"). The documentation is incorrect.
FWIW, I always figured the regex documentation wasn't really written by Cisco (too detailed). As a result of this ticket I decided to figure out where it came from...turns out it's verbatim copied from "man pcrepattern". sigh...
So all the documentation on pcre in the user guide...what is actually supported is anyone's guess.
I've a TAC case open and I'm working with the engineer to make it work... If I obtain good results I will post the final solution ;-)
Thanks for all.