Find unwanted visitors by analyzing behavior
Project description
porlock
Monitor event logs for potentially fraudulent activity
Premise
Oftentimes, specific events in and of themselves don't indicate a risk to your systems. However, when viewed in the context of surrounding events, we can identify potentially risky behavior.
Take the following scenario, represented by the events below:
- A user calls customer service and requests and one time token for login.
- The user logs in, and the system requires a password update
- A few days later, the user comes to the site (from a new IP) and requests a password reset
- The user proceeds to change their password
Event: otp_login, date: 2022-11-01 13:43:17 EST, user_id: 1, ip: 10.0.0.1
Event: password_change, date: 2022-11-01 13:45:53 EST, user_id: 1, ip: 10.0.0.1
Event: password_reset, date: 2022-11-07 17:31:22 EST, user_id: 1, ip: 192.168.0.1
Event: password_change, date: 2022-11-07 17:33:11 EST, user_id: 1, ip: 192.168.0.1
None of the above events, in isolation, look particularly risky, and while it is possible that the user simply forgot their new password, when viewed along with other events, this sequence of events points to a potential account hijack.
porlock provides a rule framework to help make finding these events and flagging them possible. By identifying events, and subsequent matching events, porlock parses logs over a specified time period to flag risky behavior.
Basic Rules
- Rules are written in a simple list format
- Note: future versions may support yaml rules
[
"Password Change After OTP Login",
"otp login",
"followed by",
"any",
["password change"],
"after",
"2d",
"user",
["password change"],
"before",
"1h",
"14d",
"30d"
]
Rule Name
: A human readable description of the ruleEvent Name
: The name of the initial event to search forWhen
:followed by
orpreceded by
(Currently onlyfollowed by
is supported)Match
: What type of match toany
,all
,none
,one
Matching Events
: a list of events to matchPeriod When
: whether or not this event should happenbefore
orafter
thePeriod
parameterPeriod
: How longafter
the initial event to start looking (or when to stop looking forbefore
)Identifier
: The field to match events on. This is typically either a user id, email, or IP addressSecondary Event
: For future useSecondary Period When
: For future useSecondary Period
: For future useMatch time frame
: The time frame after (forfollowed by
) the initial event occurred to check for matching eventsLog time frame
: For future use; The time frame to return all events for a particularidentifier
from the logs
Parameters
When
followed by
- the matching events should come after the initial eventpreceded by
- the matching events should come before the initial event (Note: This is still a work in progress)
Match
any
- can match any of the listed eventsall
- must match all of the listed eventsnone
- must match none of the listed eventsone
- must match one and only one of the listed events
Period When
before
- indicates to check all events prior to thePeriod
parameterafter
- indicates to check all events after to thePeriod
parameter
Period
- The period should be specified by a number followed by one of
s
(seconds),m
(minutes),h
(hours),d
(days), orw
(weeks)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file porlock-0.0.1.tar.gz
.
File metadata
- Download URL: porlock-0.0.1.tar.gz
- Upload date:
- Size: 7.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.9
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | c1f35fc47c02db9570b8ea116fde8ed44283991980a9c037ae78e172562390ae |
|
MD5 | 44b00f54e4f24cc4c8ed4fedd82fd66d |
|
BLAKE2b-256 | 3b57995dce0c94b5811416164724c33ebd8fc8ffd47e86a6b811732e76295715 |
File details
Details for the file porlock-0.0.1-py3-none-any.whl
.
File metadata
- Download URL: porlock-0.0.1-py3-none-any.whl
- Upload date:
- Size: 7.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.8.9
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e14f1b4a894401dd00bebd23bee3b7dd0d9552ea416fc3e744157f904abc5b56 |
|
MD5 | 618c4248410ea89f23730a7deb465115 |
|
BLAKE2b-256 | 331753690ae66408251c78b94353d2860aa0610057449f2a48e13ded555422f4 |