Skip to main content

Find unwanted visitors by analyzing behavior

Project description

porlock

Monitor event logs for potentially fraudulent activity

Premise

Oftentimes, specific events in and of themselves don't indicate a risk to your systems. However, when viewed in the context of surrounding events, we can identify potentially risky behavior.

Take the following scenario, represented by the events below:

  • A user calls customer service and requests and one time token for login.
  • The user logs in, and the system requires a password update
  • A few days later, the user comes to the site (from a new IP) and requests a password reset
  • The user proceeds to change their password
Event: otp_login, date: 2022-11-01 13:43:17 EST, user_id: 1, ip: 10.0.0.1
Event: password_change, date: 2022-11-01 13:45:53 EST, user_id: 1, ip: 10.0.0.1
Event: password_reset, date: 2022-11-07 17:31:22 EST, user_id: 1, ip: 192.168.0.1
Event: password_change, date: 2022-11-07 17:33:11 EST, user_id: 1, ip: 192.168.0.1

None of the above events, in isolation, look particularly risky, and while it is possible that the user simply forgot their new password, when viewed along with other events, this sequence of events points to a potential account hijack.

porlock provides a rule framework to help make finding these events and flagging them possible. By identifying events, and subsequent matching events, porlock parses logs over a specified time period to flag risky behavior.

Basic Rules

  • Rules are written in a simple list format
    • Note: future versions may support yaml rules

    [
       "Password Change After OTP Login",
       "otp login",
       "followed by",
       "any",
       ["password change"],
       "after",
       "2d",
       "user",
       ["password change"],
       "before",
       "1h",
       "14d",
       "30d"
    ]
  • Rule Name: A human readable description of the rule
  • Event Name: The name of the initial event to search for
  • When: followed by or preceded by (Currently only followed by is supported)
  • Match: What type of match to any, all, none, one
  • Matching Events: a list of events to match
  • Period When: whether or not this event should happen before or after the Period parameter
  • Period: How long after the initial event to start looking (or when to stop looking for before)
  • Identifier: The field to match events on. This is typically either a user id, email, or IP address
  • Secondary Event: For future use
  • Secondary Period When: For future use
  • Secondary Period: For future use
  • Match time frame: The time frame after (for followed by) the initial event occurred to check for matching events
  • Log time frame: For future use; The time frame to return all events for a particular identifier from the logs

Parameters

When

  • followed by - the matching events should come after the initial event
  • preceded by - the matching events should come before the initial event (Note: This is still a work in progress)

Match

  • any - can match any of the listed events
  • all - must match all of the listed events
  • none - must match none of the listed events
  • one - must match one and only one of the listed events

Period When

  • before - indicates to check all events prior to the Period parameter
  • after- indicates to check all events after to the Period parameter

Period

  • The period should be specified by a number followed by one of s (seconds), m (minutes), h (hours), d (days), or w (weeks)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

porlock-0.0.1.tar.gz (7.6 kB view details)

Uploaded Source

Built Distribution

porlock-0.0.1-py3-none-any.whl (7.7 kB view details)

Uploaded Python 3

File details

Details for the file porlock-0.0.1.tar.gz.

File metadata

  • Download URL: porlock-0.0.1.tar.gz
  • Upload date:
  • Size: 7.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.9

File hashes

Hashes for porlock-0.0.1.tar.gz
Algorithm Hash digest
SHA256 c1f35fc47c02db9570b8ea116fde8ed44283991980a9c037ae78e172562390ae
MD5 44b00f54e4f24cc4c8ed4fedd82fd66d
BLAKE2b-256 3b57995dce0c94b5811416164724c33ebd8fc8ffd47e86a6b811732e76295715

See more details on using hashes here.

File details

Details for the file porlock-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: porlock-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 7.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.9

File hashes

Hashes for porlock-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 e14f1b4a894401dd00bebd23bee3b7dd0d9552ea416fc3e744157f904abc5b56
MD5 618c4248410ea89f23730a7deb465115
BLAKE2b-256 331753690ae66408251c78b94353d2860aa0610057449f2a48e13ded555422f4

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page