Hi Sebastian,

Your rule is actually working as expected. You have:

<rule id="5716" level="5" frequency="2" timeframe="360">
  <if_matched_sid>57161</if_matched_sid>
  <if_sid>5700</if_sid>
  <description>SSHD authentication failed.</description>
  <group>authentication_failed,</group>
</rule>

Because of the <if_sid>5700</if_sid>, whenever an sshd message is received, it is going to check if the rule 57161 happened 2 or more times. I think in your case, you want:

<rule id="5716" level="5" frequency="2" timeframe="360">
  <if_matched_sid>57161</if_matched_sid>
  <description>SSHD authentication failed.</description>
  <group>authentication_failed,</group>
</rule>

To only check when the rule 57161 happens, not every sshd message... Makes sense?

As for syscheck, OSSEC has no way currently to keep sending e-mails for the same event... But we plan to implement something like that for the web ui (when you verify if a file changed was allowed).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
http://www.ossec.net/main/commercial-support/

On Fri, Apr 25, 2008 at 11:42 AM, skoesters <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I have two questions.
>
> First, the frequency in rules problem.
>
> I created the following rules:
>
> <rule id="57161" level="5">
>   <if_sid>5700</if_sid>
>   <match>^Failed|^error: PAM: Authentication</match>
>   <description>SSHD authentication failed.</description>
>   <group>authentication_failed,</group>
> </rule>
>
> <rule id="5716" level="5" frequency="2" timeframe="360">
>   <if_matched_sid>57161</if_matched_sid>
>   <if_sid>5700</if_sid>
>   <description>SSHD authentication failed.</description>
>   <group>authentication_failed,</group>
> </rule>
>
> After 2 failed ssh logins, trigger rule 5716.
>
> There is one little problem: the alert.log
>
> ** Alert 1209133162.700886: - syslog,sshd,authentication_failed,
> 2008 Apr 25 16:19:22 (backup) 10.10.150.20->/var/log/auth.log
> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
> Src IP: 10.10.10.10
> User: test
> Apr 25 16:19:22 [EMAIL PROTECTED] sshd[32344]: Accepted publickey for user from 10.10.150.10 port 49209 ssh2
> Apr 25 16:19:10 test sshd[28690]: Failed password for tbmx from xx.xx.xx.xx port 56875 ssh2
> Apr 25 16:18:49 test sshd[28690]: Failed password for tbmx from xx.xx.xx.xx port 56875 ssh2
>
> The log shows the 2 failed logins BUT ALSO this line:
>
> Apr 25 16:19:22 [EMAIL PROTECTED] sshd[32344]: Accepted publickey for user from 10.10.150.10 port 49209 ssh2
>
> It always does this.
>
> Second example (here with trigger after 3 failures):
>
> ** Alert 1209132832.691592: - syslog,sshd,authentication_failed,
> 2008 Apr 25 16:13:52 (xxxxx) xx.xx.xx.xx ->/var/log/auth.log
> Rule: 5716 (level 5) -> 'SSHD authentication failed.'
> Src IP: xx.xx.xx.xx
> User: test
> Apr 25 16:13:51 host sshd[2011]: Accepted publickey for nagios from yy.yy.yy.yy port 63609 ssh2
> Apr 25 16:13:41 server sshd[28652]: Failed password for tbmx from xx.xx.xx.xx port 59151 ssh2
> Apr 25 16:13:24 server sshd[28652]: Failed password for tbmx from xx.xx.xx.xx port 59151 ssh2
> Apr 25 16:13:19 server sshd[28652]: Failed password for tbmx from xx.xx.xx.xx port 59151 ssh2
>
> It should only show the failed password lines, not the accepted publickey.
>
> Why does it show a wrong line + the correct lines? I only want to have the failed password.
>
> Second question:
>
> Integrity check
>
> ossec sends me a mail when a file changes. Can I tell ossec to send me this mail until I say "it's ok that this file changed"?
>
> Example:
>
> /etc/hosts changes.
>
> ossec sends mail
> 2 minutes later it sends the mail again
> 2 minutes later it sends the mail again
> 2 minutes later it sends the mail again
> ......
> I tell ossec it's ok that /etc/hosts changed and ossec stops sending, and starts sending again after the file changed again.
>
> Is something like that possible?
>
> Thank you!
>
> Kind regards
> Sebastian
>
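To see why the extra <if_sid>5700</if_sid> in the composite rule pulls the "Accepted publickey" line into the 5716 alert, here is an added Python model of the rule chain discussed in this thread. It is not OSSEC's own code, only a simplified replay of the behaviour Daniel describes; the log lines, hostnames and IP addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sshd lines in arrival order (hosts/IPs made up); the last one is
# outside the 360 s timeframe of the two failures and must not alert.
LOG_LINES = [
    "Apr 25 16:18:49 test sshd[28690]: Failed password for tbmx from 10.0.0.5 port 56875 ssh2",
    "Apr 25 16:19:10 test sshd[28690]: Failed password for tbmx from 10.0.0.5 port 56875 ssh2",
    "Apr 25 16:19:22 test sshd[32344]: Accepted publickey for user from 10.10.150.10 port 49209 ssh2",
    "Apr 25 16:30:00 test sshd[32400]: Accepted publickey for user from 10.10.150.10 port 49300 ssh2",
]
# Rule 5700 (parent): any sshd syslog line.  Group 1 = timestamp, group 2 = message.
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Rule 57161's <match> from the thread.
FAILED_RE = re.compile(r"^Failed|^error: PAM: Authentication")


def replay(lines, composite_has_if_sid, frequency=2, timeframe=360):
    """Replay log lines through a simplified model of the rule chain.

    57161 (child of 5700) matches a failed authentication; 5716 is a composite
    rule with <if_matched_sid>57161 and frequency/timeframe.  Returns the lines
    on which 5716 would alert.
    """
    failed_times = []  # timestamps of 57161 matches (the if_matched_sid history)
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line: rule 5700 does not apply at all
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        fired_57161 = bool(FAILED_RE.match(m.group(2)))
        if fired_57161:
            failed_times.append(ts)
        # With <if_sid>5700</if_sid> the composite rule is evaluated on every
        # sshd line (so an "Accepted publickey" line can carry the alert);
        # without it, only on lines where 57161 itself matched.
        if composite_has_if_sid or fired_57161:
            recent = [t for t in failed_times if 0 <= (ts - t).total_seconds() <= timeframe]
            if len(recent) >= frequency:
                alerts.append(line)
    return alerts


if __name__ == "__main__":
    print("with if_sid 5700:   ", replay(LOG_LINES, composite_has_if_sid=True))
    print("if_matched_sid only:", replay(LOG_LINES, composite_has_if_sid=False))
```

With the original rule the model alerts on both the second failure and the later "Accepted publickey" line; with Daniel's corrected rule it alerts only on the second failure.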