I agree with Doug, and would split it into multiple rules.

Some simple stuff thrown together (will be improved in my
wip-ossec-rules tree at some point):
  <rule id="370022" level="2">
    <if_sid>5700</if_sid>
    <match>Invalid credentials</match>
    <description>User entered incorrect password.</description>
    <group>sshd,ldap,pam,authentication_failure,</group>
  </rule>

This one is untested (beyond making sure ossec-logtest didn't complain
about it) at the moment:
  <rule id="370023" level="5" frequency="3" timeframe="360">
    <if_matched_sid>370022</if_matched_sid>
    <description>Wrong password entered repeatedly</description>
  </rule>


On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE <mernst...@gmail.com> wrote:
> There is a syslog rule (1002) which looks for any one of a list of
> "bad words".
> On my RHEL servers this is picking up any mis-typed passwords
>
> Received From: (server) 123.456.789.012->/var/log/secure
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
> Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as
> user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
>
> Whilst I want rule 1002 to remain, in the case of mistyped passwords I
> only want to be informed if this occurs multiple times.
> I created an override in local_rules
>
> <group name="syslog,errors,">
>
> <!-- Ignore mistyped passwords until 3rd occurrence -->
>   <rule id="101002" level="5" frequency="3" timeframe="360">
>      <if_matched_sid>1002</if_matched_sid>
>      <match>error trying to bind as user</match>
>      <description>Wrong password entered repeatedly</description>
>   </rule>
> </group> <!-- SYSLOG,errors -->
>
> but this is not working.
>
> Can you combine if_matched_sid with match?
> Is there an easier way to do this?
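To make the two-rule approach from the reply concrete (a base rule that fires on every "Invalid credentials" line under the sshd parent rule, and a second rule that only fires once that base rule has matched 3 times within 360 seconds), here is an added Python simulation of that correlation; it is not OSSEC code and not from either poster, the log lines are constructed in the format quoted above, and the count/reset behaviour is a simplified model of what the thread asks for rather than OSSEC's exact internal counting:

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample of /var/log/secure lines (host, PIDs and DN are placeholders).
SAMPLE_LOG = """\
Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:33:10 server sshd[25211]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:35:40 server sshd[25214]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:50:00 server sshd[25220]: Accepted publickey for user123 from 192.0.2.10 port 51234 ssh2
Sep 23 11:10:00 server sshd[25230]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
"""

# Stands in for the sshd parent rule (5700): only sshd lines get any further.
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (.*)$")

BASE_RULE = 370022      # one bad password (level 2 in the reply)
FREQ_RULE = 370023      # repeated bad passwords (level 5 in the reply)
FREQUENCY = 3           # matches of BASE_RULE needed ...
TIMEFRAME = 360         # ... within this many seconds (assumed, as in the thread)

def parse(line, year=2010):
    """Return (timestamp, message) for an sshd line, or None if rule 5700 would not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3)

def evaluate(log_text):
    """Return a list of (timestamp, rule_id) alerts in log order."""
    alerts = []
    window = deque()   # timestamps of recent BASE_RULE matches (the if_matched_sid state)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if "Invalid credentials" not in msg:      # the <match> of the base rule
            continue
        alerts.append((ts, BASE_RULE))
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > TIMEFRAME:
            window.popleft()                      # drop matches outside the timeframe
        if len(window) >= FREQUENCY:
            alerts.append((ts, FREQ_RULE))
            window.clear()                        # simplification: start the next burst fresh
    return alerts
```

With the constructed sample, the third failure at 10:35:40 falls within 360 s of the first, so the frequency rule fires once; the isolated failure at 11:10:00 only raises the base rule.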
