I agree with Doug, and would split it into multiple rules. Some simple stuff thrown together (will be improved in my wip-ossec-rules tree at some point):

  <rule id="370022" level="2">
    <if_sid>5700</if_sid>
    <match>Invalid credentials</match>
    <description>User entered incorrect password.</description>
    <group>sshd,ldap,pam,authentication_failure,</group>
  </rule>

This one is untested (beyond making sure ossec-logtest didn't complain about it) at the moment:

  <rule id="370023" level="5" frequency="3" timeframe="360">
    <if_matched_sid>370022</if_matched_sid>
    <description>Wrong password entered repeatedly</description>
  </rule>

On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE <mernst...@gmail.com> wrote:
> There is a syslog rule (1002) which looks for any one of a list of
> "bad words".
> On my RHEL servers this is picking up any mis-typed passwords
>
> Received From: (server) 123.456.789.012->/var/log/secure
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
> Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as
> user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
>
> Whilst I want rule 1002 to remain, in the case of mistyped passwords I
> only want to be informed if this occurs multiple times.
> I created an override in local_rules
>
> <group name="syslog,errors,">
>
>   <!-- Ignore mistyped passwords until 3rd occurrence -->
>   <rule id="101002" level="5" frequency="3" timeframe="360">
>     <if_matched_sid>1002</if_matched_sid>
>     <match>error trying to bind as user</match>
>     <description>Wrong password entered repeatedly</description>
>   </rule>
> </group> <!-- SYSLOG,errors -->
>
> but this is not working.
>
> Can you combine if_matched_sid with match?
> Is there an easier way to do this?
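As an added illustration (my own sketch, not OSSEC code and not part of the thread), here is a simplified Python model of how the two rules in the reply correlate: the base rule tags every sshd line containing the match string, and the composite rule fires once `frequency` such hits fall inside a `timeframe`-second window, run over constructed sample lines in the format the original post shows. The program-name check stands in for if_sid 5700 and the window handling is a simplification, so real rules should still be confirmed with ossec-logtest.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in the format shown in the thread (not real events).
SAMPLE_LOG = """\
Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:33:10 server sshd[25211]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:35:00 server sshd[25215]: Accepted publickey for user123 from 10.0.0.5 port 51234 ssh2
Sep 23 10:40:00 server sshd[25230]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:41:15 server sshd[25231]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Sep 23 10:42:30 server sshd[25232]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")

# 370022: the program check stands in for <if_sid>5700</if_sid>; 370023: <if_matched_sid>370022</if_matched_sid>.
BASE_RULE = {"id": 370022, "level": 2, "program": "sshd", "match": "Invalid credentials"}
COMPOSITE_RULE = {"id": 370023, "level": 5, "if_matched_sid": 370022, "frequency": 3, "timeframe": 360}

def parse_line(line, year=2010):
    """Split a syslog line into timestamp, host, program and message (None if unparseable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "program": m["prog"], "msg": m["msg"]}

def evaluate(lines, base=BASE_RULE, composite=COMPOSITE_RULE):
    """Return (rule_id, level, ts) alerts; simplified model, not OSSEC's own counter semantics."""
    alerts, window = [], deque()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["program"] != base["program"] or base["match"] not in ev["msg"]:
            continue                       # base rule does not match this line
        alerts.append((base["id"], base["level"], ev["ts"]))
        window.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=composite["timeframe"])
        while window[0] < cutoff:          # drop hits that fell out of the timeframe
            window.popleft()
        if len(window) >= composite["frequency"]:
            alerts.append((composite["id"], composite["level"], ev["ts"]))
            window.clear()                 # the next burst has to accumulate again
    return alerts

def run_sample():
    return evaluate(SAMPLE_LOG.splitlines())
```

With the sample above the first two failures are more than 360 seconds away from the third, so only the burst at 10:40:00, 10:41:15 and 10:42:30 raises rule 370023.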