In my haste, I forgot to take out the frequency and timeframe from the first rule. So here's my updated recommendation:
<group name="syslog,errors,">
  <!-- Ignore mistyped passwords until 3rd occurrence -->
  <rule id="101002" level="4">
    <if_sid>1002</if_sid>
    <match>error trying to bind as user</match>
    <description>Wrong password</description>
  </rule>

  <rule id="101003" level="5" frequency="3" timeframe="360">
    <if_matched_sid>101002</if_matched_sid>
    <description>Wrong password entered repeatedly</description>
  </rule>
</group> <!-- SYSLOG,errors -->

I did a quick test of these rules and they appear to work correctly.

Please let us know how it goes.

Regards,
--
Doug Burks, GPEN, GCIH, GCIA, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Sep 23, 6:58 am, Doug Burks <doug.bu...@gmail.com> wrote:
> Have you considered breaking it into two rules like this? (Sorry I
> don't have an OSSEC server available to me right now to test with.)
>
> <group name="syslog,errors,">
>   <!-- Ignore mistyped passwords until 3rd occurrence -->
>   <rule id="101002" level="4" frequency="3" timeframe="360">
>     <if_sid>1002</if_sid>
>     <match>error trying to bind as user</match>
>     <description>Wrong password</description>
>   </rule>
>
>   <rule id="101003" level="5" frequency="3" timeframe="360">
>     <if_matched_sid>101002</if_matched_sid>
>     <description>Wrong password entered repeatedly</description>
>   </rule>
> </group> <!-- SYSLOG,errors -->
>
> Please let us know how it goes.
>
> Regards,
> --
> Doug Burks, GPEN, GCIH, GCIA, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
> On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE <mernst...@gmail.com> wrote:
> > There is a syslog rule (1002) which looks for any one of a list of
> > "bad words".
> > On my RHEL servers this is picking up any mis-typed passwords:
> >
> > Received From: (server) 123.456.789.012->/var/log/secure
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> > Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
> >
> > Whilst I want rule 1002 to remain, in the case of mistyped passwords I
> > only want to be informed if this occurs multiple times.
> > I created an override in local_rules:
> >
> > <group name="syslog,errors,">
> >   <!-- Ignore mistyped passwords until 3rd occurrence -->
> >   <rule id="101002" level="5" frequency="3" timeframe="360">
> >     <if_matched_sid>1002</if_matched_sid>
> >     <match>error trying to bind as user</match>
> >     <description>Wrong password entered repeatedly</description>
> >   </rule>
> > </group> <!-- SYSLOG,errors -->
> >
> > but this is not working.
> >
> > Can you combine if_matched_sid with match?
> > Is there an easier way to do this?
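As an added illustration of why the two-rule structure above works (this is not code from the thread or from OSSEC itself), the following Python simulation walks constructed /var/log/secure lines through the chain 1002 -> 101002 (if_sid + match) -> 101003 (if_matched_sid + frequency/timeframe). The bad-word list, the log year and the window-clearing behaviour are assumptions of the simulation.

```python
import re
from collections import deque
from datetime import datetime

# Constructed /var/log/secure sample (not from the thread); the year is assumed.
LOG_LINES = [
    'Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)',
    'Sep 23 10:33:10 server sshd[25211]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)',
    'Sep 23 10:33:40 server crond[1044]: error reading configuration file',
    'Sep 23 10:34:02 server sshd[25214]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)',
    'Sep 23 11:00:00 server sshd[25300]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)',
]

# Simplified stand-in for the "bad words" rule 1002 looks for (assumption).
BAD_WORDS = re.compile(r"error|failure|denied|refused", re.IGNORECASE)

# Rules 101002 and 101003 from the corrected suggestion, as plain dicts.
CHILD = {"id": 101002, "level": 4, "if_sid": 1002, "match": "error trying to bind as user"}
COMPOSITE = {"id": 101003, "level": 5, "if_matched_sid": 101002, "frequency": 3, "timeframe": 360}

def parse_ts(line, year=2010):
    """Syslog timestamps carry no year, so one is assumed for the sample."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def evaluate(lines):
    """Return (rule_id, level, timestamp) for the highest rule each line reaches.

    Models the decision order 1002 -> 101002 (if_sid + match) -> 101003
    (if_matched_sid with frequency/timeframe) with a sliding window that is
    cleared once the composite fires. OSSEC's real counter differs in detail
    (its docs describe the trigger count as higher than the literal frequency
    value), so the exact counts are illustrative.
    """
    window, alerts = deque(), []
    for line in lines:
        ts = parse_ts(line)
        if not BAD_WORDS.search(line):
            continue                               # rule 1002 did not match
        fired = (1002, 2)                          # level 2, as in the thread
        if CHILD["match"] in line:                 # <if_sid>1002</if_sid> + <match>
            fired = (CHILD["id"], CHILD["level"])
            window.append(ts)
            while (ts - window[0]).total_seconds() > COMPOSITE["timeframe"]:
                window.popleft()                   # outside the 360 s timeframe
            if len(window) >= COMPOSITE["frequency"]:
                fired = (COMPOSITE["id"], COMPOSITE["level"])
                window.clear()
        alerts.append((fired[0], fired[1], ts))
    return alerts
```

The third sample line matches 1002 but not the bind-failure text, so it stays a level-2 event; the third bind failure within 360 seconds is the one that escalates to 101003.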