----- Original Message -----
> ----- Original Message -----
> > Hi Phil,
> >
> > On Tue, Feb 8, 2011 at 7:23 AM, --[ UxBoD ]-- <ux...@splatnix.net>
> > wrote:
> > > Dan,
> > >
> > > I think I see what I did wrong and have changed it now to use two
> > > rules:
> > >
> > > <rule id="10044" level="0">
> > >   <if_sid>5720</if_sid>
> > >    <same_source_ip />
> > >    <description>Multiple SSHD authentication failures (Local)</description>
> > >    <group>authentication_failures,</group>
> > > </rule>
> > >
> >
> > You don't need the same_source_ip option. That only really matters
> > when you're looking for multiple events from the same IP.
> > You may need to raise the level to 1, I don't know. I've never
> > tried
> > this with a level 0 event.
> >
> > > <rule id="10044" level="10" frequency="24" timeframe="180">
> > >   <if_matched_sid>10044</if_matched_sid>
> > >   <same_source_ip />
> > >   <description>Multiple SSHD authentication failures (Local)</description>
> > >   <group>authentication_failures,</group>
> > > </rule>
> > >
> >

<SNIP>

Okay, I have been doing quite a bit of testing with all this, and now that I am 
checking the *correct* rule to start with, I am seeing some interesting results. 
Here are the two rules defined in local_rules.xml:

  <rule id="10044" level="1">
   <if_sid>5551</if_sid>
    <description>Multiple SSHD authentication failures (Override Generic)</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="10061" level="10" frequency="3" timeframe="180">
    <if_matched_sid>10044</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures - GLPI #493</description>
    <group>authentication_failures,</group>
  </rule>

I start by testing with a source file that contains 31 lines of failed password 
attempts all happening within 3 minutes:

Feb  8 13:05:27 someuser sshd[28052]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:28 someuser sshd[29099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:29 someuser sshd[29650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:30 someuser sshd[30431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:31 someuser sshd[31405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:32 someuser sshd[31970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:33 someuser sshd[32337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:34 someuser sshd[32729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:05:35 someuser sshd[716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:06 someuser sshd[1138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:10 someuser sshd[1140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:11 someuser sshd[1564]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:12 someuser sshd[1945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:13 someuser sshd[2367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:14 someuser sshd[2769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:15 someuser sshd[3151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:16 someuser sshd[6348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:17 someuser sshd[6724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:18 someuser sshd[7138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:19 someuser sshd[7378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:20 someuser sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:21 someuser sshd[7895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:22 someuser sshd[8223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:23 someuser sshd[8287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:24 someuser sshd[8662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:25 someuser sshd[9077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:26 someuser sshd[9457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:27 someuser sshd[9851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:28 someuser sshd[10232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:29 someuser sshd[10617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
Feb  8 13:06:39 someuser sshd[10896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser

I run that through ossec-logtest and check for how many times rule 5503 hits:

grep -c "Rule 5503 matched" result
31

That is correct. Now rule 5551 is a standard rule as well in the pam file and 
is written as:

  <rule id="5551" level="10" frequency="6" timeframe="180">
    <if_matched_sid>5503</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins in a small period of time.</description>
    <group>authentication_failures,</group>
  </rule>

Yet if I check how many times that hits, I would expect 5 times, but I only 
see:

grep -c "Rule 5551 matched" result
3

I must be missing something really simple here ????

Thanks, Phil

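A small model of the frequency/timeframe/same_source_ip correlation being debugged above, added here as an illustration and not OSSEC's own code or a claim about how ossec-logtest counts: it parses the same 31 pam_unix lines (rebuilt as constructed sample data) and counts how often a 6-in-180s rule would fire under two window policies.

```python
import re
from datetime import datetime

# Constructed sample: the 31 failures from the post, same timestamps and rhost;
# PIDs are synthetic.
_TIMES = (["13:05:%02d" % s for s in range(27, 36)] + ["13:06:06"]
          + ["13:06:%02d" % s for s in range(10, 30)] + ["13:06:39"])
SAMPLE_LOG = "\n".join(
    "Feb  8 %s someuser sshd[%d]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser"
    % (t, 1000 + i) for i, t in enumerate(_TIMES))

# Matches what rule 5503 matches: a pam_unix auth failure, capturing time and rhost.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S+)")

def parse(log, year=2011):
    """Return [(epoch_seconds, rhost), ...] for each matching line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            events.append((ts.timestamp(), m.group(2)))
    return events

def correlate(events, frequency, timeframe, reset_after_fire):
    """Model of a composite rule: fire when `frequency` events from one source
    IP fall inside `timeframe` seconds.  Whether the window is cleared after a
    firing is a modelling choice exposed as a flag, not OSSEC's documented
    behaviour.  Returns the number of firings."""
    window = {}  # rhost -> timestamps still inside the timeframe
    firings = 0
    for ts, ip in events:
        recent = [t for t in window.get(ip, []) if ts - t <= timeframe]
        recent.append(ts)
        if len(recent) >= frequency:
            firings += 1
            if reset_after_fire:
                recent = []
        window[ip] = recent
    return firings

def count_firings(log, frequency=6, timeframe=180, reset_after_fire=True):
    return correlate(parse(log), frequency, timeframe, reset_after_fire)

if __name__ == "__main__":
    print(len(parse(SAMPLE_LOG)), "failures parsed")
    print("reset window:", count_firings(SAMPLE_LOG, reset_after_fire=True))
    print("sliding window:", count_firings(SAMPLE_LOG, reset_after_fire=False))
```

Running it shows how much the answer depends on the counting policy: resetting the window after each firing gives 5 for these 31 events, while a sliding window that never resets fires on every event from the sixth onward.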