----- Original Message -----
> ----- Original Message -----
> > Hi Phil,
> >
> > On Tue, Feb 8, 2011 at 7:23 AM, --[ UxBoD ]-- <ux...@splatnix.net>
> > wrote:
> > > Dan,
> > >
> > > I think I see what I did wrong and have changed it now to use two
> > > rules:
> > >
> > > <rule id="10044" level="0">
> > >   <if_sid>5720</if_sid>
> > >   <same_source_ip />
> > >   <description>Multiple SSHD authentication failures (Local)</description>
> > >   <group>authentication_failures,</group>
> > > </rule>
> > >
> >
> > You don't need the same_source_ip option. That only really matters
> > when you're looking for multiple events from the same IP.
> > You may need to raise the level to 1, I don't know. I've never tried
> > this with a level 0 event.
> >
> > > <rule id="10044" level="10" frequency="24" timeframe="180">
> > >   <if_matched_sid>10044</if_matched_sid>
> > >   <same_source_ip />
> > >   <description>Multiple SSHD authentication failures (Local)</description>
> > >   <group>authentication_failures,</group>
> > > </rule>
> > >
> >
<SNIP>

Okay, I have been doing quite a bit of testing with all this; and now that I am checking the *correct* rule to start with, I am seeing some interesting results.

Here are the two rules defined in local_rules.xml:

  <rule id="10044" level="1">
    <if_sid>5551</if_sid>
    <description>Multiple SSHD authentication failures (Override Generic)</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="10061" level="10" frequency="3" timeframe="180">
    <if_matched_sid>10044</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures - GLPI #493</description>
    <group>authentication_failures,</group>
  </rule>

I start by testing with a source file that contains 31 lines of failed password attempts, all happening within 3 minutes:

Feb 8 13:05:27 someuser sshd[28052]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:28 someuser sshd[29099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:29 someuser sshd[29650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:30 someuser sshd[30431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:31 someuser sshd[31405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:32 someuser sshd[31970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:33 someuser sshd[32337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:34 someuser sshd[32729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:05:35 someuser sshd[716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:06 someuser sshd[1138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:10 someuser sshd[1140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:11 someuser sshd[1564]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:12 someuser sshd[1945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:13 someuser sshd[2367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:14 someuser sshd[2769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:15 someuser sshd[3151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:16 someuser sshd[6348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:17 someuser sshd[6724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:18 someuser sshd[7138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:19 someuser sshd[7378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:20 someuser sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:21 someuser sshd[7895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:22 someuser sshd[8223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:23 someuser sshd[8287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:24 someuser sshd[8662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:25 someuser sshd[9077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:26 someuser sshd[9457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:27 someuser sshd[9851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:28 someuser sshd[10232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:29 someuser sshd[10617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
Feb 8 13:06:39 someuser sshd[10896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser

I run that through ossec-logtest and check how many times rule 5503 hits:

  grep -c "Rule 5503 matched" result
  31

That is correct.
Now rule 5551 is a standard rule as well in the pam file and is written as:

  <rule id="5551" level="10" frequency="6" timeframe="180">
    <if_matched_sid>5503</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins in a small period of time.</description>
    <group>authentication_failures,</group>
  </rule>

Yet if I check how many times that hits, I would expect 5 times, but I only see:

  grep -c "Rule 5551 matched" result
  3

I must be missing something really simple here ????

Thanks, Phil
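Added example (the editor's, not part of the thread and not OSSEC's own code): a small Python model of the composite-rule counting Phil is testing, run over constructed log lines in the same shape as the sshd/pam_unix failures quoted above. Assumed rather than taken from the thread: the names `parse_line`, `make_failures`, `correlate` and `count_rule_hits`, the year 2011 for the year-less syslog timestamps, and the model of the composite rule itself: OSSEC's rule-syntax documentation describes the count that triggers a `frequency` rule as two more than the setting, and the simulator additionally assumes the matched-event window is cleared once the rule fires so the same events are not counted twice. Under those assumptions 31 failures from one host inside 180 seconds give 3 firings of a frequency="6" rule, and would give 5 only if the threshold were exactly 6; the model also shows how `timeframe` and `same_source_ip` partition the events, which is the check to run before trusting an alert count from ossec-logtest.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pam_unix "authentication failure" line shape quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S+)"
)


def parse_line(line, year=2011):
    """Return {'ts': datetime, 'srcip': str} for a matching line, else None.
    Syslog timestamps carry no year; 2011 is assumed from the thread's date."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "srcip": m["rhost"]}


def make_failures(count, start="2011-02-08 13:05:27", gap_seconds=1,
                  rhost="123.123.123.123"):
    """Construct `count` sample lines in the post's format, `gap_seconds` apart.
    Constructed test data, not real log output."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    lines = []
    for i in range(count):
        t = t0 + timedelta(seconds=i * gap_seconds)
        stamp = f"{t.strftime('%b')} {t.day} {t.strftime('%H:%M:%S')}"
        lines.append(
            f"{stamp} someuser sshd[{1000 + i}]: pam_unix(sshd:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
            f"rhost={rhost} user=someuser"
        )
    return lines


def correlate(events, frequency, timeframe, same_source_ip=True, extra=2):
    """Simulate a composite rule (<if_matched_sid> with frequency/timeframe).

    Assumptions (a model, not OSSEC's source): the rule fires once the window
    for a key holds `frequency + extra` events within `timeframe` seconds
    (OSSEC's docs describe the trigger count as 2 more than the setting), and
    the window is cleared after firing. With same_source_ip the key is the
    rhost, otherwise all events share one window. Returns (fire_time, key) pairs.
    """
    windows = defaultdict(list)
    fired = []
    span = timedelta(seconds=timeframe)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["srcip"] if same_source_ip else "*"
        window = windows[key]
        window.append(ev["ts"])
        # Drop events that have aged out of the timeframe.
        window[:] = [t for t in window if ev["ts"] - t <= span]
        if len(window) >= frequency + extra:
            fired.append((ev["ts"], key))
            window.clear()
    return fired


def count_rule_hits(lines, frequency=6, timeframe=180, extra=2,
                    same_source_ip=True):
    """Parse the lines and return how often the composite rule would fire."""
    events = [e for e in map(parse_line, lines) if e]
    return len(correlate(events, frequency, timeframe, same_source_ip, extra))


if __name__ == "__main__":
    sample = make_failures(31)
    print("single-event matches:", sum(1 for l in sample if parse_line(l)))
    print("composite hits, threshold frequency+2:", count_rule_hits(sample))
    print("composite hits, threshold exactly frequency:",
          count_rule_hits(sample, extra=0))
```

Run as a script it prints 31, 3 and 5 for the constructed file; changing `gap_seconds` to 100 pushes events out of the 180-second window and the composite count drops to 0, and feeding it two hosts with 7 failures each fires only when `same_source_ip` is turned off.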