On Tue, Feb 8, 2011 at 2:10 PM, --[ UxBoD ]-- <ux...@splatnix.net> wrote:
>
> <SNIP>
>
> Okay, I have been doing quite a bit of testing with all this; and now that I am 
> checking the *correct* rule to start with, I am seeing some interesting results. 
> Here are the two rules defined in local_rules.xml:
>
>  <rule id="10044" level="1">
>    <if_sid>5551</if_sid>
>    <description>Multiple SSHD authentication failures (Override Generic)</description>
>    <group>authentication_failures,</group>
>  </rule>
>
>  <rule id="10061" level="10" frequency="3" timeframe="180">
>    <if_matched_sid>10044</if_matched_sid>
>    <same_source_ip />
>    <description>Multiple SSHD authentication failures - GLPI #493</description>
>    <group>authentication_failures,</group>
>  </rule>
>
> I start by testing with a source file that contains 31 lines of failed 
> password attempts all happening within 3 minutes:
>
> Feb  8 13:05:27 someuser sshd[28052]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:28 someuser sshd[29099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:29 someuser sshd[29650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:30 someuser sshd[30431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:31 someuser sshd[31405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:32 someuser sshd[31970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:33 someuser sshd[32337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:34 someuser sshd[32729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:05:35 someuser sshd[716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:06 someuser sshd[1138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:10 someuser sshd[1140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:11 someuser sshd[1564]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:12 someuser sshd[1945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:13 someuser sshd[2367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:14 someuser sshd[2769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:15 someuser sshd[3151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:16 someuser sshd[6348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:17 someuser sshd[6724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:18 someuser sshd[7138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:19 someuser sshd[7378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:20 someuser sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:21 someuser sshd[7895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:22 someuser sshd[8223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:23 someuser sshd[8287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:24 someuser sshd[8662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:25 someuser sshd[9077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:26 someuser sshd[9457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:27 someuser sshd[9851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:28 someuser sshd[10232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:29 someuser sshd[10617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
> Feb  8 13:06:39 someuser sshd[10896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123  user=someuser
>
> I run that through ossec-logtest and check for how many times rule 5503 hits:
>
> grep -c "Rule 5503 matched" result
> 31
>
> That is correct. Now rule 5551 is a standard rule as well in the pam file and 
> is written as:
>
>  <rule id="5551" level="10" frequency="6" timeframe="180">
>    <if_matched_sid>5503</if_matched_sid>
>    <same_source_ip />
>    <description>Multiple failed logins in a small period of time.</description>
>    <group>authentication_failures,</group>
>  </rule>
>
> Yet if I check how many times that hits, I would expect 5 times but I 
> only see:
>
> grep -c "Rule 5551 matched" result
> 3
>
> I must be missing something really simple here ????
>
> Thanks, Phil
>

Doesn't look like you're missing anything.
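For anyone trying to reason about the chain in the question, here is an added example; it is not code from this thread and not OSSEC's own analysisd logic. It models the 5503 -> 5551 -> 10044 -> 10061 chain over the 31 timestamps from Phil's sample, regenerated inline with made-up PIDs, and it assumes the simplest possible frequency semantics: a per-source sliding window of `timeframe` seconds that fires once `frequency` events are inside it and is then cleared. That assumption is what produces the 5 hits Phil expected; the 3 that ossec-logtest reports on the page shows that analysisd counts differently from this naive model, which is exactly the gap the question is about.

```python
import re
from datetime import datetime, timedelta

# Decoder for the pam_unix failure line that stock rule 5503 matches on.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: pam_unix\(sshd:auth\): "
    r"authentication failure;.*rhost=(?P<rhost>\S+)"
)


def build_sample_log():
    """Constructed input: the 31 timestamps from the post, PIDs made up."""
    times = ([(5, s) for s in range(27, 36)]       # 13:05:27 .. 13:05:35
             + [(6, 6)]                            # 13:06:06
             + [(6, s) for s in range(10, 30)]     # 13:06:10 .. 13:06:29
             + [(6, 39)])                          # 13:06:39
    return [
        f"Feb  8 13:{m:02d}:{s:02d} someuser sshd[{1000 + i}]: pam_unix(sshd:auth): "
        f"authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
        f"rhost=123.123.123.123  user=someuser"
        for i, (m, s) in enumerate(times)
    ]


def match_5503(lines, year=2011):
    """Stand-in for rule 5503: one (timestamp, source_ip) event per failure line.
    Syslog lines carry no year, so one is assumed for parsing."""
    events = []
    for line in lines:
        m = PAM_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()),
                                   "%Y %b %d %H:%M:%S")
            events.append((ts, m["rhost"]))
    return events


def frequency_rule(events, frequency, timeframe):
    """Simplified frequency/timeframe/same_source_ip model (an assumption for
    illustration, not analysisd's algorithm): keep a per-source window of
    timestamps no older than `timeframe` seconds; fire when it holds
    `frequency` events, then clear it so the next fire needs fresh events."""
    windows = {}
    fires = []
    limit = timedelta(seconds=timeframe)
    for ts, src in sorted(events):
        w = windows.setdefault(src, [])
        w.append(ts)
        while w and ts - w[0] > limit:      # expire events outside the timeframe
            w.pop(0)
        if len(w) >= frequency:
            fires.append((ts, src))
            w.clear()
    return fires


def run_chain(lines):
    """Match counts per rule id for the chain described in the post."""
    ev5503 = match_5503(lines)
    ev5551 = frequency_rule(ev5503, frequency=6, timeframe=180)
    ev10044 = list(ev5551)   # 10044 only re-levels 5551: one match per 5551 match
    ev10061 = frequency_rule(ev10044, frequency=3, timeframe=180)
    return {"5503": len(ev5503), "5551": len(ev5551),
            "10044": len(ev10044), "10061": len(ev10061)}


if __name__ == "__main__":
    for rule, n in run_chain(build_sample_log()).items():
        print(f"Rule {rule} matched: {n}")
```

Under this model the 31 failures give 5503 x31, 5551 x5 (fires at 13:05:32, 13:06:11, 13:06:17, 13:06:23, 13:06:29), 10044 x5, and a single 10061 at the third 10044. Whatever analysisd actually does with its matched-event list, the useful habit is the same as Phil's: feed a known input through ossec-logtest and compare the per-rule counts with what your own reading of frequency/timeframe predicts before trusting a level-10 chain in production.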
