Hey,

The frequency of 6 actually means 8 events for it to alert. It makes sense when you think of the rule in these terms:

if_matched_sid -> Alert me if the rule XYZ fired in the last ABC seconds more than 6 times (not including the current event).

So in your case, the rule 5551 will check if in the last few minutes the rule 5503 was set more than 6 times... So out of the 31 events, you would get 3 alerts from the rule 5551.

So why is that? Because you can write rules like this one:

<if_group>authentication_success</if_group>
<if_matched_group>authentication_failure</if_matched_group>

So the current event is not tied to the list when searching on the if_matched_* signatures....

Hope it made some sense :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Feb 8, 2011 at 3:10 PM, --[ UxBoD ]-- <ux...@splatnix.net> wrote:
> ----- Original Message -----
>> ----- Original Message -----
>> > Hi Phil,
>> >
>> > On Tue, Feb 8, 2011 at 7:23 AM, --[ UxBoD ]-- <ux...@splatnix.net> wrote:
>> > > Dan,
>> > >
>> > > I think I see what I did wrong and have changed it now to use two rules:
>> > >
>> > > <rule id="10044" level="0">
>> > >   <if_sid>5720</if_sid>
>> > >   <same_source_ip />
>> > >   <description>Multiple SSHD authentication failures (Local)</description>
>> > >   <group>authentication_failures,</group>
>> > > </rule>
>> > >
>> >
>> > You don't need the same_source_ip option. That only really matters when you're looking for multiple events from the same IP.
>> > You may need to raise the level to 1, I don't know. I've never tried this with a level 0 event.
>> >
>> > > <rule id="10044" level="10" frequency="24" timeframe="180">
>> > >   <if_matched_sid>10044</if_matched_sid>
>> > >   <same_source_ip />
>> > >   <description>Multiple SSHD authentication failures (Local)</description>
>> > >   <group>authentication_failures,</group>
>> > > </rule>
>> > >
>> > >
> <SNIP>
>
> Okay, I have been doing quite a bit of testing with all this; and now that I am checking the *correct* rule to start with, I am seeing some interesting results.
> Here are the two rules defined in local_rules.xml:
>
> <rule id="10044" level="1">
>   <if_sid>5551</if_sid>
>   <description>Multiple SSHD authentication failures (Override Generic)</description>
>   <group>authentication_failures,</group>
> </rule>
>
> <rule id="10061" level="10" frequency="3" timeframe="180">
>   <if_matched_sid>10044</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple SSHD authentication failures - GLPI #493</description>
>   <group>authentication_failures,</group>
> </rule>
>
> I start by testing with a source file that contains 31 lines of failed password attempts all happening within 3 minutes:
>
> Feb 8 13:05:27 someuser sshd[28052]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:28 someuser sshd[29099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:29 someuser sshd[29650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:30 someuser sshd[30431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:31 someuser sshd[31405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:32 someuser sshd[31970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:33 someuser sshd[32337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:34 someuser sshd[32729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:05:35 someuser sshd[716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:06 someuser sshd[1138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:10 someuser sshd[1140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:11 someuser sshd[1564]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:12 someuser sshd[1945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:13 someuser sshd[2367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:14 someuser sshd[2769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:15 someuser sshd[3151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:16 someuser sshd[6348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:17 someuser sshd[6724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:18 someuser sshd[7138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:19 someuser sshd[7378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:20 someuser sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:21 someuser sshd[7895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:22 someuser sshd[8223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:23 someuser sshd[8287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:24 someuser sshd[8662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:25 someuser sshd[9077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:26 someuser sshd[9457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:27 someuser sshd[9851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:28 someuser sshd[10232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:29 someuser sshd[10617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
> Feb 8 13:06:39 someuser sshd[10896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=someuser
>
> I run that through ossec-logtest and check for how many times rule 5503 hits:
>
> grep -c "Rule 5503 matched" result
> 31
>
> That is correct. Now rule 5551 is a standard rule as well in the pam file and is written as:
>
> <rule id="5551" level="10" frequency="6" timeframe="180">
>   <if_matched_sid>5503</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple failed logins in a small period of time.</description>
>   <group>authentication_failures,</group>
> </rule>
>
> Yet if I check how many times that hits, and I would expect 5 times but I only see:
>
> grep -c "Rule 5551 matched" result
> 3
>
> I must be missing something really simple here ????
>
> Thanks, Phil
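As an added illustration (my own code, not OSSEC's source or anything from the thread), here is a small Python model of the counting Daniel describes above, run over a constructed copy of Phil's 31-line test file. It reproduces the 3 alerts from rule 5551 and, generalising his explanation, shows that frequency="N" fires on every (N+2)th event, so a rule meant to fire on every 6th failure from one host needs frequency="4". The exact window and reset behaviour are assumptions taken from Daniel's description.

```python
import re
from datetime import datetime

# Constructed stand-in for Phil's 31-line test file: same timestamps and
# PIDs as the thread's log, one source IP, each event on a single line.
def make_line(hhmmss, pid, ip="123.123.123.123"):
    return (f"Feb 8 {hhmmss} someuser sshd[{pid}]: pam_unix(sshd:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
            f"rhost={ip} user=someuser")

TIMES = ([f"13:05:{s:02d}" for s in range(27, 36)] + ["13:06:06"]
         + [f"13:06:{s:02d}" for s in range(10, 30)] + ["13:06:39"])
SAMPLE = [make_line(t, 28052 + i) for i, t in enumerate(TIMES)]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)")

def parse(line, year=2011):
    """Return (timestamp, source ip) for a pam_unix failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def alert_positions(lines, frequency, timeframe):
    """1-based positions of the events on which a composite rule fires.

    Assumed model (after Daniel's description, not OSSEC's code): count the
    *earlier* unconsumed matches from the same IP within `timeframe` seconds;
    fire when that count is strictly greater than `frequency`; then clear.
    """
    earlier = {}   # ip -> timestamps of earlier matches not yet alerted on
    fired = []
    for pos, line in enumerate(lines, 1):
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = [t for t in earlier.get(ip, []) if (ts - t).total_seconds() <= timeframe]
        if len(window) > frequency:   # current event is not in the list
            fired.append(pos)
            earlier[ip] = []          # list reset once the rule has fired
        else:
            earlier[ip] = window + [ts]
    return fired

def count_alerts(lines, frequency, timeframe):
    return len(alert_positions(lines, frequency, timeframe))
```

With frequency=6 and timeframe=180 the model fires on events 8, 16 and 24, which is the 3 that grep reported; with a 1-second timeframe the same input never fires, because the window prunes earlier events before the count can build up.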