Hello,

I have this kind of log coming from a custom app:

> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []


I'm trying to block an IP with too many authentication failures.

So I wrote a custom decoder, which is working:

<decoder name="app.ERROR">
  <prematch>^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p </prematch>
</decoder>

<decoder name="app.ERROR-verify-login">
  <parent>app.ERROR</parent>
  <regex offset="after_parent">^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$</regex>
  <order>status,srcip,extra_data,extra_data</order>
</decoder>

and I want these rules to work with this log:

<rule id="100201" level="1">
  <decoded_as>app.ERROR</decoded_as>
  <description>Multiple login attempts customapp</description>
</rule>

<rule id="100202" level="7" frequency="10" timeframe="60">
  <if_matched_sid>100201</if_matched_sid>
  <same_source_ip />
  <description>Multiple login attempts customapp</description>
  <group>authentication_failures,</group>
</rule>


But this is what I get when testing with */var/ossec/bin/ossec-logtest*:

[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []

**Phase 1: Completed pre-decoding.
       full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
       hostname: 'Digital-Ocean-1'
       program_name: '(null)'
       log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'


**Phase 2: Completed decoding.
       decoder: 'app.ERROR'
       status: 'failure'
       srcip: '172.17.0.1'
       extra_data: '[]'
       extra_data: '[]'


**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

Why are my rules not working over the 2501 one?
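
One way to get the custom rules evaluated for this event, added here as an example that is not part of the original post: OSSEC tries top-level rules in descending level order and stops at the first match, so the built-in level-5 rule 2501 ("User authentication failure.") wins before the level-1 rule 100201 is ever reached; making the custom rule a child of 2501 restricted to the custom decoder lets it take over. The `<group name="local,syslog,">` wrapper, the level 3 and the descriptions are choices made for this example.

```xml
<group name="local,syslog,">
  <!-- Child of the built-in rule 2501 that currently fires for this log.
       Once 2501 matches, OSSEC checks its children; this one only applies
       to events decoded by the custom "app.ERROR" decoder and replaces
       the generic 2501 alert for them. -->
  <rule id="100201" level="3">
    <if_sid>2501</if_sid>
    <decoded_as>app.ERROR</decoded_as>
    <description>Authentication failure reported by customapp.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Ten such failures from the same source IP within 60 seconds.
       The srcip field extracted by the custom decoder is what
       same_source_ip correlates on. -->
  <rule id="100202" level="7" frequency="10" timeframe="60">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple authentication failures from the same IP on customapp.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

With this in local_rules.xml, running the same line through ossec-logtest should show rule 100201 in Phase 3 instead of 2501, and a tenth repeat from the same IP inside 60 seconds raises 100202.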
