On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote:
> Hello,
>
> I've those kind of log comming from a custom app
>>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
>> [] []
>
>
> I'm trying to block an ip with to much authentication failure.
>
> So I did a custom decoder which is working ;
>
>
> ^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p
>
>
>
>
> app.ERROR
> ^app.ERROR: \.+ (\S+) for IP: (\S+)
> (\.+)\s(\.+)$
> status,srcip,extra_data,extra_data
>
>
> and I want theses rules working with this log .
>
>
> app.ERROR
> Multiple login attempts customapp
>
>
>
>
> 100201
>
> Multiple login attempts customapp
> authentication_failures,
>
>
>
> But this what I get when testing with /var/ossec/bin/ossec-logtest
>
>
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure
> for IP: 172.17.0.1 [] []'
>hostname: 'Digital-Ocean-1'
>program_name: '(null)'
>log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP:
> 172.17.0.1 [] []'
>
>
> **Phase 2: Completed decoding.
>decoder: 'app.ERROR'
>status: 'failure'
>srcip: '172.17.0.1'
>extra_data: '[]'
>extra_data: '[]'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '2501'
>Level: '5'
>Description: 'User authentication failure.'
> **Alert to be generated.
>
> why are my rules not working over the 2501 one ?
>
2501 is probably evaluated first.
You can add an 2501 to your first rule to help it match.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.