[ossec-list] Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-02 Thread alsdks
Hello list,


Some systems, in syslog logging, tend to group the same messages to save
space and load. For example, Solaris
logs failed ssh logins to syslog but issues an event that says that
the last message repeated x times, like:

sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
for 
Feb  2 10:38:00 systemname last message repeated 1 time


This way, rule ID 5720 actually triggers at about 10 failed logins
instead of 8.

Is there a way to work around this? Maybe lower the threshold for
specific systems/platforms?

The same goes for telnet logging, which summarizes a lot of these
events. Probably other services too.

Thank you!


Re: [ossec-list] Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 5:03 AM, alsdks als...@gmail.com wrote:
> Hello list,
>
>
> Some systems, in syslog logging, tend to group the same messages to save
> space and load. For example, Solaris
> logs failed ssh logins to syslog but issues an event that says that
> the last message repeated x times, like:
>
> sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
> for 
> Feb  2 10:38:00 systemname last message repeated 1 time
>
>
> This way, rule ID 5720 actually triggers at about 10 failed logins
> instead of 8.
>
> Is there a way to work around this? Maybe lower the threshold for
> specific systems/platforms?
>
> The same goes for telnet logging, which summarizes a lot of these
> events. Probably other services too.
>
> Thank you!

Maybe you could turn off the "message repeated" messages.
Or I guess you could use the overwrite option on the rules that are
at issue to lower the frequency for your environment.
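To make the undercount described in the question concrete, and to see what lowering the threshold as the reply suggests actually buys, here is an added Python example. It is not code from the thread or from OSSEC. It parses a constructed Solaris-style syslog sample, expands each "last message repeated N times" line back into N copies of that host's previous message, and counts sshd failures per source against a frequency/timeframe window modelled loosely on rule 5720 with same_source_ip. The 8-event trigger is taken from the post; the 120-second timeframe and the year 2012 (syslog timestamps carry no year) are assumptions; the log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the thread): one source, 192.0.2.10, produces
# 10 real failures that syslogd compresses into 8 "Failed" lines plus 2
# "last message repeated" lines; one unrelated failure from 198.51.100.7.
SAMPLE_LOG = """\
Feb  2 10:37:50 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51234 ssh2
Feb  2 10:37:55 systemname last message repeated 1 time
Feb  2 10:38:01 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for admin from 192.0.2.10 port 51235 ssh2
Feb  2 10:38:04 systemname sshd[22090]: [ID 800047 auth.notice] Failed keyboard-interactive for backup from 198.51.100.7 port 40022 ssh2
Feb  2 10:38:07 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51236 ssh2
Feb  2 10:38:12 systemname last message repeated 1 time
Feb  2 10:38:20 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for oracle from 192.0.2.10 port 51237 ssh2
Feb  2 10:38:26 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51238 ssh2
Feb  2 10:38:33 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for admin from 192.0.2.10 port 51239 ssh2
Feb  2 10:38:40 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51240 ssh2
Feb  2 10:38:47 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51241 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")
FAILED_RE = re.compile(r"Failed \S+ for (?P<user>\S+) from (?P<ip>\S+)")

ASSUMED_YEAR = 2012  # assumption: syslog timestamps have no year; the thread is from 2012


def parse_events(text):
    """Yield (timestamp, host, message) for every parseable syslog line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["msg"]


def expand_repeats(events):
    """Undo syslogd compression: replace 'last message repeated N times' with
    N copies of that host's previous message, stamped with the repeat line's time."""
    last = {}
    for ts, host, msg in events:
        r = REPEAT_RE.match(msg)
        if r:
            prev = last.get(host)
            if prev is None:
                continue  # repeat line with no known predecessor: nothing to expand
            for _ in range(int(r["n"])):
                yield ts, host, prev
        else:
            last[host] = msg
            yield ts, host, msg


def failed_logins(events):
    """Keep only sshd authentication failures as (timestamp, source_ip)."""
    for ts, _host, msg in events:
        f = FAILED_RE.search(msg)
        if f:
            yield ts, f["ip"]


def first_alert(failures, frequency, timeframe):
    """Return (source_ip, timestamp) when `frequency` failures from one source
    fall inside `timeframe` seconds; None if that never happens.
    Sliding window per source, modelled loosely on rule 5720 + same_source_ip."""
    window = defaultdict(deque)
    for ts, ip in failures:
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            return ip, ts
    return None


def compare(text=SAMPLE_LOG, frequency=8, timeframe=120):
    """For the compressed stream (what the rule sees today) and the expanded
    stream, report when the rule fires and how many real failures had happened."""
    raw = list(parse_events(text))
    expanded = list(failed_logins(expand_repeats(raw)))
    streams = {"compressed": list(failed_logins(raw)), "expanded": expanded}
    result = {}
    for name, stream in streams.items():
        hit = first_alert(stream, frequency, timeframe)
        if hit is None:
            result[name] = None
            continue
        ip, at = hit
        real = sum(1 for ts, src in expanded if src == ip and ts <= at)
        result[name] = {"source": ip, "alert_at": at.strftime("%H:%M:%S"), "real_failures": real}
    return result


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10s} -> {r}")
    print("compressed, frequency lowered to 6 ->", compare(frequency=6)["compressed"])
```

On this sample the compressed stream fires at the 8th "Failed" line, by which point the source has really failed 10 times, while the expanded stream fires at the 8th real failure; lowering the frequency to 6 on the compressed stream also fires at real failure 8 here, but only because this run happened to compress two events, so the "right" lowered number varies with how aggressively syslogd collapsed the burst. In OSSEC the comparable knob is the rule's frequency attribute: copy rule 5720 into local_rules.xml with overwrite="yes" and the lower value, which is the overwrite option the reply refers to. Expanding the repeat lines before OSSEC reads the log (for instance in a forwarder) is the alternative that keeps the default threshold counting real attempts.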