Hello;

I am a little confused. I have a config with a total of 80 rules; they all seem
to load well, according to the output generated when I start sec.
There is a catch-all config at the end, and so far it seems to be the *only
one* that actually reports anything at all.
The catch-all is as follows; I downloaded it from
http://simple-evcorr.sourceforge.net/rulesets/cisco-syslog.sec

# ----- process events that have not been matched by any of above rules -----

# Default match
# this rule will match anything not previously matched but allows only
# one notification per day for each new event class seen
#
type=singleWithSuppress
ptype=regexp
pattern=(%.*?:)
desc=$1
action=pipe '$0' /bin/mailx -s 'cisco event' [EMAIL PROTECTED]
window=86400

At the top of the config, around the second rule, I have the following:

type=single
desc=Illegal User Attempt
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user for illegal user)
action=pipe '$0' /bin/mailx -s "***ALERT*** $1 SSH Illegal User" [EMAIL PROTECTED]


I am testing my config by running a second instance of sec, with standard input
as well as a file as input.  Neither one triggers an alert, and the output in my
log is as follows:

Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user user1 from host111

Mar 10 11:41:40 myhostmyhost sshd[28961]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user user1 from host111

Mar 10 11:41:42 myhost/myhost sshd[28961]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user user1 from host111


Any help would be greatly appreciated.

Sincerely,

.vp
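An added check (editor's example, not part of the post above and not SEC's own code): the Python script below runs the posted "Illegal User Attempt" pattern, the catch-all's pattern and one suggested replacement over the three sshd lines from the post, re-joined into single syslog lines as the mail client would have received them. Python's re engine treats this pattern the same way as the Perl engine SEC uses. Two things the script makes visible: the hostname class [\w.-] in the posted pattern does not contain "/", so after "myhost/myhost" the required \s+ can never match (the line with "myhostmyhost" does match), and the catch-all's (%.*?:) only matches Cisco-style messages that contain a "%" mnemonic, so it cannot be the rule that fires on these sshd lines. The replacement pattern SUGGESTED is an assumption for illustration, not something proposed in the thread.

```python
import re

# Constructed sample input: the three sshd lines from the post, joined back
# into single syslog lines (the mail client wrapped them). The second keeps
# the "myhostmyhost" hostname exactly as it appears in the post.
LOG_LINES = [
    "Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] "
    "error: PAM: No account present for user for illegal user user1 from host111",
    "Mar 10 11:41:40 myhostmyhost sshd[28961]: [ID 800047 auth.error] "
    "error: PAM: No account present for user for illegal user user1 from host111",
    "Mar 10 11:41:42 myhost/myhost sshd[28961]: [ID 800047 auth.error] "
    "error: PAM: No account present for user for illegal user user1 from host111",
]

# Pattern copied from the posted "Illegal User Attempt" rule.
POSTED = re.compile(
    r"\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user for illegal user)"
)

# Pattern copied from the posted catch-all rule (cisco-syslog.sec).
CATCHALL = re.compile(r"(%.*?:)")

# Suggested replacement (my assumption, not from the thread): take any
# non-blank token as the hostname and also capture the user and source host.
SUGGESTED = re.compile(
    r"\S+\s+\d+\s+\S+\s+(\S+)\s+.+No account present for user for illegal user (\S+) from (\S+)"
)


def match_posted(line):
    """Hostname captured by the posted pattern, or None when it does not match."""
    m = POSTED.search(line)
    return m.group(1) if m else None


def match_catchall(line):
    """Event class captured by the catch-all pattern, or None."""
    m = CATCHALL.search(line)
    return m.group(1) if m else None


def match_suggested(line):
    """(host, user, source) from the suggested pattern, or None."""
    m = SUGGESTED.search(line)
    return m.groups() if m else None


def rejected_hostname_char(line):
    """First character of the hostname field (4th token) that the posted
    class [\\w.-] does not accept, or None when the whole field is accepted."""
    host = line.split()[3]
    for ch in host:
        if not re.fullmatch(r"[\w.\-]", ch):
            return ch
    return None


if __name__ == "__main__":
    for line in LOG_LINES:
        print(line[:40] + "...")
        print("  posted rule   :", match_posted(line))
        print("  catch-all rule:", match_catchall(line))
        print("  suggested     :", match_suggested(line))
        print("  bad host char :", rejected_hostname_char(line))
```

If the rule file is changed to the replacement pattern, $1 is the reporting host, $2 the rejected user name and $3 the source host, so the mailx subject in the action can name all three. One more thing worth checking on the test instance: if sec really receives these messages split across lines the way they appear in the mail, no single-line pattern can match them either, so feed one of the joined lines on standard input first and confirm the rule fires before looking further at the regexp.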


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Simple-evcorr-users] Looking For Help and Rules/Config For 
Security Log Parsing
Date: Mon, 10 Mar 2008 08:13:25 -0400

Risto;

Many, many thanks.  Those are all very excellent docs and will certainly answer 
many of my questions.

.vp

   Vadim Anatoly Pushkin
-- The Ukranian Stallion --

> Date: Sat, 8 Mar 2008 15:06:47 -0800
> From: [EMAIL PROTECTED]
> Subject: Re: [Simple-evcorr-users] Looking For Help and Rules/Config For 
> Security Log Parsing
> To: [EMAIL PROTECTED]; [email protected]
> 
> 
> > 
> > Hello;
> > 
> > My environment is mixed with MS Windows, Solaris,
> > Linux (Debian, FC and RH), Cisco routers, PIX
> > Firewalls.
> > 
> > I would like to begin using the collection of rules
> > and examples but find them confusing, always been at
> > regex/pcre/etc type stuff.  Looking for a good
> > tutorial to get me started using SEC very quickly. 
> > I've recently begun using it with syslog-ng and
> > unless the rules are extremely simple, i.e. there
> > was a login, then my rules fail.
> 
> If you are looking for a good tutorial, please check
> the tutorial written by Jim Brown
> (http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
> and
> http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html).
> 
> However, if you are struggling with regular
> expressions and find it difficult to write regexp's
> for certain events, you can always post questions to
> this list - we have discussed regexp issues here in
> the past. Also, check the following tutorial (part of
> the Perl documentation):
> http://perldoc.perl.org/perlretut.html
> hth,
> risto
> 
> > 
> > Also looking for any not well known repositories for
> > sec rulesets.
> > 
> > Thanks all,
> > 
> > .vp
> > 
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> > 
> 
> 
> 
