It comes back with "Invalid regular expression" for this rule and does not load.
> Date: Mon, 10 Mar 2008 12:26:08 -0400
> From: [EMAIL PROTECTED]
> Subject: Re: [Simple-evcorr-users] Looking For Help and Rules/Config For
> Security Log Parsing
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]; [email protected]
>
> [EMAIL PROTECTED] wrote:
> > type=single
> > desc=Illegal User Attempt
> > ptype=RegExp
> > pattern=\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user
> > for illegal user)
> > action=pipe '$0' /bin/mailx -s "***ALERT*** $1 SSH Illegal User"
> > [EMAIL PROTECTED]
>
> The pattern you are trying to use does not match the input you are
> giving it. Try something like follows (completely untested):
>
> pattern= ([A-z0-9._-\\]+) sshd\[[0-9]+\]: .*No account present for user
> for illegal user
>
> > Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] error:
> > PAM: No account present for user for illegal user user1 from host111
>
> I think one of the issues is that your syslog instance is setting the
> hostname to <sysloghost>/<hostname> which is not matching [\w\.\-]+
>
> --
> -dave
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
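As an added illustration (not code from the thread or from SEC itself), the check below reproduces both problems the thread points at against the sample syslog line: the rule's original host class `[\w\.\-]+` stops at the `/` in `myhost/myhost`, and the suggested `[A-z0-9._-\\]` class contains the range `_-\`, which the regex engine rejects, hence "Invalid regular expression". Python's `re` agrees with SEC's Perl engine on both points; the corrected pattern (allowing `/` in the host token, `-` placed last so it is literal, plus captures for the attempted user and source host) is an assumption of mine, not something from the thread.

```python
import re

# Constructed sample lines: the first is the syslog line quoted in the thread,
# the second is the same event from a syslog that does not prefix "host/".
SAMPLE_SLASH = ("Mar 10 11:41:38 myhost/myhost sshd[28961]: [ID 800047 auth.error] "
                "error: PAM: No account present for user for illegal user user1 from host111")
SAMPLE_PLAIN = ("Mar 10 11:41:38 myhost sshd[28961]: error: PAM: No account present "
                "for user for illegal user user1 from host111")

# Host capture from the original rule: '/' is not in the class, so it never
# reaches the following \s+ when the hostname is "myhost/myhost".
ORIGINAL = r"\S+\s+\d+\s+\S+\s+([\w\.\-]+)\s+.+(No account present for user for illegal user)"

# The suggested pattern as quoted in the reply: "_-\\" is parsed as a character
# range from '_' (0x5F) down to '\' (0x5C), which is invalid, so it does not compile.
SUGGESTED = r"([A-z0-9._-\\]+) sshd\[[0-9]+\]: .*No account present for user for illegal user"

# Assumed fix: '/' added to the host class and '-' moved to the end so it is literal;
# $1 = host, $2 = attempted user, $3 = source, usable in a SEC pipe action.
FIXED = (r"^\S+\s+\d+\s+\S+\s+([\w./-]+)\s+sshd\[\d+\]:.*"
         r"No account present for user for illegal user (\S+) from (\S+)")


def compiles(pattern):
    """Return True if the regex engine accepts the pattern, False if it rejects it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def match_host(pattern, line):
    """Return the captured host (group 1) or None if the pattern does not match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def match_fixed(line):
    """Return (host, attempted_user, source) from the corrected pattern, or None."""
    m = re.search(FIXED, line)
    return m.groups() if m else None
```

Running `compiles(SUGGESTED)` returns False for the same reason SEC reports an invalid regular expression, while `match_fixed` extracts `myhost/myhost`, `user1` and `host111` from the quoted line.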