Aashish, this task can be addressed by the following two rules -- the first does the counting, but the second ensures, by setting a context, that each user is counted only once. A similar ruleset (although somewhat more complex) has also been described in the Hakin9 paper about SEC (see the SEC homepage):
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=Accepted publickey for (\S+) from (\S+)
context=!COUNTED_$1
desc=Count distinct user logins for IP $2
action=write - three distinct user logins from IP $2
window=10
thresh=3

type=Single
ptype=RegExp
pattern=Accepted publickey for (\S+) from \S+
desc=Create "count once" context for user $1
action=create COUNTED_$1 10

There is only one subtle caveat -- if the counting window needs to be moved forward, it will be moved to the next _distinct_ user login. However, one could argue that if the first user tried to log in repeatedly two times without intervening logins from others, we should move the window to the second such login -- but we can't, since we have suppressed this event in the past with a context. Leaving that question about window sliding correctness aside, I think this ruleset probably does what you want.

br,
risto

Aashish Sharma wrote:
> Hello Josep:
>
> Thanks for your reply. I think with your rule, I will also get an alert if the same
> user logs into the system twice or more in the given window.
>
> I am looking for different users logging into the system from the same IP address
> in a given window AND not alerting for the same user.
>
> Hope I have clarified my point,
>
> Thanks,
> Aashish
>
> On Thu, Apr 02, 2009 at 08:34:22AM +0200, Josep Abenza wrote:
>> Hi Aashish,
>>
>> I think what you need is a SingleWithThreshold rule with the description
>> being:
>> 'Accepted publickey from IP $1'
>>
>> For example:
>>
>> type=SingleWithThreshold
>> ptype=RegExp
>> pattern=Accepted publickey for \S+ from (\S+)
>> desc=Login from IP $1
>> action=write - two logins from IP $1
>> window=10
>> thresh=2
>>
>> This way, since your description only includes the IP address, logins from
>> any user coming from the same IP will be correlated.
>>
>> Josep
>>
>> On Wed, Apr 1, 2009 at 11:56 PM, Aashish Sharma <[email protected]> wrote:
>>
>>> I am trying to define a rule-set which alerts on multiple (> 1) user logins
>>> from the *same* IP address to one or more systems within a certain duration.
>>>
>>> Apr 1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from xx.yy.96.100 port 27640 ssh2
>>> Apr 1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from xx.yy.96.100 port 16361 ssh2
>>> Apr 1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from xx.yy.96.100 port 16362 ssh2
>>> Apr 1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from xx.yy.96.100 port 16363 ssh2
>>>
>>
>>
>> --
>> IMPORTANT: This e-mail is only for the recipient(s) indicated above and may
>> contain information that is confidential or unsuitable for overly sensitive
>> people with low self-esteem, no sense of humour or irrational religious
>> beliefs. If you are not the intended recipient, distributing or copying this
>> e-mail is in irritatingly bad taste.
>>
>> No animals were harmed in the transmission of this e-mail (although, truth be
>> told, the neighbour's dog has had one foot in the grave for some time). To
>> reassure the followers of Iker J*m*n*z, be aware that reading this notice
>> backwards will not reveal any hidden message. However, if you draw a circle of
>> salt around yourself and your computer you will avoid any harm to yourselves
>> or your goldfish.
>>
>> If you have received this e-mail by mistake, please add nutmeg and three egg
>> whites, mix it all together and put it in the oven for forty minutes. Let it
>> cool and serve with Emmental.
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
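The following is an added example, not code from this thread or from SEC itself: a small Python model that replays constructed sshd lines through the two approaches discussed above, Josep's single per-IP threshold rule and risto's context-gated pair of rules. The sample lines (SAMPLE_LOG) are constructed, compressed into a few seconds so the 10-second window in the rules actually applies, and use the documentation address 192.0.2.10. The names parse, clock, ThresholdOp, josep_rule and risto_ruleset are this example's own; the way the window slides and the assumption that re-creating an existing context refreshes its lifetime are modelling simplifications, not SEC's exact engine semantics (risto's caveat about window sliding is exactly the point where the real engine differs).

```python
import re

# Constructed sample sshd lines (not from the thread): logins compressed into a few
# seconds so the rules' 10-second window applies; 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "Apr  1 16:18:01 host-1 sshd[1001]: Accepted publickey for user1 from 192.0.2.10 port 27640 ssh2",
    "Apr  1 16:18:03 host-1 sshd[1002]: Accepted publickey for user1 from 192.0.2.10 port 27641 ssh2",
    "Apr  1 16:18:05 host-2 sshd[1003]: Accepted publickey for user2 from 192.0.2.10 port 16361 ssh2",
    "Apr  1 16:18:07 host-1 sshd[1004]: Accepted publickey for user1 from 192.0.2.10 port 16362 ssh2",
    "Apr  1 16:18:08 host-1 sshd[1005]: Accepted publickey for user3 from 192.0.2.10 port 16363 ssh2",
    "Apr  1 16:18:30 host-1 sshd[1006]: Accepted publickey for user4 from 192.0.2.10 port 16364 ssh2",
]

# Same match as the rules' pattern, plus the syslog timestamp so the window can be applied.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2$"
)


def parse(line):
    """Return (seconds since midnight, user, ip) for an accepted-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, user, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), user, ip


def clock(t):
    """Format seconds since midnight as HH:MM:SS for the alert text."""
    return "%02d:%02d:%02d" % (t // 3600, t % 3600 // 60, t % 60)


class ThresholdOp:
    """One SingleWithThreshold operation per desc value (here: one per IP).

    Modelling assumption: events older than `window` seconds are dropped before
    counting, and an operation that has fired starts over. SEC's own window
    sliding differs, which is what risto's caveat is about."""

    def __init__(self, window, thresh):
        self.window, self.thresh, self.times = window, thresh, []

    def feed(self, t):
        self.times = [x for x in self.times if x > t - self.window]
        self.times.append(t)
        if len(self.times) >= self.thresh:
            self.times = []
            return True
        return False


def josep_rule(lines, window=10, thresh=2):
    """Josep's rule: desc keyed on the IP alone, so every accepted login counts,
    including repeated logins by the same user (Aashish's objection)."""
    ops, alerts = {}, []
    for t, _user, ip in filter(None, map(parse, lines)):
        if ops.setdefault(ip, ThresholdOp(window, thresh)).feed(t):
            alerts.append("%s %d logins from IP %s" % (clock(t), thresh, ip))
    return alerts


def risto_ruleset(lines, window=10, thresh=3, ctx_lifetime=10):
    """risto's pair: rule 1 counts a login only while no COUNTED_<user> context is
    alive; rule 2 (reached via continue=TakeNext) then creates that context."""
    ops, contexts, alerts = {}, {}, []   # contexts maps name -> expiry time
    for t, user, ip in filter(None, map(parse, lines)):
        ctx = "COUNTED_" + user
        if contexts.get(ctx, -1) <= t:      # context=!COUNTED_$1 holds: not alive
            if ops.setdefault(ip, ThresholdOp(window, thresh)).feed(t):
                alerts.append("%s %d distinct user logins from IP %s" % (clock(t), thresh, ip))
        # action=create COUNTED_$1 10 -- assumption: re-creating refreshes the expiry
        contexts[ctx] = t + ctx_lifetime
    return alerts


if __name__ == "__main__":
    for name, fn in (("Josep's rule", josep_rule), ("risto's ruleset", risto_ruleset)):
        print(name)
        for alert in fn(SAMPLE_LOG):
            print("  " + alert)
```

On the constructed sample, Josep's rule fires twice, the first time on user1's second login two seconds after the first, which is the case Aashish wanted to leave alone; risto's ruleset fires once, on user3 at 16:18:08, because user1's repeat logins at 16:18:03 and 16:18:07 are skipped while COUNTED_user1 is alive and user4 at 16:18:30 falls outside the window.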
