Given loglines like this:
Oct  7 08:46:20.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test
Oct  7 08:47:51.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/15 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test

And a pattern like this:
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sudo: (.*) : (\d+) incorrect password attempts ;.*USER=(.*) ; COMMAND=(.*)$

Is there a way to use $3 for the threshold and sum it instead of
using the line count?

I briefly cracked open sec.pl and found these lines:
    # thresh must be a positive integer (leading zeros are stripped); anything else is a rule error
    if ($ref->{"thresh"} !~ /^0*(\d+)$/  ||  $1 == 0) {
      log_msg(LOG_ERR, "Rule in $conffile at line $lineno:",
              "Invalid threshold '", $ref->{"thresh"}, "'");
      return 0;
    } else { $ref->{"thresh"} = $1; }

Ideally, if sec saw those two log lines, the thresh should be 6 in the
created context. My attempts to set thresh via eval have all failed
miserably. Is sec able to do this? Thanks

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
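The behaviour asked for above (summing $3 across lines rather than counting lines), shown as an added example that is not part of the original post and not SEC's own code: a small Python detector that applies the post's pattern, sums the attempt count per host/user/target over a sliding time window and reports when the sum reaches the threshold. It assumes the fixed-width syslog timestamp shown in the post, and that sudo writes the singular "attempt" when the count is 1, so the pattern below accepts both forms.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The post's pattern, with SEC's $1..$5 as groups 1..5. Assumption: sudo logs the singular
# "attempt" when the count is 1, so "attempts?" is accepted (the post's pattern needs the plural).
PATTERN = re.compile(r"^.+\d+:\d+:\d+\.\d+ (.+) sudo: (.*) : (\d+) incorrect password"
                     r" attempts? ;.*USER=(.*) ; COMMAND=(.*)$")


def parse(line):
    """Return (time, host, user, count, target) or None when the pattern does not match."""
    m = PATTERN.match(line)
    if not m:
        return None
    # Assumed fixed-width 19-char "Mon dd HH:MM:SS.mmm" prefix as in the post (no year).
    when = datetime.strptime(line[:19], "%b %d %H:%M:%S.%f")
    host, user, count, target, _command = m.groups()
    return when, host, user, int(count), target


def failed_sudo_alerts(lines, thresh, window):
    """Sum $3 per (host, user, target) over a sliding window of `window` seconds and
    report each time the sum reaches `thresh`, then reset, the way a fired SEC
    context would. Returns a list of (host, user, target, total) tuples."""
    recent = defaultdict(deque)  # key -> (time, count) events still inside the window
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unrelated line, or a format the pattern does not cover
        when, host, user, count, target = parsed
        q = recent[(host, user, target)]
        q.append((when, count))
        while (when - q[0][0]).total_seconds() > window:
            q.popleft()  # expire events older than the window
        total = sum(c for _, c in q)
        if total >= thresh:
            alerts.append((host, user, target, total))
            q.clear()
    return alerts


# Constructed sample input modelled on the post's two lines (one event per line),
# plus a third line with a single attempt that falls outside the window.
SAMPLE_LOG = [
    "Oct  7 08:46:20.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test",
    "Oct  7 08:47:51.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/15 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test",
    "Oct  7 08:59:00.000 ops1.sys.dev1.int sudo: jschroeder : 1 incorrect password attempt ; TTY=pts/16 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/id",
]
```

With `failed_sudo_alerts(SAMPLE_LOG, thresh=6, window=300)` the two lines from the post add up to 6 and fire once; with a 60 second window the first event has expired by the time the second arrives and nothing fires.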

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users