Our firewalls are occasionally brute-forced and we are looking to monitor those using sec. I've got it mostly working with the config below, but there is one issue:

############# Firewall Brute Force Detector ##############
#pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
type=SingleWithThreshold
ptype=RegExp
pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
desc=Possible brute force attack (ssh) on $1 from $3
window=60
thresh=5
context=!FIREWALL_BRUTE_FROM_$3
action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" [email protected]); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0

# Add extra events to the FIREWALL_BRUTE_FROM_HOST context
type=Single
ptype=RegExp
pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
desc=Possible brute force attack (ssh) on $1 from $3
context=FIREWALL_BRUTE_FROM_$3
action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" [email protected]);
##########################################################

An example log entry would look like this:
Jul 15 00:02:00.000 f01p.blah.int sshd[46042]: %AUTH-6: Failed password for admin from 220.136.15.64 port 34756 ssh2

So after 5 events, a FIREWALL_BRUTE_FROM_220.136.15.64 context is created. After 60 seconds have passed, it will shoot out an email. The contents of that email contain the very first of the first 5 events, and then anything that follows after the original context is created.

I'm running sec like this:
./sec-2.5.3.pl -input=- -debug=6 -conf=brute.conf

And feeding it this fake log:
Jul 15 00:02:00.000 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:01.001 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:02.002 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:03.003 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:04.004 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:05.005 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
Jul 15 00:02:06.006 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2

The email looks like this, but I'm trying to make it send all of the events:
5 failed ssh attempts within 60 seconds detected
Jul 15 00:02:00.000 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
"Jul 15 00:02:05.005 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2"
"Jul 15 00:02:06.006 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2"

What am I doing wrong here?


-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
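As an added example that is not part of the post above or of SEC itself, here is a small Python model of the correlation the two rules are aiming for: a per-source sliding window that opens a context after five failures within 60 seconds and keeps every contributing event, run over sample lines constructed in the post's log format (the second source IP 10.0.0.9 and its sshd PID are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Same message format as the log lines in the post (the timestamp carries no year).
LOG_RE = re.compile(
    r"^(\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [\w.]+ [\w\d]+\[\d+\]: "
    r"%AUTH-\d+: Failed password for [\w\d]+ from ([\d.]+) port \d+ \w+$"
)

def parse(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2)

def detect(lines, window=60, thresh=5):
    """Per-source sliding window: once `thresh` failures fall inside `window`
    seconds, open a context for that IP holding all of those failures and keep
    appending later failures to it. Returns {ip: [alert header, event, ...]}."""
    recent = defaultdict(deque)   # ip -> (timestamp, raw line) still inside the window
    opened = {}                   # ip -> collected lines once the threshold was hit
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in opened:          # context already open: only collect (post's 2nd rule)
            opened[ip].append(line)
            continue
        q = recent[ip]
        q.append((ts, line))
        while (ts - q[0][0]).total_seconds() > window:   # expire events outside the window
            q.popleft()
        if len(q) >= thresh:      # keep every contributing event, not just the last one
            opened[ip] = [f"{thresh} failed ssh attempts within {window} seconds detected"]
            opened[ip] += [raw for _, raw in q]
            del recent[ip]
    return opened

# Constructed sample input in the post's format: seven failures from one IP plus
# one stray failure from a second, made-up IP that must not trigger on its own.
SAMPLE = [f"Jul 15 00:02:0{i}.00{i} f01p.blah.int sshd[46043]: %AUTH-6: Failed "
          f"password for root from 220.136.15.64 port 34784 ssh2" for i in range(7)]
SAMPLE.append("Jul 15 00:02:03.500 f01p.blah.int sshd[46050]: %AUTH-6: Failed "
              "password for admin from 10.0.0.9 port 40000 ssh2")
if __name__ == "__main__":
    for ip, body in detect(SAMPLE).items():
        print(f"--- report for {ip} ---\n" + "\n".join(body))
```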

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users