In message <aanlktinc62hof5tw26qkoqhbbrwjy25ajvbcddj-t...@mail.gmail.com>, Jeff Schroeder writes:
>Our firewalls are occasionally brute forced and we are looking to
>monitor those using sec. I've got it mostly working with the config
>below but there is one issue:
>
>############# Firewall Brute Force Detector ##############
>#pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>type=SingleWithThreshold
>ptype=RegExp
>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>desc=Possible brute force attack (ssh) on $1 from $3
>window=60
>thresh=5
>context=!FIREWALL_BRUTE_FROM_$3
>action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0
>
># Add extra events to the FIREWALL_BRUTE_FROM_HOST context
>type=Single
>ptype=RegExp
>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>desc=Possible brute force attack (ssh) on $1 from $3
>context=FIREWALL_BRUTE_FROM_$3
>action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com);
>##########################################################

Maybe try reversing these two rules. When the SingleWithThreshold is
triggered, IIRC it consumes matching events, so everything after the 5th
event is suppressed for 60 seconds. From the man page:

  SingleWithThreshold - count matching input events during t seconds
  and if a given threshold is exceeded, execute an action and ignore
  all matching events during the rest of the time window.

By "ignore" I think it consumes the events so they aren't passed on to
following rules.
-- 
rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
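An added illustration of the rule-order effect described in the reply above (example code written for this page, not SEC's own code or anything from the thread). It is a toy model of the semantics the reply attributes to the man page: rules are tried in order, the first matching rule consumes the event (SEC's default when no continue option is set), and a SingleWithThreshold operation, once started for a source, keeps consuming matching events for the rest of its window without re-checking the context expression. That last point is the reply's reading of the man page and is an assumption of the model; the rule names, timings and source address are constructed to mirror the quoted config.

```python
# Toy model of the SEC rule evaluation described in the reply above.
# ASSUMPTION: a running SingleWithThreshold operation consumes every
# matching event until its window ends; contexts are checked only when
# a rule has no operation in progress for that source.
from dataclasses import dataclass, field


@dataclass
class Threshold:
    """SingleWithThreshold with context=!FIREWALL_BRUTE_FROM_$3."""
    window: int
    thresh: int
    ops: dict = field(default_factory=dict)   # src -> [start, count, fired]

    def feed(self, src, t, contexts):
        op = self.ops.get(src)
        if op is None or t - op[0] >= self.window:
            if src in contexts:                 # !CONTEXT is false: no match
                return False
            op = self.ops[src] = [t, 0, False]  # start a counting operation
        op[1] += 1
        if not op[2] and op[1] >= self.thresh:
            op[2] = True
            contexts[src] = []                  # action: create the context
        return True                             # matched -> event consumed


@dataclass
class Single:
    """Single with context=FIREWALL_BRUTE_FROM_$3: add the event to it."""

    def feed(self, src, t, contexts):
        if src not in contexts:
            return False
        contexts[src].append(t)                 # action: add CONTEXT "$0"
        return True


def run(rules, events):
    contexts = {}
    for t, src in events:
        for rule in rules:
            if rule.feed(src, t, contexts):
                break                           # later rules never see it
    return contexts


# Constructed input: 10 failed logins from one source, 4 seconds apart.
EVENTS = [(t, "10.0.0.9") for t in range(0, 40, 4)]


def collected(threshold_first):
    """Events that reach the Single rule's context for the given order."""
    rules = [Threshold(60, 5), Single()]
    if not threshold_first:
        rules.reverse()
    return len(run(rules, EVENTS).get("10.0.0.9", []))
```

With the threshold rule first, events 6 to 10 are swallowed by the running operation and the context stays empty; with the order reversed, the Single rule sees them.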