In message <aanlktinc62hof5tw26qkoqhbbrwjy25ajvbcddj-t...@mail.gmail.com>,
Jeff Schroeder writes:

>Our firewalls are occasionally brute forced and we are looking to
>monitor those using sec. I've got it mostly working with the config
>below but there is one issue:
>
>############# Firewall Brute Force Detector ##############
>#pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>type=SingleWithThreshold
>ptype=RegExp
>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>desc=Possible brute force attack (ssh) on $1 from $3
>window=60
>thresh=5
>context=!FIREWALL_BRUTE_FROM_$3
>action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0
>
># Add extra events to the FIREWALL_BRUTE_FROM_HOST context
>type=Single
>ptype=RegExp
>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>desc=Possible brute force attack (ssh) on $1 from $3
>context=FIREWALL_BRUTE_FROM_$3
>action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com);
>##########################################################

Maybe try reversing these two rules.  When the SingleWithThreshold is
triggered IIRC it consumes matching events so everything after the 5th
event is suppressed for 60 seconds. From the man page:

       SingleWithThreshold - count matching input events during t seconds  and
       if  a  given  threshold  is  exceeded, execute an action and ignore all
       matching events during the rest of the time window.

By "ignore" I think it means that it consumes the events, so they aren't
passed on to the following rules.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
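The correlation the two quoted rules are meant to perform (count failures per source IP in a 60-second sliding window, open a per-source context at the 5th, append later failures to it, and mail the collected events when the context expires) is small enough to model outside SEC. The block below is an added example written for this page, not SEC code or the poster's configuration: it implements that logic in Python and runs it over constructed log lines so the window, threshold and context-lifetime behaviour can be checked offline. The host name, IPs, pids and user are made up; the regex is adapted from the quoted pattern, and recording every event of the window in the report (rather than only the triggering `$0` line) is an assumption that goes beyond the quoted rule.

```python
"""Sliding-window SSH brute-force detector modelled on the two SEC rules above.

Added example, not SEC code: it mirrors the rules' intent (threshold, context,
extra events, delayed report). All hosts, IPs and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Adapted from the quoted pattern; the optional leading "<pri> " accepts both
# the commented-out and the live pattern variants from the thread.
LINE_RE = re.compile(
    r"^(?:<\d+> )?(\w+) (\d{2}) (\d{2}:\d{2}:\d{2})\.\d{3} ([\w.]+) "
    r"[\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) "
    r"from ([\d.]+) port \d+ (\w+)$"
)


class BruteForceDetector:
    """'active' plays the role of the FIREWALL_BRUTE_FROM_<ip> context,
    'reports' collects (subject, body) pairs that SEC would hand to /bin/mail."""

    def __init__(self, window=60, thresh=5, extend=30):
        self.window = timedelta(seconds=window)
        self.thresh = thresh
        self.extend = timedelta(seconds=extend)  # the "set ... 30" in rule two
        self.pending = defaultdict(list)          # src ip -> [(ts, line)] in window
        self.active = {}                          # src ip -> {"host", "expires", "events"}
        self.reports = []

    def _report(self, src):
        ctx = self.active.pop(src)
        subject = f"ssh brute force attack on {ctx['host']} from {src}"
        self.reports.append((subject, "\n".join(ctx["events"])))

    def _expire(self, now):
        # SEC runs the context's action (here: report) when its lifetime ends.
        for src in [s for s, c in self.active.items() if now >= c["expires"]]:
            self._report(src)

    def feed(self, line):
        """Return None (no match), 'counted', 'alert' (threshold reached,
        context created) or 'added' (appended to an existing context)."""
        m = LINE_RE.match(line)
        if not m:
            return None
        mon, day, hms, host, _user, src, _method = m.groups()
        now = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S")
        self._expire(now)

        ctx = self.active.get(src)
        if ctx is not None:
            # Second rule: context exists, so append the event and give the
            # context another 'extend' seconds before the report goes out.
            ctx["events"].append(line)
            ctx["expires"] = now + self.extend
            return "added"

        # First rule: drop events that fell out of the sliding window, then
        # test the threshold against what is left.
        q = self.pending[src]
        q.append((now, line))
        q[:] = [(t, l) for t, l in q if now - t < self.window]
        if len(q) < self.thresh:
            return "counted"
        secs = int(self.window.total_seconds())
        self.active[src] = {
            "host": host,
            "expires": now + self.window,
            # Assumption beyond the quoted rule: keep every event of the window.
            "events": [f"{self.thresh} failed ssh attempts within {secs} seconds detected"]
                      + [l for _, l in q],
        }
        del self.pending[src]
        return "alert"

    def flush(self):
        """Force-report any context still open (end of input); return reports."""
        for src in list(self.active):
            self._report(src)
        return self.reports


def simulate(lines, **kw):
    """Feed lines in order; return (per-line outcomes, reports)."""
    det = BruteForceDetector(**kw)
    outcomes = [det.feed(l) for l in lines]
    return outcomes, det.flush()


# Constructed sample log (host, IPs, pid and user are made up).
_FW = "fw1.example.net sshd[2214]: %AUTH-6: Failed password for admin from"
SAMPLE_LOG = [
    f"<134> Jun 03 10:00:01.000 {_FW} 192.0.2.10 port 51000 ssh2",
    f"Jun 03 10:00:03.000 {_FW} 192.0.2.10 port 51001 ssh2",
    f"Jun 03 10:00:04.000 {_FW} 203.0.113.5 port 40000 ssh2",
    f"Jun 03 10:00:05.000 {_FW} 192.0.2.10 port 51002 ssh2",
    f"Jun 03 10:00:07.000 {_FW} 192.0.2.10 port 51003 ssh2",
    f"Jun 03 10:00:09.000 {_FW} 192.0.2.10 port 51004 ssh2",  # 5th -> alert
    f"Jun 03 10:00:12.000 {_FW} 192.0.2.10 port 51005 ssh2",  # added to context
    f"Jun 03 10:00:15.000 {_FW} 192.0.2.10 port 51006 ssh2",  # added, expires 10:00:45
    "Jun 03 10:00:20.000 fw1.example.net sshd[2214]: %AUTH-6: Accepted password for admin from 198.51.100.7 port 2222 ssh2",
    f"Jun 03 10:02:00.000 {_FW} 192.0.2.10 port 51007 ssh2",  # context expired -> report
]

if __name__ == "__main__":
    outcomes, reports = simulate(SAMPLE_LOG)
    for line, what in zip(SAMPLE_LOG, outcomes):
        print(f"{str(what):8} {line}")
    for subject, body in reports:
        print("\n== would mail:", subject, "\n" + body)
```

Running it shows the tenth line being counted afresh rather than added: the context opened at 10:00:09 and extended to 10:00:45 by the two appended events has expired by 10:02:00, so the report is emitted first and a new window starts. Changing `thresh` or `window` in `simulate()` is the quickest way to see how the rule parameters move the alert point.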

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users