On Mon, Aug 2, 2010 at 2:28 PM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
> In message <aanlktinc62hof5tw26qkoqhbbrwjy25ajvbcddj-t...@mail.gmail.com>,
> Jeff Schroeder writes:
>
>>Our firewalls are occasionally brute forced and we are looking to
>>monitor those using sec. I've got it mostly working with the config
>>below but there is one issue:
>>
>>############# Firewall Brute Force Detector ##############
>>#pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>type=SingleWithThreshold
>>ptype=RegExp
>>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>desc=Possible brute force attack (ssh) on $1 from $3
>>window=60
>>thresh=5
>>context=!FIREWALL_BRUTE_FROM_$3
>>action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0
>>
>># Add extra events to the FIREWALL_BRUTE_FROM_HOST context
>>type=Single
>>ptype=RegExp
>>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>desc=Possible brute force attack (ssh) on $1 from $3
>>context=FIREWALL_BRUTE_FROM_$3
>>action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com);
>>##########################################################
>
> Maybe try reversing these two rules. When the SingleWithThreshold is
> triggered, IIRC it consumes matching events, so everything after the 5th
> event is suppressed for 60 seconds. From the man page:
>
>       SingleWithThreshold - count matching input events during t seconds and
>       if a given threshold is exceeded, execute an action and ignore all
>       matching events during the rest of the time window.
>
> By "ignore" I think it means it consumes the events so they aren't passed on to
> following rules.
>
> --
>                                -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

(sorry for the spam John. Forgot reply-all)

Thanks for the idea, but unfortunately, reversing the order of rules
doesn't work. Any ideas roughly where to look to fix this?

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
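Added example (not from this thread and not SEC's own code): a small Python model of the two posted rules, so the regex can be checked against log lines and the window/threshold/context hand-off can be stepped through offline. It takes event time from the log line's own HH:MM:SS.mmm field rather than the wall clock, and the log lines, host name, and addresses are constructed for the example. It models the rule text as written (count per source in a 60 s window, open a context on the 5th failure, then append later failures and extend the context by 30 s); it does not reproduce SEC's internal rule-matching order, which is the open question above.

```python
import re
from collections import defaultdict, deque

# Regex copied verbatim from the pattern= line of the posted SingleWithThreshold rule.
FAILED_LOGIN = re.compile(
    r"^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: "
    r"%AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$"
)

WINDOW = 60        # window=60 in the first rule
THRESH = 5         # thresh=5 in the first rule
CONTEXT_TTL = 60   # lifetime passed to 'create' in the first rule
EXTEND_TTL = 30    # lifetime passed to 'set' in the second rule


def event_time(line):
    """Seconds since midnight, taken from the third token (HH:MM:SS.mmm) of the line."""
    hh, mm, ss = line.split()[2].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


class BruteForceDetector:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> failure timestamps still inside the window
        self.contexts = {}                # src -> open FIREWALL_BRUTE_FROM_<src> context
        self.reports = []                 # expired contexts, i.e. what 'report' would mail

    def feed(self, line):
        """Process one log line; returns which branch of the rule pair it took."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return "nomatch"
        host, user, src, proto = m.groups()
        t = event_time(line)
        self.expire(t)

        ctx = self.contexts.get(src)
        if ctx is not None:
            # Second rule: context exists, append the raw line ($0) and extend by 30 s.
            ctx["lines"].append(line)
            ctx["expires"] = t + EXTEND_TTL
            return "collected"

        # First rule: no context yet, count this failure inside the sliding window.
        q = self.recent[src]
        q.append(t)
        while q and q[0] < t - WINDOW:
            q.popleft()
        if len(q) < THRESH:
            return "counted"

        # Threshold reached: create the context seeded with the summary text and $0.
        q.clear()
        self.contexts[src] = {
            "host": host,
            "expires": t + CONTEXT_TTL,
            "lines": [f"{THRESH} failed ssh attempts within {WINDOW} seconds detected", line],
        }
        return "alert"

    def expire(self, now):
        """Close contexts whose lifetime has run out and queue their content for reporting."""
        for src in [s for s, c in self.contexts.items() if now >= c["expires"]]:
            ctx = self.contexts.pop(src)
            self.reports.append((ctx["host"], src, ctx["lines"]))


def sample_line(ts, src, host="fw01", user="admin", port=40000):
    # Constructed log line in the shape the posted regex expects (hypothetical host/addresses).
    return f"Aug 02 {ts} {host} sshd[1234]: %AUTH-6: Failed password for {user} from {src} port {port} ssh2"


SAMPLE_LOG = [  # constructed input for this example
    sample_line("14:28:00.000", "192.0.2.10"),
    sample_line("14:28:10.000", "192.0.2.10"),
    sample_line("14:28:15.000", "198.51.100.7"),
    sample_line("14:28:20.000", "192.0.2.10"),
    sample_line("14:28:30.000", "192.0.2.10"),
    "Aug 02 14:28:35.000 fw01 sshd[1234]: %AUTH-6: Accepted password for admin from 203.0.113.9 port 40001 ssh2",
    sample_line("14:28:40.000", "192.0.2.10"),   # 5th failure inside 60 s: alert, context created
    sample_line("14:28:50.000", "192.0.2.10"),   # context open: collected by the second rule
    sample_line("14:28:55.000", "192.0.2.10"),
]


def run(lines):
    """Feed every line through the detector; returns (per-line labels, closed-context reports)."""
    det = BruteForceDetector()
    labels = [det.feed(ln) for ln in lines]
    det.expire(float("inf"))  # end of input: flush whatever is still open
    return labels, det.reports


if __name__ == "__main__":
    labels, reports = run(SAMPLE_LOG)
    for lbl, ln in zip(labels, SAMPLE_LOG):
        print(f"{lbl:9s} {ln}")
    for host, src, lines in reports:
        print(f"\nreport for {host} from {src}: {len(lines)} lines")
```

Swapping in your own log lines for SAMPLE_LOG is a quick way to confirm the regex actually matches your firewall's format before chasing rule-ordering behaviour in SEC itself.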

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
