On Mon, Aug 2, 2010 at 2:28 PM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
> In message <aanlktinc62hof5tw26qkoqhbbrwjy25ajvbcddj-t...@mail.gmail.com>,
> Jeff Schroeder writes:
>
>>Our firewalls are occasionally brute forced and we are looking to
>>monitor those using sec. I've got it mostly working with the config
>>below but there is one issue:
>>
>>############# Firewall Brute Force Detector ##############
>>#pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>type=SingleWithThreshold
>>ptype=RegExp
>>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>desc=Possible brute force attack (ssh) on $1 from $3
>>window=60
>>thresh=5
>>context=!FIREWALL_BRUTE_FROM_$3
>>action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0
>>
>># Add extra events to the FIREWALL_BRUTE_FROM_HOST context
>>type=Single
>>ptype=RegExp
>>pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
>>desc=Possible brute force attack (ssh) on $1 from $3
>>context=FIREWALL_BRUTE_FROM_$3
>>action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com);
>>##########################################################
>
> Maybe try reversing these two rules. When the SingleWithThreshold is
> triggered IIRC it consumes matching events so everything after the 5th
> event is suppressed for 60 seconds.
> From the man page:
>
> SingleWithThreshold - count matching input events during t seconds and
> if a given threshold is exceeded, execute an action and ignore all
> matching events during the rest of the time window.
>
> by ignore I think it consumes the events so they aren't passed on to
> following rules.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
(sorry for the spam John. Forgot reply-all)

Thanks for the idea, but unfortunately, reversing the order of rules
doesn't work. Any ideas roughly where to look to fix this?

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
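To see what John's reading of the man page means for the posted rule, here is an added Python model of SingleWithThreshold run over constructed log lines in the shape the rule's pattern matches. It is not part of this thread or of SEC itself; the sliding-window and suppression behaviour it encodes is an assumption taken from the quoted man-page text, and the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
# Same expression as the posted (uncommented) rule pattern, compiled once.
FAILED_PW = re.compile(
    r"^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: "
    r"Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$")

class ThresholdDetector:
    """Model of SingleWithThreshold (assumption from the quoted man page): count
    matches per (host, src) in a sliding window, fire at thresh, then ignore."""
    def __init__(self, window=60, thresh=5):
        self.window, self.thresh = window, thresh
        self.counted = defaultdict(list)  # key -> timestamps of counted events
        self.suppressed_until = {}        # key -> time when suppression ends
        self.alerts = []                  # (ts, host, user, src) per firing

    def feed(self, ts, line):
        """Returns 'nomatch', 'counted', 'alert' or 'consumed' for one line."""
        m = FAILED_PW.match(line)
        if not m:
            return "nomatch"
        host, user, src, _proto = m.groups()
        key = (host, src)                 # the rule's desc uses $1 and $3
        if key in self.suppressed_until:
            if ts < self.suppressed_until[key]:
                return "consumed"         # rest of the window: event is ignored
            del self.suppressed_until[key]
        seen = [t for t in self.counted[key] if ts - t < self.window] + [ts]
        self.counted[key] = seen
        if len(seen) >= self.thresh:
            self.alerts.append((ts, host, user, src))
            self.suppressed_until[key] = seen[0] + self.window
            self.counted[key] = []
            return "alert"
        return "counted"

def failed_login(ts, src, user="admin", host="fw01"):
    """Constructed log line in the shape the posted pattern expects."""
    return (f"Aug 02 14:{ts // 60:02d}:{ts % 60:02d}.000 {host} sshd[4242]: "
            f"%AUTH-6: Failed password for {user} from {src} port 51234 ssh2")

def run(samples):
    det = ThresholdDetector()
    return [det.feed(ts, line) for ts, line in samples], det.alerts

# Constructed sample: 7 failures in 30 s from one source, one from a second
# source, one more from the first after its window closes, one non-matching line.
SAMPLES = [(t, failed_login(t, "203.0.113.5")) for t in range(0, 35, 5)] + [
    (40, failed_login(40, "198.51.100.9")), (70, failed_login(70, "203.0.113.5")),
    (75, "Aug 02 14:01:15.000 fw01 sshd[4242]: %AUTH-6: Accepted password for admin from 203.0.113.5 port 51234 ssh2")]
```

Under this model the 6th and 7th failures are reported as consumed rather than passed on, which is the behaviour John describes; the same source is counted afresh once its window has closed.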