Hi, I am new to the SEC tool. I have a configuration file with the rule set listed below.

# Failed ssh logins for the same user from different IP addresses within a time period
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
desc=$1
action=logonly
window=60
thresh=3

# Failed XS logins for the same user from different IP addresses within a time period
type=SingleWithThreshold
ptype=RegExp
pattern=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
desc=Three XS login failures within 1m for user $2 from different source hosts
action=logonly
window=60
thresh=3

# Failed SSH, XS logins for same user on different IP addresses within a time period
type=PairWithWindow
ptype=RegExp
pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
desc=$1
continue=TakeNext
action=write - XS Failed login event didn't follow SSH failed event within window
ptype2=RegExp
pattern2=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
desc2=$2
action2=write - Failed SSH, ES logins for user $2 within 2 min window ;
window=120

The problem I am facing is that even though there are matched events in the input file, SEC never throws the actions specified in the "PairWithWindow" rule type. If I keep the same single rule in a separate configuration file and execute SEC, I can see the output on my console. My question is: can we have the same (duplicate) patterns in the configuration file?

Thanks,
Kiran

Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
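An added example, not part of Kiran's post: the same three rules with continue=TakeNext added to the two SingleWithThreshold rules. SEC evaluates rules in file order, and a rule whose pattern matches stops evaluation of that event for the rules below it unless its continue field says otherwise (the default is DontCont), so the PairWithWindow rule never receives the SSH or XS events while the threshold rules above it swallow them. The patterns are Kiran's; duplicate patterns across rules are allowed, the rule that sees an event is decided only by order and continue.

```text
# Failed ssh logins for the same user within a time period.
# continue=TakeNext hands the matched event on to the rules below
# (SEC's default, continue=DontCont, stops at the first matching rule).
# Note: desc=$1 keys the counter on the user only, so three failures
# from the same IP also reach the threshold.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
desc=Three SSH login failures within 1m for user $1
action=logonly
window=60
thresh=3
continue=TakeNext

# Failed XS logins for the same user within a time period.
type=SingleWithThreshold
ptype=RegExp
pattern=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
desc=Three XS login failures within 1m for user $2
action=logonly
window=60
thresh=3
continue=TakeNext

# Failed SSH login followed by a failed XS login within a 2 minute window.
# Reached only because the two rules above pass the event on.
type=PairWithWindow
ptype=RegExp
pattern=sshd\[\d+\]: error:\sPAM: Authentication failure for (\w+) from (\S+)
desc=SSH login failure for user $1
action=write - XS failed login did not follow the SSH failed login within window
ptype2=RegExp
pattern2=XSSYSLOG:(\S+).*:LOGON.*FAILURE\s+BY\s+(\S+)
desc2=XS login failure for user $2
action2=write - Failed SSH, XS logins for user $2 within 2 min window
window=120
```

Running sec with -conf pointing at this file and -input at the log shows the PairWithWindow actions on the console alongside the threshold rules' logonly output.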
