With ossec-hids-0.9 I'm having trouble getting a rule to work that will match multiple auth failures in syslog written by dovecot(pam_unix).
"dovecot(pam_unix)[25346]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=aa.bb.cc.dd"
By default, the authentication_failed group matches, and triggers the attack rule based on that, but it doesn't match the IP, so it doesn't trigger a block as I'd like it to.
So I added a rule to match <same_source_ip>, but that isn't ever triggered, since the source IP doesn't seem to be decoded - it's not showing in the alert logs that match the authentication failed messages.
I looked in the decoder.xml file and it looks like it should be matched by the pam decoder. I added a new decoder just for host, rather than host and user to try to catch it, but am not having any luck..
<decoder name="pam-host"> <parent>pam</parent> <prematch offset="after_parent">rhost=\S+</prematch> <regex offset="after_prematch">rhost=(\S+)</regex> <order>srcip</order> </decoder> Can you help me understand what I'm missing. Thanks, Ken A Pacific.Net
