Ok, so the net.police will probably come after me for following up on
my own message, but I just wanted to point out that Daniel was kind
enough to let me know that this option already exists. I didn't see
it listed in the online manual, so I assume it's a fairly new feature.
Anyway, that's good news, so I look forward to trying it out tomorrow!
Thanks, Daniel.
David
David J. Bianco wrote:
> Hi, all. I was looking into writing some basic correlation rules to
> detect excessive login attempts, and I noticed that it'd be really handy
> to have a rule option that could match multiple events by the same user.
>
> For example, I could do something like:
>
> <rule id="99999" level="10" frequency="10" timeframe="300" ignore="240">
>   <!-- frequency/timeframe rules match on previously fired alerts, so the
>        element is if_matched_group rather than if_group; a level attribute
>        is added because OSSEC rules need both an id and a level -->
>   <if_matched_group>authentication_success</if_matched_group>
>   <same_user />
>   <description>A single user generated too many logins</description>
> </rule>
>
> NOTE: that's untested, and I just wrote it for this email, but I think
> you get the idea. This would catch attacks where an intruder has
> captured a single user's login credentials and wants to try them
> everywhere on site, just to see what he has access to. Yeah, dumb
> idea, but we've seen it happen.
>
> David
>
>
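As an added illustration (not code from this thread and not OSSEC's own implementation), the script below models what the rule quoted above is meant to do: count successful logins per user over a sliding 300-second window, fire when the same user reaches ten, and then stay quiet for the 240-second ignore period. The sshd log lines, host names and addresses are constructed for the example, and the class and function names (SameUserLoginRule, run_rule, login_line) are mine, not OSSEC's.

```python
"""Toy per-user frequency/timeframe/ignore correlator, modelled on the
OSSEC <same_user /> rule discussed in the thread.  Added example; not OSSEC code."""
import re
from collections import defaultdict, deque

# Successful sshd logins only; "Failed password" lines deliberately do not match.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_login(line):
    """Return the user name from a successful sshd login line, else None."""
    m = LOGIN_RE.search(line)
    return m.group("user") if m else None


class SameUserLoginRule:
    """Fire when one user logs in `frequency` times within `timeframe` seconds
    (sliding window), then suppress that user for `ignore` seconds."""

    def __init__(self, rule_id, frequency, timeframe, ignore):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        self.history = defaultdict(deque)   # user -> deque of (ts, host)
        self.suppressed_until = {}          # user -> timestamp ignore ends

    def feed(self, ts, host, line):
        user = parse_login(line)
        if user is None:
            return None                     # not an authentication success
        if ts < self.suppressed_until.get(user, 0):
            return None                     # inside the ignore window
        window = self.history[user]
        window.append((ts, host))
        # Keep only events within `timeframe` seconds of the newest one.
        while window and ts - window[0][0] > self.timeframe:
            window.popleft()
        if len(window) < self.frequency:
            return None
        alert = {
            "rule_id": self.rule_id,
            "user": user,
            "ts": ts,
            "count": len(window),
            "hosts": sorted({h for _, h in window}),  # where the credential was used
        }
        window.clear()
        self.suppressed_until[user] = ts + self.ignore
        return alert


def run_rule(events, rule):
    """Feed (ts, host, line) tuples through the rule; return the alerts raised."""
    alerts = []
    for ts, host, line in events:
        alert = rule.feed(ts, host, line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def login_line(user, src):
    """Build a constructed sshd success line for the sample data."""
    return f"sshd[4242]: Accepted password for {user} from {src} port 51022 ssh2"


# Constructed sample events (seconds since an arbitrary start, host, line); not real logs.
SAMPLE_EVENTS = sorted(
    # alice logs into ten different hosts in three minutes: the credential sweep
    # the original message describes.
    [(20 * i, f"host{i:02d}", login_line("alice", "10.0.0.5")) for i in range(10)]
    # bob's three logins are normal and never reach the threshold.
    + [(t, "host01", login_line("bob", "10.0.0.9")) for t in (50, 100, 150)]
    # a failure and a session line are not authentication_success events.
    + [(60, "host03", "sshd[4243]: Failed password for alice from 10.0.0.5 port 51030 ssh2"),
       (61, "host03", "sshd[4243]: pam_unix(sshd:session): session opened for user alice")]
    # alice again inside the 240 s ignore window: suppressed, not counted.
    + [(200, "host11", login_line("alice", "10.0.0.5")),
       (300, "host12", login_line("alice", "10.0.0.5"))]
    # alice after the ignore window: counting starts over, only two events.
    + [(500, "host13", login_line("alice", "10.0.0.5")),
       (520, "host14", login_line("alice", "10.0.0.5"))]
    # carol logs in ten times but 60 s apart, so no 300 s window ever holds ten.
    + [(1000 + 60 * i, f"host{i:02d}", login_line("carol", "10.0.0.7")) for i in range(10)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS, SameUserLoginRule("99999", 10, 300, 240)):
        print(a)
```

Running it raises exactly one alert, for alice at t=180, listing the ten hosts she reached; bob, carol and the suppressed or post-window alice logins produce nothing. Two practical notes when turning this into a real OSSEC rule: the list of hosts is the part an analyst needs, since the whole point is one credential showing up across the site, and OSSEC's rule documentation notes that the number of matches that actually triggers a frequency rule is two more than the configured value, so tune the threshold against real data rather than trusting the number in the attribute.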