Hello,

Earlier this week we received one imapd event with an associated IP
address that triggered a single 2501 alert.  Around the same time, we
received nine 2501 alerts from xscreensaver on someone's PC.

The result was that a 40111 was triggered.  Since a 40111's only
criterion is inclusion in the "authentication_failed" group and the
only IP address was from the imapd event, the source host for the
imapd event was blocked.

I suggest that a 40111 should include the <same_source_ip /> criterion
as well.

Comments?

Here's what the log looked like:

** Alert 1279066528.1780701: mail  - syslog,attacks,authentication_failures,
2010 Jul 13 17:15:28 (hostname1) hostname1_ip->/var/adm/messages
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Src IP: w.x.y.z
User: c5m7
Jul 13 17:15:27 hostname1 imapd[6082]: [ID 210418 auth.notice] Login excessive login failures user=c5m7 auth=c5m7 host=hostname2 [w.x.y.z]
Jul 13 17:15:21 hostname3 unix2_chkpwd[19813]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:15:16 hostname3 unix2_chkpwd[19812]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:15:16 hostname1 imapd[6082]: [ID 210418 auth.notice] Login failed user=c5m7 auth=c5m7 host=hostname2 [w.x.y.z]
Jul 13 17:14:46 hostname3 unix2_chkpwd[19777]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:14:41 hostname3 unix2_chkpwd[19776]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:14:10 hostname3 unix2_chkpwd[19775]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:14:05 hostname3 unix2_chkpwd[19774]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:13:35 hostname3 unix2_chkpwd[19771]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:13:30 hostname3 unix2_chkpwd[19770]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:12:59 hostname3 unix2_chkpwd[19739]: pam_authenticate(xscreensaver, root): Authentication failure

Here's what a 40111 looks like:

  <rule id="40111" level="10" frequency="10" timeframe="160">
    <if_matched_group>authentication_failed</if_matched_group>
    <description>Multiple authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

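The correlation described in the message, as an added example that is not part of the original post or of OSSEC's own code: a small Python simulation of how a frequency/timeframe rule counts events in the authentication_failed group, run once with the 40111 as shipped and once with `<same_source_ip />` added. The counting model is a simplification (an alert fires as soon as `frequency` events of the group fall inside `timeframe` seconds, and the window is cleared after it fires); the assumption that every quoted log line was matched into the authentication_failed group, and the IP 192.0.2.10 standing in for the post's w.x.y.z, are mine.

```python
# Added example (not from the original post or from OSSEC): simulate the
# frequency/timeframe correlation of rule 40111 with and without
# <same_source_ip />.  Counting model is simplified, see lead-in.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# The 40111 exactly as quoted in the post.
RULE_AS_SHIPPED = """
<rule id="40111" level="10" frequency="10" timeframe="160">
  <if_matched_group>authentication_failed</if_matched_group>
  <description>Multiple authentication failures.</description>
  <group>authentication_failures,</group>
</rule>
"""

# The change the post proposes: correlate only events sharing a source IP.
RULE_PROPOSED = """
<rule id="40111" level="10" frequency="10" timeframe="160">
  <if_matched_group>authentication_failed</if_matched_group>
  <same_source_ip />
  <description>Multiple authentication failures.</description>
  <group>authentication_failures,</group>
</rule>
"""

# Constructed log lines modelled on those quoted in the post, oldest first.
# Only the imapd lines carry a source IP (192.0.2.10 stands in for w.x.y.z).
SAMPLE_LOG = """\
Jul 13 17:12:59 hostname3 unix2_chkpwd[19739]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:13:30 hostname3 unix2_chkpwd[19770]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:13:35 hostname3 unix2_chkpwd[19771]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:14:05 hostname3 unix2_chkpwd[19774]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:14:10 hostname3 unix2_chkpwd[19775]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:14:41 hostname3 unix2_chkpwd[19776]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:14:46 hostname3 unix2_chkpwd[19777]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:15:16 hostname1 imapd[6082]: [ID 210418 auth.notice] Login failed user=c5m7 auth=c5m7 host=hostname2 [192.0.2.10]
Jul 13 17:15:16 hostname3 unix2_chkpwd[19812]: pam_authenticate(xscreensaver, user1): Authentication failure
Jul 13 17:15:21 hostname3 unix2_chkpwd[19813]: pam_authenticate(xscreensaver, root): Authentication failure
Jul 13 17:15:27 hostname1 imapd[6082]: [ID 210418 auth.notice] Login excessive login failures user=c5m7 auth=c5m7 host=hostname2 [192.0.2.10]
"""

# Trailing "[a.b.c.d]" as written by imapd.
SRCIP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*$")


def parse_rule(xml_text):
    """Extract the fields this simulation needs from an OSSEC-style <rule>."""
    rule = ET.fromstring(xml_text)
    return {
        "id": rule.get("id"),
        "frequency": int(rule.get("frequency")),
        "timeframe": int(rule.get("timeframe")),
        "group": rule.findtext("if_matched_group"),
        "same_source_ip": rule.find("same_source_ip") is not None,
    }


def parse_events(log_text):
    """Turn syslog lines into (timestamp, srcip-or-None, groups) tuples."""
    events = []
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        m = SRCIP_RE.search(line)
        srcip = m.group(1) if m else None
        # Assumption: each line was already matched by a rule in the
        # authentication_failed group (the 2501 alerts in the post).
        events.append((ts, srcip, {"authentication_failed"}))
    return events


def correlate(rule, events):
    """Return one alert per event at which the threshold is reached.

    Each alert records the trigger time and the source IPs among the
    counted events, i.e. what an active response would end up blocking.
    """
    alerts = []
    window = []  # (ts, srcip) of earlier events still inside the timeframe
    for ts, srcip, groups in events:
        if rule["group"] not in groups:
            continue
        window = [e for e in window
                  if (ts - e[0]).total_seconds() <= rule["timeframe"]]
        window.append((ts, srcip))
        if rule["same_source_ip"]:
            # Only events carrying the same, non-empty source IP correlate;
            # the xscreensaver lines have none, so they never pile up.
            counted = [e for e in window if srcip is not None and e[1] == srcip]
        else:
            counted = list(window)
        if len(counted) >= rule["frequency"]:
            alerts.append({
                "rule": rule["id"],
                "time": ts.strftime("%H:%M:%S"),
                "srcips": sorted({e[1] for e in counted if e[1]}),
            })
            window = []  # simplification: start a fresh window after firing
    return alerts


def run(rule_xml, log_text=SAMPLE_LOG):
    """Evaluate one rule against the sample log and return its alerts."""
    return correlate(parse_rule(rule_xml), parse_events(log_text))


if __name__ == "__main__":
    print("as shipped:", run(RULE_AS_SHIPPED))
    print("proposed:  ", run(RULE_PROPOSED))
```

With the rule as shipped, the ten events between 17:12:59 and 17:15:21 fall within 160 seconds, the rule fires, and the only source IP in the counted set is the imapd host, which is exactly what the active response then blocks. With `<same_source_ip />` the nine xscreensaver failures carry no source IP and cannot correlate with each other or with the imapd lines, so the two imapd events never reach the threshold and nothing fires.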