Have you considered breaking it into two rules like this? (Sorry I
don't have an OSSEC server available to me right now to test with.)
<!-- Ignore mistyped passwords until 3rd occurrence -->
<rule id="101002" level="4" frequency="3" timeframe="360">
  <if_sid>1002</if_sid>
  <match>error trying to bind as user</match>
  <description>Wrong password</description>
</rule>
<rule id="101003" level="5" frequency="3" timeframe="360">
  <if_matched_sid>101002</if_matched_sid>
  <description>Wrong password entered repeatedly</description>
</rule>
</group> <!-- SYSLOG,errors -->
Please let us know how it goes.
Regards,
--
Doug Burks, GPEN, GCIH, GCIA, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE <[email protected]> wrote:
> There is a syslog rule (1002) which looks for any one of a list of
> "bad words".
> On my RHEL servers this is picking up any mis-typed passwords.
>
> Received From: (server) 123.456.789.012->/var/log/secure
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
> Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as
> user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
>
> Whilst I want rule 1002 to remain, in the case of mistyped passwords I
> only want to be informed if this occurs multiple times.
> I created an override in local_rules
>
> <group name="syslog,errors,">
>
> <!-- Ignore mistyped passwords until 3rd occurrence -->
> <rule id="101002" level="5" frequency="3" timeframe="360">
>   <if_matched_sid>1002</if_matched_sid>
>   <match>error trying to bind as user</match>
>   <description>Wrong password entered repeatedly</description>
> </rule>
> </group> <!-- SYSLOG,errors -->
>
> but this is not working.
>
> Can you combine if_matched_sid with match?
> Is there an easier way to do this?
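As an added illustration (not part of the thread and not OSSEC code), the Python below models the two-rule chain from the reply over constructed /var/log/secure lines: rule 1002 on any "bad word", 101002 as its child narrowed by the match string, and 101003 counting 101002 hits within the 360-second timeframe. The bad-word list and the reset of the counting window after an alert are simplifying assumptions, not OSSEC's exact behaviour.

```python
from collections import deque
from datetime import datetime

# Assumed stand-in for the "bad words" of OSSEC rule 1002 (the real list is longer).
BAD_WORDS = ("error", "failed", "denied")
MATCH_101002 = "error trying to bind as user"
FREQUENCY, TIMEFRAME = 3, 360   # values taken from the rule in the thread

def parse_syslog_time(line, year=2010):
    """Turn the leading 'Sep 23 10:32:25' of a syslog line into a datetime."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def evaluate(lines):
    """Return, per line, the id of the highest rule that fired (None if none).

    Chain modelled: 1002 (any bad word) -> 101002 (if_sid 1002 + match)
    -> 101003 (if_matched_sid 101002, FREQUENCY hits within TIMEFRAME seconds)."""
    window = deque()          # times at which 101002 fired, still inside the timeframe
    results = []
    for line in lines:
        fired = None
        if any(word in line for word in BAD_WORDS):
            fired = 1002
            if MATCH_101002 in line:
                fired = 101002
                now = parse_syslog_time(line)
                window.append(now)
                while (now - window[0]).total_seconds() > TIMEFRAME:
                    window.popleft()
                if len(window) >= FREQUENCY:
                    fired = 101003
                    window.clear()   # simplification: start counting afresh after the alert
        results.append(fired)
    return results

def bind_error(stamp, pid):
    """Build a constructed pam_ldap bind-failure line in the format quoted in the thread."""
    return (f"Sep 23 {stamp} server sshd[{pid}]: pam_ldap: error trying to bind as user "
            '"uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)')

# Constructed sample log (not real data).
SAMPLE_LOG = [
    bind_error("10:32:25", 25209),
    bind_error("10:33:10", 25211),
    bind_error("10:34:02", 25213),   # third failure within 360 s -> 101003
    bind_error("11:00:00", 25300),   # window was reset, so this is a lone 101002 again
    "Sep 23 11:01:00 server sshd[25301]: error: something else failed",   # 1002 only
    "Sep 23 11:02:00 server sshd[25302]: Accepted publickey for user123",  # no rule
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```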