In my haste, I forgot to take out the frequency and timeframe from the
first rule. So here's my updated recommendation:
<group name="syslog,errors,">
<!-- Ignore mistyped passwords until 3rd occurrence -->
<rule id="101002" level="4">
<if_sid>1002</if_sid>
<match>error trying to bind as user</match>
<description>Wrong password</description>
</rule>
<rule id="101003" level="5" frequency="3" timeframe="360">
<if_matched_sid>101002</if_matched_sid>
<description>Wrong password entered repeatedly</description>
</rule>
</group> <!-- SYSLOG,errors -->
I did a quick test of these rules and they appear to work correctly.
Please let us know how it goes.
Regards,
--
Doug Burks, GPEN, GCIH, GCIA, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
On Sep 23, 6:58 am, Doug Burks <[email protected]> wrote:
> Have you considered breaking it into two rules like this? (Sorry I
> don't have an OSSEC server available to me right now to test with.)
>
> <!-- Ignore mistyped passwords until 3rd occurrence -->
> <rule id="101002" level="4" frequency="3" timeframe="360">
> <if_sid>1002</if_sid>
> <match>error trying to bind as user</match>
> <description>Wrong password</description>
> </rule>
>
> <rule id="101003" level="5" frequency="3" timeframe="360">
> <if_matched_sid>101002</if_matched_sid>
> <description>Wrong password entered repeatedly</description>
> </rule>
> </group> <!-- SYSLOG,errors -->
>
> Please let us know how it goes.
>
> Regards,
> --
> Doug Burks, GPEN, GCIH, GCIA, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
>
>
> On Thu, Sep 23, 2010 at 6:33 AM, ItsMikeE <[email protected]> wrote:
> > There is a syslog rule (1002) which looks for any one of a list of
> > "bad words".
> > On my RHEL servers this is picking up any mis-typed passwords
>
> > Received From: (server) 123.456.789.012->/var/log/secure
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> > system."
> > Portion of the log(s):
> > Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as
> > user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
>
> > Whilst I want rule 1002 to remain, in the case of mistyped passwords I
> > only want to be informed if this occurs multiple times.
> > I created an override in local_rules
>
> > <group name="syslog,errors,">
>
> > <!-- Ignore mistyped passwords until 3rd occurrence -->
> > <rule id="101002" level="5" frequency="3" timeframe="360">
> > <if_matched_sid>1002</if_matched_sid>
> > <match>error trying to bind as user</match>
> > <description>Wrong password entered repeatedly</description>
> > </rule>
> > </group> <!-- SYSLOG,errors -->
>
> > but this is not working.
>
> > Can you combine if_matched_sid with match?
> > Is there an easier way to do this?
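As an added illustration (not code from the thread or from OSSEC itself), the following Python script simulates how the two-rule chain in Doug's updated recommendation behaves on sample /var/log/secure lines. It parses the rule XML with ElementTree and applies a simplified model of OSSEC's matching: <match> is a literal substring test with '|' as OR, <if_sid> requires the parent rule to have matched the same event, and <if_matched_sid> with frequency/timeframe fires once the parent has matched `frequency` times within `timeframe` seconds, after which the window is reset. The real rule 1002 and its $BAD_WORDS list are replaced by a constructed stub, the log lines are constructed, and the year 2010 is assumed for timestamp parsing; the exact counting behaviour of the OSSEC engine may differ from this simplification.

```python
# Added example: simulate the base-rule / frequency-rule chain from the thread.
# Simplified OSSEC semantics; rule 1002 below is a constructed stand-in.
import xml.etree.ElementTree as ET
from collections import deque
from datetime import datetime

RULES_XML = """
<group name="syslog,errors,">
  <!-- constructed stand-in for the stock rule 1002 ($BAD_WORDS) -->
  <rule id="1002" level="2">
    <match>error|failed|denied</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <!-- Ignore mistyped passwords until 3rd occurrence -->
  <rule id="101002" level="4">
    <if_sid>1002</if_sid>
    <match>error trying to bind as user</match>
    <description>Wrong password</description>
  </rule>
  <rule id="101003" level="5" frequency="3" timeframe="360">
    <if_matched_sid>101002</if_matched_sid>
    <description>Wrong password entered repeatedly</description>
  </rule>
</group>
"""

# Constructed sample log lines (syslog has no year; 2010 is assumed below).
BIND_ERR = ('server sshd[25209]: pam_ldap: error trying to bind as user '
            '"uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)')
SAMPLE_LOGS = [
    "Sep 23 10:32:25 " + BIND_ERR,
    "Sep 23 10:32:40 server kernel: error reading device sda",  # generic 1002 hit
    "Sep 23 10:33:10 " + BIND_ERR,
    "Sep 23 10:34:00 " + BIND_ERR,   # third bind failure within 360 s
    "Sep 23 11:00:00 " + BIND_ERR,   # outside the window: single failure again
]


def load_rules(xml_text):
    """Parse <rule> elements into dicts, keeping document order (parents first)."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "frequency": int(r.get("frequency", "0")),
            "timeframe": int(r.get("timeframe", "0")),
            "if_sid": r.findtext("if_sid"),
            "if_matched_sid": r.findtext("if_matched_sid"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        }
    return rules


def match_text(pattern, line):
    """OSSEC <match>: literal substring test, '|' separating alternatives."""
    return any(alt in line for alt in pattern.split("|"))


def parse_ts(line, year=2010):
    """Syslog timestamps carry no year; one is assumed so intervals can be computed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.windows = {rid: deque() for rid in rules}  # per-rule hit timestamps

    def process(self, line):
        """Return the deepest rule matched for this line (the one OSSEC would
        alert on), or None when no rule matched."""
        ts = parse_ts(line)
        fired = set()
        last = None
        for rule in self.rules.values():
            if rule["if_sid"] and rule["if_sid"] not in fired:
                continue
            if rule["match"] and not match_text(rule["match"], line):
                continue
            if rule["if_matched_sid"]:
                if rule["if_matched_sid"] not in fired:
                    continue
                win = self.windows[rule["id"]]
                win.append(ts)
                while (ts - win[0]).total_seconds() > rule["timeframe"]:
                    win.popleft()          # drop hits older than the timeframe
                if len(win) < rule["frequency"]:
                    continue
                win.clear()                # composite fired: start a fresh window
            fired.add(rule["id"])
            last = rule
        return last


def run(xml_text, lines):
    """Feed the lines through one correlator and return the matched rule per line."""
    corr = Correlator(load_rules(xml_text))
    return [corr.process(line) for line in lines]


if __name__ == "__main__":
    for line, rule in zip(SAMPLE_LOGS, run(RULES_XML, SAMPLE_LOGS)):
        print(f"{line[:15]}  rule {rule['id']} (level {rule['level']}): {rule['description']}")
```

Run as-is, the script shows the first two bind failures surfacing as rule 101002 (level 4), the third within 360 seconds escalating to 101003 (level 5), the unrelated kernel line staying at the generic rule 1002, and the failure at 11:00 starting a new window. Whether the level-4 hits are visible depends on the alert level configured on the server; the escalation to level 5 is the part the thread is after.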