You could use this OSSEC default rule as a way to create it. This rule
triggers when the "attacks" group gets triggered 4 times (frequency +
2) within 300 seconds (5 minutes) AND the group "adduser" is
triggered.

<group name="syslog,elevation_of_privilege,">
  <rule id="40501" level="15" timeframe="300" frequency="2">
    <if_group>adduser</if_group>
    <if_matched_group>attacks</if_matched_group>
    <description>Attacks followed by the addition </description>
    <description>of an user.</description>
  </rule>
</group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->



On Dec 30 2011, 12:08 pm, Phil Cox <[email protected]> wrote:
> Anyway to use OSSEC to write a rule that would alert on the following:
>
> "If > X failed SSH login attempts, then Success -> Send alert"
>
> Any pointers are appreciated.
>
> Phil
> --
> Director of Security and Compliance
> RightScale Inc -http://www.rightscale.com
> 805-243-0942
> Skype: phil.cox.rs
> Twitter: @sec_prof

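Applying the same if_group / if_matched_group pattern to the SSH case asked about in the thread, as an added example (not from the thread or from the OSSEC project's shipped rules): a local rule that fires when a successful sshd login is seen after repeated sshd failures from the same source within the timeframe. It assumes rule id 100100 is unused in your local_rules.xml (the 100000+ range is reserved for local rules) and that the stock sshd rules tag failures with the group "authentication_failed" and successes with "authentication_success".

```xml
<!-- Added example, not part of the original thread or of OSSEC's shipped rules.
     Assumed: id 100100 is free in local_rules.xml, and the stock sshd rules
     use the groups "authentication_failed" and "authentication_success". -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10" frequency="4" timeframe="300">
    <!-- the event that completes the sequence: a successful SSH login -->
    <if_group>authentication_success</if_group>
    <!-- what must already have matched repeatedly within the timeframe -->
    <if_matched_group>authentication_failed</if_matched_group>
    <!-- only count failures that came from the same source as the success -->
    <same_source_ip />
    <description>SSH login succeeded after repeated failures from the same source.</description>
  </rule>
</group>
```

The frequency counting noted in the reply above (the rule fires on frequency + 2 matches) applies here as well, so set frequency with that offset in mind, and pick a level at or above the alert threshold configured in ossec.conf so the alert is actually emitted. Without `<same_source_ip />` a single success from anywhere would satisfy the rule whenever failures were recent, which makes it noisy on hosts exposed to routine scanning.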