Also, this rule already exists:

  <rule id="40112" level="12" timeframe="240">
    <if_group>authentication_success</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <same_source_ip />
    <description>Multiple authentication failures followed </description>
    <description>by a success.</description>
  </rule>

On Jan 3, 3:25 pm, BP9906 <[email protected]> wrote:
> You could use this ossec default rule as a way to create it. This rule
> triggers when the "attacks" group gets triggered 4 times (frequency +
> 2) within 300 seconds (5 minutes) AND the group "adduser" is
> triggered.
>
> <group name="syslog,elevation_of_privilege,">
>   <rule id="40501" level="15" timeframe="300" frequency="2">
>     <if_group>adduser</if_group>
>     <if_matched_group>attacks</if_matched_group>
>     <description>Attacks followed by the addition </description>
>     <description>of an user.</description>
>   </rule>
> </group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->
>
> On Dec 30 2011, 12:08 pm, Phil Cox <[email protected]> wrote:
>
> > Anyway to use OSSEC to write a rule that would alert on the following:
>
> > "If > X failed SSH login attempts, then Success -> Send alert"
>
> > Any pointers are appreciated.
>
> > Phil
> > --
> > Director of Security and Compliance
> > RightScale Inc - http://www.rightscale.com
> > 805-243-0942
> > Skype: phil.cox.rs
> > Twitter: @sec_prof
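As an added illustration (not code from the thread or from the OSSEC project), the following Python script models how the composite rule 40112 quoted above behaves: an `authentication_success` event from a source IP fires when that same IP produced enough `authentication_failures` events inside the `timeframe`. The sample log lines, the host name and the addresses are constructed, the year (syslog lines carry none) is assumed to be 2012, and the failure threshold of 3 is an assumption of the model; the post above notes that in real OSSEC the count is `frequency + 2`, which this model does not reproduce, it simply takes the threshold directly.

```python
"""Simplified model of an OSSEC-style composite rule (constructed example,
not OSSEC code): alert on an authentication success that follows
min_failures or more failures from the same source IP within timeframe."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/syslog-style sample lines (hypothetical host, RFC 5737 test addresses).
SAMPLE_LOG = """\
Jan  3 15:20:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Jan  3 15:20:07 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan  3 15:20:15 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jan  3 15:20:22 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan  3 15:21:02 host sshd[105]: Accepted password for root from 203.0.113.5 port 4005 ssh2
Jan  3 15:21:30 host sshd[106]: Failed password for bob from 198.51.100.9 port 5001 ssh2
Jan  3 15:22:00 host sshd[107]: Accepted publickey for bob from 198.51.100.9 port 5002 ssh2
Jan  3 15:30:00 host sshd[108]: Accepted password for alice from 192.0.2.77 port 6001 ssh2
Jan  3 15:31:00 host cron[109]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
OK_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_event(line, year=2012):
    """Map a log line to (group, timestamp, user, srcip); None if it is not an
    auth event. The year is assumed because syslog timestamps omit it."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    f = FAIL_RE.search(line)
    if f:
        return ("authentication_failures", ts, f.group(1), f.group(2))
    s = OK_RE.search(line)
    if s:
        return ("authentication_success", ts, s.group(1), s.group(2))
    return None


class FailuresThenSuccessRule:
    """Models rule 40112: if_group=authentication_success,
    if_matched_group=authentication_failures, same_source_ip, timeframe=240.
    min_failures is this model's own threshold (assumed, see lead-in)."""

    def __init__(self, rule_id=40112, level=12, timeframe=240, min_failures=3):
        self.rule_id = rule_id
        self.level = level
        self.timeframe = timedelta(seconds=timeframe)
        self.min_failures = min_failures
        self._failures = defaultdict(deque)  # srcip -> failure timestamps (<same_source_ip />)

    def feed(self, event):
        """Consume one parsed event; return an alert dict or None."""
        group, ts, user, srcip = event
        window = self._failures[srcip]
        while window and ts - window[0] > self.timeframe:  # expire failures outside timeframe
            window.popleft()
        if group == "authentication_failures":
            window.append(ts)
            return None
        if group == "authentication_success" and len(window) >= self.min_failures:
            alert = {"rule_id": self.rule_id, "level": self.level, "srcip": srcip,
                     "user": user, "failures": len(window), "time": ts,
                     "description": "Multiple authentication failures followed by a success."}
            window.clear()  # the correlated failures have been consumed by this alert
            return alert
        return None


def run_rule(log_text, **rule_kwargs):
    """Feed every auth event of log_text through the rule; return the alerts raised."""
    rule = FailuresThenSuccessRule(**rule_kwargs)
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        alert = rule.feed(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rule(SAMPLE_LOG):
        print(f"rule {a['rule_id']} level {a['level']} {a['time']}: {a['srcip']} "
              f"user={a['user']} failures={a['failures']}: {a['description']}")
```

Running it on the sample log raises one alert, for 203.0.113.5 (four failures, then a successful root login 61 seconds after the first failure). The single failure from 198.51.100.9 stays below the threshold, and alice's login has no preceding failures at all. The per-IP deque is what `<same_source_ip />` buys you: failures from one address never count toward a success from another.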
