Here I am again. I have a machine where the "big brother" stuff is being used to probe the sshd server. That generates, every 5 minutes, a message in /var/log/secure:

Jan 6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN

which triggers rule 5701 in the rules. 5701's match is "Bad protocol version identification", and it retaliates by trying to block the "UNKNOWN" IP in iptables... not cool. What I'd like to do is introduce a new rule that is more specific to this situation, <match>Bad protocol version identification 'quit' from UNKNOWN</match>, and only alarm if it's more frequent than 1 in 5 minutes. The existing 5701 should then kick in if there was no more specific match. How exactly (or even roughly) would this sort of thing be achieved?

murf
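One way to get the behaviour asked for above, written as an added example for this page (it is not from the original thread or from the OSSEC rule set): a child rule of 5701 with the more specific match, set low enough that active response does not fire, plus a composite rule that alerts only when that child repeats inside a 300-second window. The rule IDs 100101 and 100102 are arbitrary picks from the 100000-109999 range OSSEC reserves for local rules, the file location (local_rules.xml) and the level-6 active-response threshold are OSSEC defaults and should be checked against the local ossec.conf, and the description strings are made up for this example.

```xml
<!-- Added example, meant for /var/ossec/rules/local_rules.xml.
     Rule IDs 100101/100102 are arbitrary local IDs; adjust to taste. -->
<group name="local,syslog,sshd,">

  <!-- 1. More specific child of 5701. When 5701 matches, OSSEC walks its
          children and the matching child becomes the event's generated rule,
          so this rule supersedes 5701 for exactly this line and every other
          "Bad protocol version identification" line still hits 5701 as before.
          Level 1 stays below the default active-response threshold (level 6 in
          ossec.conf), so no firewall-drop is attempted against "UNKNOWN";
          no_log keeps the routine every-5-minutes event out of alerts.log.
          Do not use level 0 here: analysisd drops level-0 matches before
          recording them, so the if_matched_sid rule below could not see them. -->
  <rule id="100101" level="1">
    <if_sid>5701</if_sid>
    <match>Bad protocol version identification 'quit' from UNKNOWN</match>
    <options>no_log</options>
    <description>sshd probe from local monitoring ('quit' from UNKNOWN), expected once per 5 minutes.</description>
  </rule>

  <!-- 2. Composite rule: fire only if 100101 repeats within 300 seconds, i.e.
          more often than the expected one probe per 5 minutes. OSSEC's
          documented frequency count is not exactly the literal number, so
          confirm the trigger point with real lines before relying on it. -->
  <rule id="100102" level="8" frequency="2" timeframe="300">
    <if_matched_sid>100101</if_matched_sid>
    <description>Monitoring-style sshd probe ('quit' from UNKNOWN) arriving more often than once per 5 minutes.</description>
    <group>recon,</group>
  </rule>

</group>
```

To check the result without waiting for live traffic, paste the log line above into /var/ossec/bin/ossec-logtest: a single line should end at rule 100101 (level 1, no active response), a second copy within five minutes should end at 100102, and a line with a different payload or a real source address should still end at 5701 with its normal level.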
