On Fri, Jan 6, 2012 at 10:49 PM, murf <[email protected]> wrote:
> Here I am again. I have a machine where the "big brother" stuff is

People still use big brother?

> being used to probe the sshd server. That generates, every 5 minutes, a
> message in /var/log/secure:
>
> Jan 6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN
>
> Which triggers the 5701 rule in the rules. 5701's match is:
> "Bad Protocol version identification"
>
> and it retaliates by trying to block the "UNKNOWN" ip in iptables....
> not cool.
>
> What I'd like to do is intro a new rule that is more specific to this
> situation,
>
> <match>Bad protocol version identification 'quit' from UNKNOWN</match>
>
> and only alarm if it's more frequent than 1 in 5 minutes.
>
> The existing 5701 should then kick in if there was no more specific
> match.
>
> How exactly (or even roughly) would this sort of thing be achieved?
>
> murf

What do you have so far?

Untested:

    <!-- OSSEC rule ids must be numeric; 100000-119999 is the range reserved
         for local rules. 100100/100101 stand in for the STUFF placeholders. -->
    <rule id="100100" level="0">
      <if_sid>5701</if_sid>
      <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
      <description>Ignore from bb</description>
    </rule>

    <!-- A frequency/timeframe rule chains on if_matched_sid, not if_sid
         (an if_sid child would simply be the most specific match and fire
         every time). Per the OSSEC rules docs the rule fires on
         frequency + 2 matches within the timeframe, so frequency="0"
         means the second probe inside 300 seconds. -->
    <rule id="100101" level="7" frequency="0" timeframe="300">
      <if_matched_sid>100100</if_matched_sid>
      <description>More than 1 bb probe in 5 minutes</description>
    </rule>
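To see how the two-rule arrangement behaves before loading it into a real OSSEC, here is an added toy model of the matching the thread relies on: a `<match>` substring test, `<if_sid>` children overriding their parent, and an `<if_matched_sid>` composite rule counted over a timeframe. This is example code written for this thread, not OSSEC's analysisd, and it deliberately takes `frequency` literally (fires on the second match) instead of mirroring OSSEC's frequency + 2 convention. The stock 5700/5701 levels are as I recall them from sshd_rules.xml, the local ids 100100/100101 are arbitrary, and the four log lines are constructed for the demo.

```python
"""Toy model of OSSEC rule evaluation for the sshd 'Bad protocol version' case.

Added example, not OSSEC code. Only the pieces the thread uses are modelled:
<match> (substring, '$' anchor), <if_sid> child rules, and an <if_matched_sid>
composite rule with frequency/timeframe. Decoders are replaced by a root rule
that keys on "sshd[" in the raw line.
"""
from datetime import datetime, timedelta


class Rule:
    def __init__(self, rid, level, description, match=None, if_sid=None,
                 if_matched_sid=None, frequency=0, timeframe=0):
        self.id = rid
        self.level = level
        self.description = description
        self.match = match
        self.if_sid = if_sid
        self.if_matched_sid = if_matched_sid
        self.frequency = frequency          # literal count in this model
        self.timeframe = timeframe          # seconds

    def matches(self, line):
        """OSSEC <match> is a plain substring test; only '$' (end anchor) is modelled."""
        if self.match is None:
            return True
        if self.match.endswith("$"):
            return line.endswith(self.match[:-1])
        return self.match in line


# 5700/5701: stock sshd rules (levels as recalled, assumption).
# 100100/100101: the local rules proposed in the reply, with numeric ids.
RULES = [
    Rule(5700, 0, "SSHD messages grouped.", match="sshd["),
    Rule(5701, 8, "Possible attack on the ssh server (or version gathering).",
         match="Bad protocol version identification", if_sid=5700),
    Rule(100100, 0, "Ignore from bb",
         match="Bad protocol version identification 'quit' from UNKNOWN$",
         if_sid=5701),
    Rule(100101, 7, "More than 1 bb probe in 5 minutes",
         if_matched_sid=100100, frequency=2, timeframe=300),
]


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.history = {}   # rule id -> timestamps of earlier matches of that rule

    def _most_specific(self, rule, line):
        """Walk the if_sid tree: a matching child wins over its parent."""
        for child in self.rules:
            if child.if_sid == rule.id and child.matches(line):
                return self._most_specific(child, line)
        return rule

    def evaluate(self, ts, line):
        """Return the rule the line finally alerts on, or None if nothing matched."""
        fired = None
        for root in self.rules:
            if root.if_sid is None and root.if_matched_sid is None and root.matches(line):
                fired = self._most_specific(root, line)
                break
        if fired is None:
            return None
        # Composite rules: count earlier matches of fired.id inside the timeframe.
        # Boundary choice for this model: a match exactly `timeframe` seconds ago
        # does NOT count, so a probe repeating every 300 s stays at level 0.
        seen = self.history.setdefault(fired.id, [])
        seen.append(ts)
        for comp in self.rules:
            if comp.if_matched_sid == fired.id:
                recent = [t for t in seen if ts - t < timedelta(seconds=comp.timeframe)]
                if len(recent) >= comp.frequency:
                    return comp
        return fired


def parse_syslog_ts(line, year=2012):
    """Syslog lines carry no year; 2012 is assumed from the thread's date."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


# Constructed sample lines in /var/log/secure format (not taken from a real host).
SAMPLE_LOG = """\
Jan  6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN
Jan  6 21:22:10 sysname sshd[3580]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10
Jan  6 21:25:01 sysname sshd[3591]: Bad protocol version identification 'quit' from UNKNOWN
Jan  6 21:26:30 sysname sshd[3602]: Bad protocol version identification 'quit' from UNKNOWN
"""


def run(log=SAMPLE_LOG, rules=RULES):
    """Evaluate each line in order; returns a list of (rule id, level) per line."""
    engine = Engine(rules)
    results = []
    for line in log.splitlines():
        rule = engine.evaluate(parse_syslog_ts(line), line)
        results.append((rule.id, rule.level) if rule else None)
    return results


if __name__ == "__main__":
    for line, res in zip(SAMPLE_LOG.splitlines(), run()):
        print(res, line[16:])
```

Running it shows the intended split: the bb probe at 21:20:01 lands on 100100 (level 0, so no active response), the HTTP-looking garbage from 192.0.2.10 still falls through to 5701 at level 8, the probe at 21:25:01 is exactly 300 s after the first and stays at level 0, and only the extra probe at 21:26:30 raises 100101. Two things to verify on a real OSSEC before trusting this: the model counts `frequency` literally, whereas OSSEC fires on frequency + 2, and in my reading of analysisd a level-0 match is discarded before the event is stored for `if_matched_sid`, so the composite rule may never see 100100 at level 0; if so, raising 100100 to a low level under the active-response threshold (with `<options>no_log</options>` to keep it out of the alert log) is the workaround to test.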
