...except you'd use "if_matched_sid" (rather than "if_sid") in the STUFF1 rule, right?

On Jan 7, 2012, at 10:42 AM, dan (ddp) wrote:

> On Fri, Jan 6, 2012 at 10:49 PM, murf <[email protected]> wrote:
>> Here I am again. I have a machine where the "big brother" stuff is
>
> People still use big brother?
>
>> being used to probe the sshd server. That generates, every 5 minutes,
>> a message in /var/log/secure:
>>
>> Jan 6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN
>>
>> Which triggers the 5701 rule in the rules.
>> 5701's match is: "Bad Protocol version identification"
>>
>> and it retaliates by trying to block the "UNKNOWN" ip in iptables....
>> not cool.
>>
>> What I'd like to do is intro a new rule that is more specific to this
>> situation,
>>
>> <match>Bad protocol version identification 'quit' from UNKNOWN</match>
>>
>> and only alarm if it's more frequent than 1 in 5 minutes.
>>
>> The existing 5701 should then kick in if there was no more specific
>> match.
>>
>> How exactly (or even roughly) would this sort of thing be achieved?
>>
>> murf
>
> What do you have so far?
>
> Untested:
>
> <rule id="STUFF" level="0">
>   <if_sid>5701</if_sid>
>   <match>Bad protocol version identification 'quit' from UNKNOWN$</match>
>   <description>Ignore from bb</description>
> </rule>
>
> <rule id="STUFF1" level="7" frequency="0" timeframe="300">
>   <if_sid>STUFF</if_sid>
>   <description>More than 1 STUFF in 5 minutes</description>
> </rule>
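Added example, not code from the thread or from OSSEC itself: a small Python model of the rule chain sketched above, run over constructed sshd log lines so the behaviour of the three rules can be checked offline. It assumes a simplified version of OSSEC analysisd semantics: <match> is a substring test, a child rule (<if_sid>) that also matches replaces its parent as the event's rule, level 0 suppresses the alert, and a frequency rule (<if_matched_sid>, which is what the reply at the top of this message points out) fires once the referenced rule has matched frequency+2 times inside timeframe seconds, which is how the OSSEC rule-syntax documentation describes that threshold. The rule IDs 100100 and 100101 are assumed local-rule IDs standing in for STUFF and STUFF1, the level 8 on 5701 is the stock sshd rule's level, the timestamps and the 203.0.113.9 line are constructed, and clearing the counter after the frequency rule fires is a modelling choice, not documented OSSEC behaviour.

```python
"""Toy model of the OSSEC rule chain from the thread (added example, not OSSEC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    rid: int
    level: int
    description: str
    match: Optional[str] = None           # <match>: plain substring test (assumption)
    if_sid: Optional[int] = None          # <if_sid>: parent rule that must have matched
    if_matched_sid: Optional[int] = None  # <if_matched_sid>: rule whose hits are counted
    frequency: int = 0                    # frequency="N"
    timeframe: int = 0                    # timeframe="seconds"


# 5701 is the stock sshd rule the thread cites; 100100/100101 are assumed
# local-rule IDs standing in for dan's STUFF / STUFF1 placeholders.
RULES: List[Rule] = [
    Rule(5701, 8, "Possible attack on the ssh server (or version gathering).",
         match="Bad protocol version identification"),
    Rule(100100, 0, "Ignore Big Brother sshd probe",
         if_sid=5701,
         match="Bad protocol version identification 'quit' from UNKNOWN"),
    Rule(100101, 7, "More than one Big Brother sshd probe in 5 minutes",
         if_matched_sid=100100, frequency=0, timeframe=300),
]


class Engine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.seen: Dict[int, List[int]] = {}  # rule id -> timestamps of its matches

    def process(self, ts: int, line: str) -> Optional[Rule]:
        """Return the rule that applies to this line (or None if nothing matched)."""
        # 1. top-level rules: first substring hit wins
        hit = next((r for r in self.rules
                    if r.if_sid is None and r.if_matched_sid is None
                    and r.match and r.match in line), None)
        if hit is None:
            return None
        # 2. a child rule with a more specific <match> replaces its parent
        for child in self.rules:
            if child.if_sid == hit.rid and child.match and child.match in line:
                hit = child
                break
        self.seen.setdefault(hit.rid, []).append(ts)
        # 3. frequency rules counting the rule that just matched; the OSSEC docs
        #    describe the trigger as frequency + 2 matches within timeframe
        for freq in self.rules:
            if freq.if_matched_sid != hit.rid:
                continue
            window = [t for t in self.seen[hit.rid] if ts - t < freq.timeframe]
            self.seen[hit.rid] = window
            if len(window) >= freq.frequency + 2:
                self.seen[hit.rid] = []  # modelling choice: reset after firing
                return freq
        return hit


# Constructed sample events (seconds since start, log line); not from the thread's host.
# Big Brother probes every ~5 minutes, then one extra probe, then a real version probe.
EVENTS: List[Tuple[int, str]] = [
    (0,   "Jan  6 21:20:01 sysname sshd[3567]: Bad protocol version identification 'quit' from UNKNOWN"),
    (301, "Jan  6 21:25:02 sysname sshd[3571]: Bad protocol version identification 'quit' from UNKNOWN"),
    (602, "Jan  6 21:30:03 sysname sshd[3580]: Bad protocol version identification 'quit' from UNKNOWN"),
    (700, "Jan  6 21:31:41 sysname sshd[3584]: Bad protocol version identification 'quit' from UNKNOWN"),
    (800, "Jan  6 21:33:21 sysname sshd[3590]: Bad protocol version identification '\\x16\\x03\\x01' from 203.0.113.9"),
]


def run(events: List[Tuple[int, str]]) -> List[Tuple[int, int, int]]:
    """Feed events through the engine; return (ts, rule id, level) for alerts above level 0."""
    eng = Engine(RULES)
    alerts = []
    for ts, line in events:
        hit = eng.process(ts, line)
        if hit is not None and hit.level > 0:
            alerts.append((ts, hit.rid, hit.level))
    return alerts


if __name__ == "__main__":
    for ts, rid, level in run(EVENTS):
        print(f"t={ts:4d}  rule {rid}  level {level}")
```

The regular five-minute probes produce no alert at all (level 0), the fourth 'quit' line, which lands 98 seconds after the previous one, fires the frequency rule at level 7, and the line from 203.0.113.9 does not match the specific child rule, so it falls through to 5701 at level 8, which is the fallback murf asked for.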
