Changes should probably be sent to the dev mailing list, but this list is
fine in a pinch.
On Sep 21, 2012 8:32 AM, "Juergen Kahnert" <[email protected]> wrote:

> Hi,
>
> where to send unexpected or faulty behaviour of default rules?
>
> For example having a running SSH scan against one host and on another
> host someone installs a package which needs a new group:
>
> Sep 21 14:11:00 loginhost sshd[14364]: pam_krb5(sshd:auth): authentication failure; logname=jinji uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:03 loginhost sshd[14368]: pam_krb5(sshd:auth): authentication failure; logname=sato uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:08 loginhost sshd[14370]: pam_krb5(sshd:auth): authentication failure; logname=ida uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:11 loginhost sshd[14372]: pam_krb5(sshd:auth): authentication failure; logname=asano uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:16 loginhost sshd[14417]: pam_krb5(sshd:auth): authentication failure; logname=otsuka uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:20 loginhost sshd[14420]: pam_krb5(sshd:auth): authentication failure; logname=suganuma uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:23 loginhost sshd[14426]: pam_krb5(sshd:auth): authentication failure; logname=h-miki uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:27 loginhost sshd[14428]: pam_krb5(sshd:auth): authentication failure; logname=kita uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:31 loginhost sshd[14430]: pam_krb5(sshd:auth): authentication failure; logname=tarui uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:35 loginhost sshd[14432]: pam_krb5(sshd:auth): authentication failure; logname=ykona uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:39 loginhost sshd[14438]: pam_krb5(sshd:auth): authentication failure; logname=maju uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:43 loginhost sshd[14442]: pam_krb5(sshd:auth): authentication failure; logname=eunioo uid=0 euid=0 tty=ssh ruser= rhost=example.com
> Sep 21 14:11:54 desktop01 groupadd[10578]: new group: name=winbindd_priv, GID=118
>
> This fires a level 15 alarm:
> Rule: 40501 (level 15) -> 'Attacks followed by the addition of an user.'
>
> Isn't there a <same_location /> missing in rule 40501?
>
> There are many other rules / decoders which need some tweaking.
>
> Sincerely,
>
>     Jürgen Kahnert
>
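As an added example (not from the thread above and not OSSEC's own rule engine), here is a small Python model of the composite-rule behaviour the message describes, run over a trimmed copy of the quoted log: without a same-host constraint the groupadd on desktop01 is correlated with the sshd failures on loginhost and an alert fires; with the constraint it does not. The frequency, timeframe and the year appended to the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: four of the sshd failures on loginhost and the
# groupadd on desktop01 from the quoted message (email wrapping removed).
SAMPLE_LOG = """\
Sep 21 14:11:00 loginhost sshd[14364]: pam_krb5(sshd:auth): authentication failure; logname=jinji uid=0 euid=0 tty=ssh ruser= rhost=example.com
Sep 21 14:11:03 loginhost sshd[14368]: pam_krb5(sshd:auth): authentication failure; logname=sato uid=0 euid=0 tty=ssh ruser= rhost=example.com
Sep 21 14:11:08 loginhost sshd[14370]: pam_krb5(sshd:auth): authentication failure; logname=ida uid=0 euid=0 tty=ssh ruser= rhost=example.com
Sep 21 14:11:11 loginhost sshd[14372]: pam_krb5(sshd:auth): authentication failure; logname=asano uid=0 euid=0 tty=ssh ruser= rhost=example.com
Sep 21 14:11:54 desktop01 groupadd[10578]: new group: name=winbindd_priv, GID=118
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)

def parse(line):
    """Return (timestamp, host, program, message) or None for an unmatched line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog omits the year; 2012 is assumed here from the message date.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2012)
    return ts, m["host"], m["prog"], m["msg"]

def correlate(log, frequency=3, timeframe=120, same_location=False):
    """Simplified composite rule: a 'new group' event raises an alert when at
    least `frequency` sshd authentication failures occurred in the preceding
    `timeframe` seconds. With same_location=True the failures must have been
    logged by the same host as the groupadd; otherwise any host counts."""
    failures = defaultdict(deque)  # host -> timestamps of its auth failures
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, host, prog, msg = ev
        if prog == "sshd" and "authentication failure" in msg:
            failures[host].append(ts)
        elif prog == "groupadd" and msg.startswith("new group:"):
            hosts = [host] if same_location else list(failures)
            recent = sum(1 for h in hosts for t in failures[h]
                         if 0 <= (ts - t).total_seconds() <= timeframe)
            if recent >= frequency:
                alerts.append((host, recent))
    return alerts
```

With the defaults above `correlate(SAMPLE_LOG)` reports the desktop01 groupadd with four preceding failures (all on loginhost), while `correlate(SAMPLE_LOG, same_location=True)` reports nothing.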