On Thu, Oct 11, 2012 at 3:47 PM, Carlos Palacios
<[email protected]> wrote:
> Can you give me some insight on how to achieve more, with some reference
> manual, or an example you have already done? ... In any case, thanks for the
> support.
>
> Regards.
>

I feel like I do this about every week.


log message: Oct 11 12:51:09 web-jmv sshd[24268]: Failed none for
www-data from 10.16.1.3 port 52567 ssh2

ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Oct 11 12:51:09 web-jmv sshd[24268]: Failed none
for www-data from 10.16.1.3 port 52567 ssh2'
       hostname: 'web-jmv'
       program_name: 'sshd'
       log: 'Failed none for www-data from 10.16.1.3 port 52567 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'www-data'
       srcip: '10.16.1.3'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
       Description: 'SSHD authentication failed.'
**Alert to be generated.

Add this to local_rules.xml:
  <rule id="110007" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.16.1.3</srcip>
    <user>www-data</user>
    <match>^Failed none for</match>
    <description>Normal behavior</description>
  </rule>


Retest:
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Oct 11 12:51:09 web-jmv sshd[24268]: Failed none
for www-data from 10.16.1.3 port 52567 ssh2'
       hostname: 'web-jmv'
       program_name: 'sshd'
       log: 'Failed none for www-data from 10.16.1.3 port 52567 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'www-data'
       srcip: '10.16.1.3'

**Phase 3: Completed filtering (rules).
       Rule id: '110007'
       Level: '0'
       Description: 'Normal behavior'



> 2012/10/11 dan (ddp) <[email protected]>
>
>> Write a rule to put this log message at a lower level. Use
>> ossec-logtest to help you.
>
>
>
>
> --
> _________________________________
>
> http://www.esin.net.ve
> Carlos Palacios
> Linux User# 395648
> Free Software Consultant
> tel: 0416-6.18.35.68
> Specialist in Networks and Debian Linux
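The logic the thread walks through (pre-decode the syslog line, decode the sshd fields, match the stock rule, then let the more specific child rule with if_sid override its level) can be reproduced in a few lines of Python. The following is an added example, not code from dan's reply or from OSSEC itself: the regexes are a simplified stand-in for the real sshd decoder and for rule 5716 (whose actual match pattern is broader), and the two extra sample log lines are constructed to show that the level-0 override only silences the exact srcip/user combination it names, while the same "Failed none" from another address and a "Failed password" from the same address still alert at level 5.

```python
import re

# Constructed samples: the line from the thread plus two variants that the
# level-0 rule must NOT swallow (different source IP; different failure type).
SAMPLE_LOGS = [
    "Oct 11 12:51:09 web-jmv sshd[24268]: Failed none for www-data from 10.16.1.3 port 52567 ssh2",
    "Oct 11 12:51:10 web-jmv sshd[24268]: Failed none for www-data from 203.0.113.7 port 40001 ssh2",
    "Oct 11 12:51:11 web-jmv sshd[24268]: Failed password for www-data from 10.16.1.3 port 52568 ssh2",
]

# Phase 1 stand-in: syslog header -> hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Phase 2 stand-in for the sshd decoder: extracts dstuser and srcip.
SSHD_FAILED_RE = re.compile(
    r"^Failed \S+ for (?:invalid user )?(?P<dstuser>\S+) from (?P<srcip>\S+) port \d+"
)

# Phase 3 rule table. Keys mirror the XML elements from the thread; the
# parent rule's match pattern is simplified relative to the stock 5716.
RULES = [
    {"id": 5716, "level": 5, "if_sid": None,
     "match": r"^Failed \S+ for", "description": "SSHD authentication failed."},
    {"id": 110007, "level": 0, "if_sid": 5716,
     "srcip": "10.16.1.3", "user": "www-data",
     "match": r"^Failed none for", "description": "Normal behavior"},
]


def predecode(line):
    """Phase 1: split the syslog header off the message body."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def decode(event):
    """Phase 2: populate dstuser/srcip for sshd failures."""
    if event["program_name"] == "sshd":
        m = SSHD_FAILED_RE.match(event["log"])
        if m:
            event.update(decoder="sshd", dstuser=m["dstuser"], srcip=m["srcip"])
    return event


def rule_matches(rule, event):
    """Every field a rule specifies must agree with the decoded event."""
    if rule.get("match") and not re.search(rule["match"], event["log"]):
        return False
    if rule.get("srcip") and event.get("srcip") != rule["srcip"]:
        return False
    if rule.get("user") and event.get("dstuser") != rule["user"]:
        return False
    return True


def evaluate(line):
    """Phase 3: top-level rules first, then children (if_sid) of the winner.
    The most specific matching rule decides the level; level 0 means no alert."""
    event = predecode(line)
    if event is None:
        return {"rule_id": None, "level": 0, "alert": False, "description": "no match"}
    event = decode(event)
    winner = None
    for rule in RULES:
        if rule["if_sid"] is None and rule_matches(rule, event):
            winner = rule
    if winner is not None:
        for rule in RULES:
            if rule["if_sid"] == winner["id"] and rule_matches(rule, event):
                winner = rule
    if winner is None:
        return {"rule_id": None, "level": 0, "alert": False, "description": "no match"}
    return {"rule_id": winner["id"], "level": winner["level"],
            "alert": winner["level"] > 0, "description": winner["description"]}


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        r = evaluate(raw)
        print(f"rule {r['rule_id']} level {r['level']} alert={r['alert']}: {raw}")
```

Running it shows the first line ending on rule 110007 at level 0 (no alert), exactly as the retest in the thread does, while the other two lines still end on 5716 at level 5. That asymmetry is the point of putting srcip and user into the override instead of matching only on "Failed none": the noise from one known host is suppressed without hiding the same message from anywhere else.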
