Thank you very much for your information. The logs are showing as coming from the correct source, but I didn't know if OSSEC was treating them correctly. Below is the main example that I've come across. This is also true for the Windows multiple failed logins. It's correlating 2 different servers and 2 different user names together, and then the final alert info only shows the latest. Does this look right to you?
------------------------------------------------------------------------
Level:10 - Multiple SSHD authentication failures.
Rule Id: 5720
Location: vm1->/var/log/secure
Src IP: 192.168.1.1
User: user1
Sep 16 13:53:01 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:36 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:59 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:34 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:55:29 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:20 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:18 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:15 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
------------------------------------------------------------------------

I have also tried the open source version of AlienVault, but from everything I read about it, and after doing a small POC, I didn't think it could handle the events per second we needed.

On Monday, September 16, 2013 3:39:20 PM UTC-4, Michael Starks wrote:
>
> On 16.09.2013 14:04, Eric wrote:
> > ...
> >
> > My main fear is since I'm not
> > using OSSEC's agent portion of it, it looks like the only agent is
> > localhost and is therefore going to combine a lot of the traffic we
> > see into 1 big alert. If I get login failures from server1 and
> > server2, it will treat this as the same source and correlate it a lot
> > faster than it would if it treated them as separate servers.
>
> I have layered OSSEC on top of an existing syslog server in several
> environments. As long as the log messages themselves don't look like
> they are all coming from the same place, OSSEC will see them as separate
> systems. The hostname portion of the syslog is extracted like any other
> field, so it will work.
>
> By not using agents, you will lose some functionality; namely, active
> response, integrity checking and rootkit detection.
>
> If you're looking for SIEM-like functionality (asset valuation, etc),
> try the solution from AlienVault. OSSEC is deeply integrated into their
> solution and they have contributed back to OSSEC.
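As an added illustration (not part of the thread, and not OSSEC's own code), the script below parses the eight sshd lines from the alert above, extracts the syslog hostname, user and source IP from each, and counts failures inside a sliding time window two ways: with every line in one bucket, as Eric fears would happen if all traffic looked like it came from localhost, and grouped per source host. The regex, function names, the threshold of 8 and the 360-second window are assumptions chosen for illustration, not OSSEC's actual configuration for rule 5720.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight sshd lines from the alert in the thread above,
# in the order OSSEC printed them (newest first).
SAMPLE_LOG = """\
Sep 16 13:53:01 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:36 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:59 vm1 sshd[25275]: Failed password for user1 from 192.168.1.1 port 1344 ssh2
Sep 16 13:55:34 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:55:29 server2 sshd[13616]: Failed password for joe from 10.2.2.2 port 1342 ssh2
Sep 16 13:52:20 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:18 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
Sep 16 13:52:15 vm1 sshd[25271]: Failed password for user1 from 192.168.1.1 port 1327 ssh2
"""

# BSD-syslog header (timestamp, hostname) followed by the sshd failure message.
# The hostname field is what lets a syslog collector tell vm1 from server2.
FAILED_PW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2013):
    """Extract ts/host/user/src from each 'Failed password' line, oldest first.
    The syslog timestamp carries no year, so one is supplied (assumed 2013)."""
    events = []
    for line in text.splitlines():
        m = FAILED_PW_RE.match(line)
        if not m:
            continue  # not an sshd failure line; a real decoder would route it elsewhere
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def max_in_window(events, key_fields, timeframe=360):
    """Group events by the chosen fields and return, per group, the largest
    number of events that fall inside any `timeframe`-second window.
    key_fields=() puts every event in one group, i.e. correlation that
    ignores which host the log came from."""
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e[f] for f in key_fields)].append(e["ts"])
    result = {}
    for key, stamps in groups.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[start] > timedelta(seconds=timeframe):
                start += 1
            best = max(best, end - start + 1)
        result[key] = best
    return result


def would_fire(events, key_fields, threshold=8, timeframe=360):
    """Groups whose window count reaches the threshold. Threshold and timeframe
    are illustrative values (assumed), not OSSEC's settings for rule 5720."""
    return {k: n for k, n in max_in_window(events, key_fields, timeframe).items()
            if n >= threshold}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("all events in one bucket:", max_in_window(ev, ()))
    print("per source host:         ", max_in_window(ev, ("host",)))
    print("per host+src+user:       ", max_in_window(ev, ("host", "src", "user")))
    print("fires ignoring host:     ", would_fire(ev, ()))
    print("fires per host:          ", would_fire(ev, ("host",)))
```

With the eight sample lines, the single-bucket count reaches 8 within the assumed window while the per-host counts are 5 for vm1 and 3 for server2, so a threshold of 8 trips only when the host field is ignored. Checking the hostname each collected line actually carries, as in this parser, is the quick way to confirm that a collector setup is not flattening several servers into one source.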
