Hello, I found that one of our log lines of the form

    Apr 7 11:17:09 localhost sshd[24580]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.230

was triggering rule 2502 but it wasn't picking up the IP address, so I added a decoder to local_decoder.xml:

    <!-- Add IP address for rule 2502 -->
    <decoder name="ssh-more-authentication-failures">
      <parent>sshd</parent>
      <prematch offset="after_parent">PAM \d+ more authentication failures</prematch>
      <regex offset="after_prematch">rhost=(\S+)</regex>
      <order>srcip</order>
    </decoder>

which seems to work. Just in case anyone else finds it useful. My system is Ubuntu 12 LTS. I'm new to OSSEC, so I'm sure this can be improved.

By the way, I followed http://www.amazon.co.uk/Instant-Host-based-Intrusion-Detection-System/dp/1782167641/ which is great, giving you just enough info to get going without swamping you.

Oliver
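To show why the decoder above yields a srcip, here is an added walk-through (not from the original post or from OSSEC itself) that emulates the decoder pipeline in Python: match the parent by program name, apply the prematch after the parent, apply the regex after the prematch, then map capture groups onto the order fields. The syslog header regex and the OSSEC-to-Python regex translation are simplifying assumptions, and the second sample line is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The decoder from the post, embedded verbatim.
DECODER_XML = """<decoder name="ssh-more-authentication-failures">
  <parent>sshd</parent>
  <prematch offset="after_parent">PAM \\d+ more authentication failures</prematch>
  <regex offset="after_prematch">rhost=(\\S+)</regex>
  <order>srcip</order>
</decoder>"""

# Sample input: the line from the post plus a constructed sshd line that
# must NOT match, so the decoder does not fire on unrelated sshd events.
SAMPLE_LINES = [
    "Apr 7 11:17:09 localhost sshd[24580]: PAM 5 more authentication failures; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.230",
    "Apr 7 11:18:02 localhost sshd[24590]: Accepted publickey for ops from 10.0.0.5 port 5022 ssh2",
]

# Assumed syslog header layout: timestamp, host, program[pid]: message.
# The parent decoder (sshd) matches on the program name; the message body
# is what "offset=after_parent" starts from.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(\[\d+\])?: (?P<msg>.*)$")

def ossec_to_python(pattern):
    """Approximate OSSEC regex -> Python re (assumption: only '\\.' as
    any-char and a literal '.' differ among the escapes used here)."""
    return pattern.replace(".", r"\.").replace(r"\\.", ".")

def decode(line, decoder_xml=DECODER_XML):
    """Return {decoder name, order fields...} or None if the line does not decode."""
    dec = ET.fromstring(decoder_xml)
    hdr = SYSLOG_RE.match(line)
    if not hdr or hdr.group("prog") != dec.findtext("parent"):
        return None                                   # parent decoder did not match
    rest = hdr.group("msg")                           # offset="after_parent"
    pre = re.search(ossec_to_python(dec.findtext("prematch")), rest)
    if not pre:
        return None                                   # prematch failed
    rest = rest[pre.end():]                           # offset="after_prematch"
    m = re.search(ossec_to_python(dec.findtext("regex")), rest)
    if not m:
        return None
    fields = [f.strip() for f in dec.findtext("order").split(",")]
    return {"decoder": dec.get("name"), **dict(zip(fields, m.groups()))}

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(decode(ln))
```

On a real install the authoritative check is to paste the log line into /var/ossec/bin/ossec-logtest and confirm that srcip appears in the decoded output before relying on it for active response.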
