Hi team,

I would like to share these simple rules for authentication failures in
Joomla 3.x (default configuration).

If you have any comments, let me know :)

local_decoder.xml

<!-- Custom Decoder -->
<!-- Joomla 3.x error log line: ISO 8601 timestamp, TAB, priority, TAB,
     category, TAB, message. OSSEC \w matches the 'T' separator and \p
     (punctuation) matches the sign of the UTC offset. -->
<decoder name="joomla">
  <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
</decoder>

<!-- After the timestamp: TAB, priority (extra_data), TAB, category (status) -->
<decoder name="joomla-failure">
  <parent>joomla</parent>
  <prematch offset="after_parent">^\t</prematch>
  <regex offset="after_prematch">(\w+)\t(\w+)</regex>
  <order>extra_data,status</order>
</decoder>

local_rules.xml


<rule id="100100" level="0">
<decoded_as>joomla</decoded_as>
<description>joomla messages grouped.</description>
</rule>

<rule id="100101" level="2">
<if_sid>100100</if_sid>
<extra_data>INFO</extra_data>
<description>Joomla Info Events</description>
</rule>


<rule id="100102" level="5">
  <if_sid>100101</if_sid>
  <status>joomlafailure</status>
  <match>Username and password do not match</match>
  <description>Joomla authentication failed (admin zone).</description>
  <group>authentication_failed,</group>
</rule>


<rule id="100103" level="10" frequency="3" timeframe="120" ignore="60">
  <if_matched_sid>100102</if_matched_sid>
  <description>Multiple Joomla authentication failures (admin zone).</description>
  <group>authentication_failures,</group>
</rule>


-------
logtest:


**Phase 1: Completed pre-decoding.
       full event: '2014-09-15T08:32:13+00:00    INFO    joomlafailure
Username and password do not match or you do not have an account yet.'
       hostname: 'test'
       program_name: '(null)'
       log: '2014-09-15T08:32:13+00:00    INFO    joomlafailure    Username
and password do not match or you do not have an account yet.'

**Phase 2: Completed decoding.
       decoder: 'joomla'
       extra_data: 'INFO'
       status: 'joomlafailure'

**Phase 3: Completed filtering (rules).
       Rule id: '100103'
       Level: '10'
       Description: 'Multiple Joomla authentication failures (admin zone).'

---




-- 
Diego Subero
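The decoder and rule chain above can be exercised offline against a handful of log lines. The script below is an added example, not part of the original post and not OSSEC code: it translates the two decoder regexes into Python (OSSEC's `\w` is `[A-Za-z0-9_]`, `\p` is its punctuation class, which includes the `+`/`-` of the UTC offset) and walks rules 100100 through 100103 for each event. The sample lines are constructed in the layout Joomla 3.x writes to its error log; the sshd line is there only to show the decoder not firing. Two assumptions are made for the correlation: `frequency="3"` is emulated as "the third 100102 hit inside the 120 s window fires 100103", and the failure counter is cleared when the alert fires. Confirm the exact event count at which your OSSEC version fires a frequency rule with ossec-logtest rather than taking it from this script.

```python
"""Offline emulation of the OSSEC decoders and rules 100100-100103 for Joomla.

Added example: not part of the original post and not OSSEC code.
"""
import re
from datetime import datetime, timedelta

# Decoder "joomla": OSSEC \w is [A-Za-z0-9_] (matches the 'T'), \p is a
# punctuation class that includes '+' and '-' (the UTC offset sign).
PREMATCH = re.compile(
    r"^\d{4}-\d\d-\d\d\w\d\d:\d\d:\d\d[()*+,.:;<=>?\[\]!\"'#$%&|{}-]\d\d:\d\d"
)
# Decoder "joomla-failure": after the parent match, a tab, then two
# \w+ fields separated by a tab, stored as extra_data and status.
FIELDS = re.compile(r"^\t(\w+)\t(\w+)")

MATCH_100102 = "Username and password do not match"
FREQUENCY, TIMEFRAME, IGNORE = 3, 120, 60  # attributes of rule 100103


def decode(line):
    """Emulate the decoders: None if 'joomla' does not prematch, else a dict."""
    m = PREMATCH.match(line)
    if not m:
        return None
    fields = {"decoder": "joomla"}
    f = FIELDS.match(line[m.end():])
    if f:
        fields["extra_data"], fields["status"] = f.group(1), f.group(2)
    return fields


class JoomlaRules:
    """Walk rules 100100 -> 100101 -> 100102 -> 100103 for each event."""

    def __init__(self):
        self.failures = []      # timestamps of 100102 hits (frequency window)
        self.last_alert = None  # when 100103 last fired (ignore window)

    def evaluate(self, line):
        """Return (rule_id, level) for one line, or None if not a joomla event."""
        fields = decode(line)
        if fields is None:
            return None
        rule, level = 100100, 0
        if fields.get("extra_data") != "INFO":
            return rule, level
        rule, level = 100101, 2
        if fields.get("status") != "joomlafailure" or MATCH_100102 not in line:
            return rule, level
        rule, level = 100102, 5
        # Rule 100103 (assumption): the FREQUENCY-th 100102 hit inside TIMEFRAME
        # seconds fires it; after firing, the counter resets and further hits
        # are suppressed for IGNORE seconds.
        ts = datetime.fromisoformat(line[:25])
        self.failures = [t for t in self.failures
                         if ts - t <= timedelta(seconds=TIMEFRAME)] + [ts]
        if len(self.failures) >= FREQUENCY:
            if (self.last_alert is None
                    or ts - self.last_alert > timedelta(seconds=IGNORE)):
                self.last_alert = ts
                self.failures = []
                return 100103, 10
        return rule, level


FAIL_MSG = "Username and password do not match or you do not have an account yet."
# Constructed sample lines (not from a real install): tab-separated
# timestamp, priority, category, message as Joomla 3.x logs them.
SAMPLE = [
    "2014-09-15T08:32:13+00:00\tINFO\tjoomlafailure\t" + FAIL_MSG,
    "2014-09-15T08:32:20+00:00\tINFO\tjoomlafailure\t" + FAIL_MSG,
    "2014-09-15T08:32:31+00:00\tINFO\tjoomla\tSome other informational message",
    "2014-09-15T08:32:45+00:00\tINFO\tjoomlafailure\t" + FAIL_MSG,  # 3rd in 120 s
    "2014-09-15T09:10:00+00:00\tINFO\tjoomlafailure\t" + FAIL_MSG,  # window expired
    "Sep 15 08:33:00 host sshd[1]: Failed password for root",       # not joomla
]


def run(lines=SAMPLE):
    """Return the (rule_id, level) decision for each line, in order."""
    engine = JoomlaRules()
    return [engine.evaluate(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, run()):
        print(verdict, line[:45])
```

Run it as a script to see each line's verdict: the first two failures stop at 100102 (level 5), the plain INFO line stops at 100101, the third failure within the window escalates to 100103 (level 10), the failure 38 minutes later is back at level 5, and the sshd line is not decoded at all. Swapping in lines from your own error log is the quickest way to see whether the `\t` separators survive your log shipping path, which is what the decoder depends on.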

You received this message because you are subscribed to the Google Groups
"ossec-list" group.