On Thu, Sep 18, 2014 at 12:50 PM, diego subero <[email protected]> wrote: > HI team, > > I would like to share these simple rules for authentication failures in > joomla 3.x (default configuration). > > if you have a comments let me know :) > > local_decorder.xml > > <!-- Custom Decoder --> > <decoder name="joomla"> > <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d</prematch> > </decoder> > > <decoder name="joomla-failure"> > <parent>joomla</parent> > <prematch offset="after_parent">^\t</prematch> > <regex offset="after_prematch">(\w+)\t(\w+)</regex> > <order>extra_data,status</order> > </decoder> > > local_rules.xml > > > <rule id="100100" level="0"> > <decoded_as>joomla</decoded_as> > <description>joomla messages grouped.</description> > </rule> > > <rule id="100101" level="2"> > <if_sid>100100</if_sid> > <extra_data>INFO</extra_data> > <description>Joomla Info Events</description> > </rule> > > > <rule id="100102" level="5"> > <if_sid>100101</if_sid> > <status>joomlafailure</status> > <match>Username and password do not match</match> > <description>Joomla authentication failed (admin zone).</description> > <group>authentication_failed,</group> > > > <rule id="100103" level="10" frequency="3" timeframe="120" ignore="60"> > <if_matched_sid>100102</if_matched_sid> > <description>Multiple Joomla authentication failures (admin > zone).</descripti$ > <group>authentication_failures,</group> > </rule> > > > ------- > logtest: > > > **Phase 1: Completed pre-decoding. > full event: '2014-09-15T08:32:13+00:00 INFO joomlafailure > Username and password do not match or you do not have an account yet.' > hostname: 'test' > program_name: '(null)' > log: '2014-09-15T08:32:13+00:00 INFO joomlafailure Username > and password do not match or you do not have an account yet.' > > **Phase 2: Completed decoding. > decoder: 'joomla' > extra_data: 'INFO' > status: 'joomlafailure' > > **Phase 3: Completed filtering (rules). > Rule id: '100103' > Level: '10' > Description: 'Multiple Joomla authentication failures (admin zone).' > > --- >
Could you setup an account on github, clone the ossec repository (https://github.com/ossec/ossec-hids), add your changes, and submit a pull request? A few more log samples would be great too! If that's too much trouble, I can do it. Just let me know! > > > > -- > Diego Subero > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
