Of course Dan, let me try to do more rules, but the default log for Joomla doesn't have a lot of information. But I will work on this.
:)

On Friday, 19 September 2014 09:20:57 UTC-4, dan (ddpbsd) wrote:

> On Thu, Sep 18, 2014 at 12:50 PM, diego subero <[email protected]> wrote:
> > Hi team,
> >
> > I would like to share these simple rules for authentication failures in
> > Joomla 3.x (default configuration).
> >
> > If you have any comments, let me know :)
> >
> > local_decoder.xml
> >
> > <!-- Custom Decoder -->
> > <decoder name="joomla">
> >   <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
> > </decoder>
> >
> > <decoder name="joomla-failure">
> >   <parent>joomla</parent>
> >   <prematch offset="after_parent">^\t</prematch>
> >   <regex offset="after_prematch">(\w+)\t(\w+)</regex>
> >   <order>extra_data,status</order>
> > </decoder>
> >
> > local_rules.xml
> >
> > <rule id="100100" level="0">
> >   <decoded_as>joomla</decoded_as>
> >   <description>joomla messages grouped.</description>
> > </rule>
> >
> > <rule id="100101" level="2">
> >   <if_sid>100100</if_sid>
> >   <extra_data>INFO</extra_data>
> >   <description>Joomla Info Events</description>
> > </rule>
> >
> > <rule id="100102" level="5">
> >   <if_sid>100101</if_sid>
> >   <status>joomlafailure</status>
> >   <match>Username and password do not match</match>
> >   <description>Joomla authentication failed (admin zone).</description>
> >   <group>authentication_failed,</group>
> > </rule>
> >
> > <rule id="100103" level="10" frequency="3" timeframe="120" ignore="60">
> >   <if_matched_sid>100102</if_matched_sid>
> >   <description>Multiple Joomla authentication failures (admin zone).</description>
> >   <group>authentication_failures,</group>
> > </rule>
> >
> > -------
> > logtest:
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2014-09-15T08:32:13+00:00 INFO joomlafailure Username and password do not match or you do not have an account yet.'
> >        hostname: 'test'
> >        program_name: '(null)'
> >        log: '2014-09-15T08:32:13+00:00 INFO joomlafailure Username and password do not match or you do not have an account yet.'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'joomla'
> >        extra_data: 'INFO'
> >        status: 'joomlafailure'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100103'
> >        Level: '10'
> >        Description: 'Multiple Joomla authentication failures (admin zone).'
> >
> > ---
>
> Could you set up an account on GitHub, clone the ossec repository
> (https://github.com/ossec/ossec-hids), add your changes, and submit a
> pull request? A few more log samples would be great too!
> If that's too much trouble, I can do it. Just let me know!
>
> > --
> > Diego Subero

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
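The decoder and rule chain from the quoted message, modelled in Python as an added example (this is not code from the thread or from OSSEC): it applies the same prematch and field regexes to constructed Joomla log lines, walks rules 100100 to 100102, and approximates the frequency="3" timeframe="120" ignore="60" behaviour of rule 100103. It assumes Joomla's log fields are tab-separated, as the decoder's `\t` prematch implies, and the correlation logic is a simplified model rather than OSSEC's actual implementation.

```python
import re
from datetime import datetime, timedelta
# OSSEC regex -> Python: \w is alphanumeric/underscore, \p is punctuation (the "+" of the zone), \t a tab.
PREMATCH = re.compile(r"^\d{4}-\d\d-\d\d\w\d\d:\d\d:\d\d[+-]\d\d:\d\d")
FIELDS = re.compile(r"^\t(\w+)\t(\w+)")  # <order>extra_data,status</order>

def decode(line):
    """Decoder 'joomla' plus child 'joomla-failure'; None if the line is not Joomla's."""
    m = PREMATCH.match(line)
    if not m:
        return None
    f = FIELDS.match(line[m.end():])  # offset="after_parent"
    if not f:
        return {"decoder": "joomla"}
    return {"decoder": "joomla", "extra_data": f.group(1), "status": f.group(2)}

def match_rules(line):
    """Walk 100100 -> 100101 -> 100102 and return the most specific sid that matches."""
    d = decode(line)
    if d is None:
        return None
    sid = 100100                                   # <decoded_as>joomla</decoded_as>
    if d.get("extra_data") == "INFO":
        sid = 100101                               # <extra_data>INFO</extra_data>
        if d.get("status") == "joomlafailure" and "Username and password do not match" in line:
            sid = 100102                           # <status> + <match> of rule 100102
    return sid

def correlate(lines, frequency=3, timeframe=120, ignore=60):
    """Simplified model of rule 100103 (if_matched_sid=100102): fire when `frequency` hits
    fall within `timeframe` seconds, then do not re-fire for `ignore` seconds."""
    hits, quiet_until, out = [], None, []
    for line in lines:
        sid = match_rules(line)
        if sid == 100102:
            ts = datetime.fromisoformat(line[:25])  # the timestamp the prematch consumed
            hits = [h for h in hits if ts - h <= timedelta(seconds=timeframe)] + [ts]
            if len(hits) >= frequency and (quiet_until is None or ts >= quiet_until):
                sid, hits, quiet_until = 100103, [], ts + timedelta(seconds=ignore)
        out.append(sid)
    return out

FAIL = "\tINFO\tjoomlafailure\tUsername and password do not match or you do not have an account yet."
SAMPLE = [  # constructed sample lines in the tab-separated layout the decoder expects
    "2014-09-15T08:32:13+00:00" + FAIL,
    "2014-09-15T08:32:40+00:00" + FAIL,
    "2014-09-15T08:33:05+00:00" + FAIL,  # third hit within 120 s -> 100103
    "2014-09-15T08:40:00+00:00" + FAIL,  # new window -> back to 100102
]
```

Running `correlate(SAMPLE)` yields one sid per line, so you can see where the correlation rule would fire before loading the XML into a real OSSEC instance and repeating the check with ossec-logtest.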
