On Fri, Sep 19, 2014 at 11:08 AM, cracksub <[email protected]> wrote:
> Of course Dan, let me try to do more rules, but the default log for Joomla
> doesn't have a lot of information.
> But I will work on this.
>
> :)

Much appreciated! Let me know if you need any assistance.

> On Friday, 19 September 2014 09:20:57 UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 18, 2014 at 12:50 PM, diego subero <[email protected]>
>> wrote:
>> > Hi team,
>> >
>> > I would like to share these simple rules for authentication failures in
>> > Joomla 3.x (default configuration).
>> >
>> > If you have any comments, let me know :)
>> >
>> > local_decoder.xml
>> >
>> > <!-- Custom Decoder -->
>> > <decoder name="joomla">
>> >   <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d</prematch>
>> > </decoder>
>> >
>> > <decoder name="joomla-failure">
>> >   <parent>joomla</parent>
>> >   <prematch offset="after_parent">^\t</prematch>
>> >   <regex offset="after_prematch">(\w+)\t(\w+)</regex>
>> >   <order>extra_data,status</order>
>> > </decoder>
>> >
>> > local_rules.xml
>> >
>> > <rule id="100100" level="0">
>> >   <decoded_as>joomla</decoded_as>
>> >   <description>joomla messages grouped.</description>
>> > </rule>
>> >
>> > <rule id="100101" level="2">
>> >   <if_sid>100100</if_sid>
>> >   <extra_data>INFO</extra_data>
>> >   <description>Joomla Info Events</description>
>> > </rule>
>> >
>> > <rule id="100102" level="5">
>> >   <if_sid>100101</if_sid>
>> >   <status>joomlafailure</status>
>> >   <match>Username and password do not match</match>
>> >   <description>Joomla authentication failed (admin zone).</description>
>> >   <group>authentication_failed,</group>
>> > </rule>
>> >
>> > <rule id="100103" level="10" frequency="3" timeframe="120" ignore="60">
>> >   <if_matched_sid>100102</if_matched_sid>
>> >   <description>Multiple Joomla authentication failures (admin zone).</description>
>> >   <group>authentication_failures,</group>
>> > </rule>
>> >
>> > -------
>> > logtest:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '2014-09-15T08:32:13+00:00 INFO joomlafailure Username and password do not match or you do not have an account yet.'
>> >        hostname: 'test'
>> >        program_name: '(null)'
>> >        log: '2014-09-15T08:32:13+00:00 INFO joomlafailure Username and password do not match or you do not have an account yet.'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'joomla'
>> >        extra_data: 'INFO'
>> >        status: 'joomlafailure'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '100103'
>> >        Level: '10'
>> >        Description: 'Multiple Joomla authentication failures (admin zone).'
>> >
>> > ---
>> >
>>
>> Could you set up an account on GitHub, clone the ossec repository
>> (https://github.com/ossec/ossec-hids), add your changes, and submit a
>> pull request? A few more log samples would be great too!
>>
>> If that's too much trouble, I can do it. Just let me know!
>>
>> >
>> > --
>> > Diego Subero
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
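To see how Diego's decoder and rule chain behave on a short stream of events, here is an added Python model of the three ossec-logtest phases; it is not code from the thread or from OSSEC. It assumes Joomla 3 writes tab-separated lines (timestamp, level, category, message) as the child decoder's `^\t` prematch implies, uses constructed sample lines, and simplifies the `frequency`/`timeframe`/`ignore` accounting of rule 100103 to a plain sliding window.

```python
import re
from datetime import datetime
# Decoders from the thread as Python regex: OSSEC \w is letters/digits/_, \p is punctuation.
JOOMLA_PREMATCH = re.compile(r"^\d{4}-\d\d-\d\d\w\d\d:\d\d:\d\d[+-]\d\d:\d\d")
# Child decoder joomla-failure: a tab right after the parent match, then (\w+)\t(\w+).
JOOMLA_FAILURE = re.compile(r"^(?P<ts>\S+)\t(?P<extra_data>\w+)\t(?P<status>\w+)")
FAILURE_TEXT = "Username and password do not match"  # <match> of rule 100102

def decode(line):
    """Phase 2 of ossec-logtest: decoded fields, or None when the prematch fails."""
    if not JOOMLA_PREMATCH.match(line):
        return None
    fields = {"decoder": "joomla", "log": line}
    m = JOOMLA_FAILURE.match(line)
    if m:
        fields.update(ts=m["ts"], extra_data=m["extra_data"], status=m["status"])
    return fields

def match_rule(fields):
    """Phase 3: walk the chain 100100 -> 100101 -> 100102, return (rule id, level)."""
    if fields is None:
        return None
    if fields.get("extra_data") != "INFO":
        return (100100, 0)
    if fields.get("status") == "joomlafailure" and FAILURE_TEXT in fields["log"]:
        return (100102, 5)
    return (100101, 2)

class FailureCorrelator:
    """Simplified sliding window for rule 100103 (frequency=3, timeframe=120 s, ignore=60 s)."""
    def __init__(self, frequency=3, timeframe=120, ignore=60):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits, self.last_alert = [], None
    def feed(self, line):
        result = match_rule(decode(line))
        if result != (100102, 5):
            return result  # only 100102 matches feed the composite rule
        now = datetime.fromisoformat(JOOMLA_FAILURE.match(line)["ts"])
        if self.last_alert and (now - self.last_alert).total_seconds() < self.ignore:
            return result  # inside the ignore window: base alert only
        self.hits = [t for t in self.hits if (now - t).total_seconds() <= self.timeframe]
        self.hits.append(now)
        if len(self.hits) >= self.frequency:
            self.hits, self.last_alert = [], now
            return (100103, 10)
        return result

# Constructed, tab-separated Joomla 3 log lines (not taken from the thread).
MSG = "Username and password do not match or you do not have an account yet."
SAMPLE_LOG = [f"2014-09-15T08:{t}+00:00\tINFO\tjoomlafailure\t{MSG}" for t in ("32:13", "32:40", "33:05")]
```

Feeding the three sample lines through one `FailureCorrelator` yields 100102 twice and then 100103 on the third failure, matching the level 10 alert in Diego's logtest run; a fourth failure within the next 60 s falls into the ignore window and only raises 100102 again.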
