Michael Andrus wrote:
> On Fri, Feb 27, 2009 at 9:59 AM, Michael Andrus <[email protected]> wrote:
>> I've tried doing 'tail -f /var/log/secure > /tmp/sec' and am receiving the same results. The test event (I am generating this event myself by failing a SSH login repeatedly) is triggered by /tmp/sec, but not by /var/log/secure.
>>
>
> I have configured syslog-ng to log authpriv to a named pipe, and now the rule seems to be working, but not as I had expected.
>
> I think perhaps I have misunderstood the way SingleWithThreshold works...
>
> Again, here is my rule:
>
> # CentOS 4 SSH PAM_OPIE Failed authentication
> # Warning: This may ban an overzealous user who's having trouble w/ OPIE
> # Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
> type=SingleWithThreshold
> ptype=RegExp
> pattern= (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
> desc=$0
> action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr"|awk -F" " '{print $2}'| /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
> window=15
> thresh=3
>
> It appears that events are only triggered by three *exact* matching lines from the input, i.e.
>
> Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
> Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
> Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>
> whereas I was assuming that three lines matching the regex would trigger the event, i.e.
>
> Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
> Feb 26 14:32:16 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
> Feb 26 14:32:18 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>
> Am I correct in my observation that only lines repeating exactly will be counted against the threshold?
Yes, you are absolutely correct -- you are seeing this behavior because the 'desc' field of the rule has been set to $0 (entire line, that is, *including* timestamps!). However, the 'desc' parameter does not merely serve as a free-form description of the rule, but has a much more important function -- it sets the event correlation key, which defines the scope of event correlation (i.e., how many operations a rule can start and which events get correlated by each individual operation). The SEC man page contains a separate section about how to set event correlation keys -- have a look at http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV

This section contains a discussion about rules and event correlation operations + examples.

hth,
risto

>
> If so, could someone point me in the right direction conceptually as to how to configure SEC to act on three similar rules (i.e. only the timestamp changing).
> I am guessing that this is where contexts come into play. If anyone has an example ruleset they wouldn't mind sharing, I would appreciate it immensely.
>
> Thanks!
>
> - Michael A.
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
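The following Python model is an added illustration of the point made in Risto's reply; it is not code from the thread, from SEC, or from its man page. It replays the SSH failure lines quoted above (plus one constructed line from a second address, 10.0.0.5) through a simplified SingleWithThreshold: one counting operation per distinct correlation key, where the key is the expanded 'desc' string. With desc=$0 every line carries its own timestamp and so becomes its own key, and no operation ever reaches thresh=3; with a key built from the source address (the template "SSH brute force from $2" is an assumed value, not from the message) the three failures from 192.168.1.23 are counted together. The sliding 15-second window and the count reset after firing are a simplification of SEC's real operation lifecycle.

```python
import re
from collections import defaultdict
from datetime import datetime

# The pattern from the rule quoted in the thread, written as a Python regex.
# Group 1 is the host name and group 2 the client address ($1 / $2 in SEC).
PATTERN = re.compile(
    r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ "
    r"from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample input: the three lines from the message (timestamps differ,
# same address) plus one failure from a second, unrelated address.
SAMPLE_LOG = [
    "Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:16 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:17 darkstar sshd[10031]: error: PAM: Authentication failure for root from 10.0.0.5",
    "Feb 26 14:32:18 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
]


def syslog_time(line):
    """Turn the leading 'Mon DD HH:MM:SS' syslog stamp into seconds (year ignored)."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()


def expand_desc(template, line, match):
    """Expand $0..$9 in a desc template: $0 is the whole event line (as in SEC),
    $N the N-th capture group of the rule's pattern."""
    def repl(m):
        n = int(m.group(1))
        return line if n == 0 else match.group(n)
    return re.sub(r"\$(\d)", repl, template)


def single_with_threshold(lines, desc_template, window, thresh):
    """Simplified SingleWithThreshold: events sharing a correlation key (the
    expanded desc) are counted within a sliding window of `window` seconds;
    when the count reaches `thresh` the action fires and the operation ends.
    Returns the list of keys for which the action fired, in firing order."""
    seen = defaultdict(list)   # correlation key -> timestamps of counted events
    fired = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key = expand_desc(desc_template, line, m)
        now = syslog_time(line)
        times = [t for t in seen[key] if now - t < window] + [now]
        if len(times) >= thresh:
            fired.append(key)
            times = []         # operation finished; the next event starts a new one
        seen[key] = times
    return fired


if __name__ == "__main__":
    # Key = whole line (desc=$0): four distinct keys, nothing fires.
    print(single_with_threshold(SAMPLE_LOG, "$0", 15, 3))
    # Key = per source address: only 192.168.1.23 reaches the threshold.
    print(single_with_threshold(SAMPLE_LOG, "SSH brute force from $2", 15, 3))
    # Key = constant: all addresses share one counter, which fires on the
    # third failure regardless of who caused it (too coarse a scope).
    print(single_with_threshold(SAMPLE_LOG, "SSH brute force", 15, 3))
```

The three calls in the main block show the scope choice that desc controls: too fine (the whole line) and the rule never fires; too coarse (a constant) and unrelated clients are lumped together; keyed on $2 and each address is tracked on its own.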
