In message <[email protected]>,
Michael Andrus writes:
>On Fri, Feb 27, 2009 at 9:59 AM, Michael Andrus <[email protected]> wrote:
>> I've tried doing 'tail -f /var/log/secure > /tmp/sec' and
>> am receiving the same results. The test event ( I am generating this event
>> myself by failing a SSH login repeatedly ) is triggered by /tmp/sec, but
>> not by /var/log/secure.
>>
>
>I have configured syslog-ng to log authpriv to a named pipe, and now
>the rule seems to be working, but not as as I had expected.
>
>I think perhaps I have misunderstood the way SingleWithThreshold works...
>
>Again, here is my rule:
>
># CentOS 4 SSH PAM_OPIE Failed authentication
># Warning: This may ban an overzealous user who's having trouble w/ OPIE
># Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
>type=SingleWithThreshold
>ptype=RegExp
>pattern= (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
>desc=$0
>action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr"|awk -F" " '{print $2}'| /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
>window=15
>thresh=3
>
>It appears that events are only triggered by three *exact* matching
>lines from the input, ie.
>
>Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23

Your DESC parameter is $0. So the way counting works is:

   parse the event using the pattern
   find out if a rule with a matching DESC exists that needs incrementing

 Since your desc is the entire line ($0), only the exact same line
(including the timestamp) matches in the second step.

If you had:

 desc= PAM auth fail from $2

it would keep a running count for all events from that host. Ignoring
user, timestamp etc.

>whereas I was assuming that three lines matching the regex would
>trigger the event, ie.
>
>Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>Feb 26 14:32:16 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>Feb 26 14:32:18 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
>
>Am I correct in my observation that only lines repeating exactly will
>be counted against the threshold?

Yes, with your current desc.

>If so, could someone point me in the right direction conceptually as
>to how to configure SEC to act on three similar rules ( ie. only
>timestamp changing ).
>I am guessing that this is where contexts come into play. If anyone
>has an example ruleset they wouldn't mind sharing, I would appreciate
>it immensely.

There are a few places mentioned on the sec website where there are
sample rules. James Brown's excellent tutorial included. Then there is
some paper from a guy who presented at LISA a few years back.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
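An added illustration, not part of this thread and not SEC's own code: the Python script below models the counting described above, namely that SEC keys each SingleWithThreshold counter on the expanded desc string. It reuses the rule's regex and runs the three constructed log lines from the question (timestamps two seconds apart) through the same rule twice, once with desc=$0 and once with a desc keyed on $2. Assumptions: syslog timestamps carry no year, so 2009 is filled in; and a counter is simply cleared after it fires, whereas real SEC keeps the operation alive until its window expires.

```python
import re
from collections import defaultdict
from datetime import datetime

# The rule's own regex: group 1 is the hostname, group 2 the source address.
PATTERN = re.compile(
    r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ "
    r"from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample input: same host, user and source, timestamps 2 s apart.
SAMPLE_LINES = [
    "Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:16 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:18 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
]


def event_time(line):
    """Turn the syslog timestamp at the start of a line into epoch seconds.
    Syslog carries no year, so 2009 (the year of the thread) is assumed."""
    stamp = datetime.strptime("2009 " + line[:15], "%Y %b %d %H:%M:%S")
    return stamp.timestamp()


def expand_desc(template, line, match):
    """Expand $0 (the whole input line) and $1..$N (regex submatches) in a
    desc string, the way SEC builds the key that identifies a counter."""
    def repl(m):
        n = int(m.group(1))
        return line if n == 0 else match.group(n)
    return re.sub(r"\$(\d+)", repl, template)


def run_rule(desc_template, window, thresh, lines):
    """Model of SingleWithThreshold: one counter per expanded desc, sliding
    window of `window` seconds. Returns the desc keys that reached `thresh`.
    Simplification: a counter is cleared once it fires."""
    counters = defaultdict(list)  # desc key -> timestamps seen in the window
    fired = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # the rule does not apply to this line
        key = expand_desc(desc_template, line, m)
        now = event_time(line)
        # Drop events that have fallen out of the sliding window.
        recent = [t for t in counters[key] if now - t < window]
        recent.append(now)
        if len(recent) >= thresh:
            fired.append(key)
            counters[key] = []
        else:
            counters[key] = recent
    return fired


if __name__ == "__main__":
    # desc=$0: every line is its own key, so three timestamps never add up.
    print("desc=$0          ->", run_rule("$0", 15, 3, SAMPLE_LINES))
    # desc keyed on the source address: all three lines share one counter.
    print("desc=... from $2 ->", run_rule("PAM auth fail from $2", 15, 3, SAMPLE_LINES))
    # Exact repeats (the only input that fired in the original test) do count under $0.
    print("desc=$0, repeats ->", run_rule("$0", 15, 3, [SAMPLE_LINES[0]] * 3))
```

Running it shows the empty result for desc=$0, one firing for the $2-keyed desc, and a firing for three byte-identical lines, which is exactly the behaviour reported in the question. Shrinking the window below the spread of the timestamps (say window=3 for lines two seconds apart) makes the $2-keyed rule stay silent as well, since the oldest event ages out before the third arrives.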

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
