Hello Group:

I am trying to define a rule-set which alerts on multiple (> 1) user logins from 
the *same* IP address to one or more systems within a certain duration. 


Apr  1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from 
xx.yy.96.100 port 27640 ssh2 
Apr  1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from 
xx.yy.96.100 port 16361 ssh2
Apr  1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from 
xx.yy.96.100 port 16362 ssh2
Apr  1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from 
xx.yy.96.100 port 16363 ssh2


Side note: 

I tried using contexts and was not quite successful. I ended up just creating a 
rule which would trigger if *a* user is logging in several times from the same IP 
address until an inactivity period of 240 seconds. 

Here are the rules for that:  

type=Single
ptype=RegExp
pattern=(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+sshd\[(\d+)\]:(\s*\[ID\s+\d+\s+auth.info\])?\s*Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s*(::ffff:)?\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+port\s+(\d+)\s*((\S+))?
context=!MULTIPLE_LOGIN_FROM_$8_$10
continue=TakeNext
desc=First of multiple login from $8 $10
action=create INACTIVITY_TIMER_$8_$10; create MULTIPLE_LOGIN_FROM_$8_$10 600 \
( report MULTIPLE_LOGIN_FROM_$8_$10 /bin/mail -s "SEC: Multiple logins for $8" [email protected]; \
delete INACTIVITY_TIMER_$8_$10; )

# Save "BAD LOGIN FROM host" event to its context, and expand the
# lifetime of the INACTIVITY_TIMER_host context for another 4 min
# (note that this will indirectly expand the lifetime of the
# MULTIPLE_LOGIN_FROM_host context for the same amount of time)


type=Single
ptype=RegExp
pattern=(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+sshd\[(\d+)\]:(\s*\[ID\s+\d+\s+auth.info\])?\s*Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s*(::ffff:)?\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+port\s+(\d+)\s*((\S+))?
context=MULTIPLE_LOGIN_FROM_$8_$10
desc=Bad login from $8 $10
action=add MULTIPLE_LOGIN_FROM_$8_$10 $0; \
set INACTIVITY_TIMER_$8_$10 240 ( delete MULTIPLE_LOGIN_FROM_$8_$10; )
 

I appreciate your help, 

Thanks 
Aashish 
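The detection the post asks for (more than one distinct user accepted from the same source address, on any host, within a sliding window), written out in Python as an added example; this is not code from the original post or from SEC. The regex is a loose translation of the poster's pattern with named groups instead of $8/$10, and the sample lines are constructed to mirror the four in the post, with the documentation address 192.0.2.100 standing in for the masked xx.yy.96.100.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Modelled on the poster's SEC pattern, with named groups instead of $8/$10; the
# address group is \S+ so masked samples such as xx.yy.96.100 also match.
SSH_ACCEPTED = re.compile(
    r"^(?P<stamp>\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s*"
    r"Accepted\s+\S+\s+for\s+(?P<user>\S+)\s+from\s*(?:::ffff:)?\s*"
    r"(?P<ip>\S+)\s+port\s+\d+"
)

def _to_seconds(stamp):
    # Syslog stamps carry no year; comparing against a fixed origin keeps the
    # arithmetic relative (a December/January rollover would need a real year).
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()

def find_shared_ip_logins(lines, window_seconds=240):
    """One alert per user newly seen on an address that already has a different
    user's accepted login inside the sliding window; non-matching lines are skipped."""
    recent = defaultdict(deque)  # ip -> (seconds, user, host), oldest first
    alerts = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if not m:
            continue
        now = _to_seconds(m["stamp"])
        q = recent[m["ip"]]
        while q and now - q[0][0] > window_seconds:  # expire logins outside the window
            q.popleft()
        seen_users = {u for _, u, _ in q}
        if seen_users and m["user"] not in seen_users:
            alerts.append({
                "time": m["stamp"], "ip": m["ip"], "new_user": m["user"],
                "users": sorted(seen_users | {m["user"]}),
                "hosts": sorted({h for _, _, h in q} | {m["host"]}),
            })
        q.append((now, m["user"], m["host"]))
    return alerts

# Constructed sample mirroring the poster's four lines (192.0.2.100 is a
# documentation address standing in for the masked xx.yy.96.100).
SAMPLE = [
    "Apr  1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from 192.0.2.100 port 27640 ssh2",
    "Apr  1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from 192.0.2.100 port 16361 ssh2",
    "Apr  1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from 192.0.2.100 port 16362 ssh2",
    "Apr  1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from 192.0.2.100 port 16363 ssh2",
]
```

With the 240-second window the sample yields three alerts (user2, then user1 again after its first login has aged out, then user3); with a 600-second window it yields two, because the second user1 login still falls inside the window. The same idea maps onto SEC contexts keyed by address plus one context per address/user pair, which is what distinguishes a new user from a repeat login.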

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
