Hello Josep:

Thanks for your reply. I think with your rule, I will also get an alert if the same user logs into the system twice or more in the given window.

I am looking for different users logging into the system from the same IP address in a given window AND no alert for the same user. Hope I have clarified my point.

Thanks,
Aashish

On Thu, Apr 02, 2009 at 08:34:22AM +0200, Josep Abenza wrote:
> Hi Aashish,
>
> I think what you need is a SingleWithThreshold rule with the description
> being:
> 'Accepted publickey from IP $1'
>
> For example:
>
> type=SingleWithThreshold
> ptype=RegExp
> pattern=Accepted publickey for \S+ from (\S+)
> desc=Login from IP $1
> action=write - two logins from IP $1
> window=10
> thresh=2
>
> This way, since your description only includes the IP address, logins from
> any user coming from the same IP will be correlated.
>
> Josep
>
> On Wed, Apr 1, 2009 at 11:56 PM, Aashish Sharma <[email protected]> wrote:
>
> > I am trying to define a rule-set which alerts on multiple (> 1) user logins
> > from the *same* IP address to one or more systems within a certain duration.
> >
> > Apr 1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from xx.yy.96.100 port 27640 ssh2
> > Apr 1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from xx.yy.96.100 port 16361 ssh2
> > Apr 1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from xx.yy.96.100 port 16362 ssh2
> > Apr 1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from xx.yy.96.100 port 16363 ssh2
>
> --
> IMPORTANT: This e-mail is only for the recipient(s) indicated above and may
> contain information that is confidential or unsuitable for overly sensitive
> people with low self-esteem, no sense of humour or irrational religious
> beliefs. If you are not the correct recipient, distributing or copying this
> e-mail is in irritatingly bad taste.
>
> No animals were harmed in the transmission of this e-mail (although the
> neighbour's dog has had one paw in the grave for some time, truth be told).
> To reassure the followers of Iker J*m*n*z, be aware that reading this notice
> backwards will not reveal any hidden message. However, if you draw a circle
> of salt around yourself and the computer, you will avoid any harm to
> yourselves or your goldfish.
>
> If you have received this e-mail by mistake, please add nutmeg and three egg
> whites, mix everything together and bake it for forty minutes. Let it cool
> and serve with Emmental.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
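The correlation Aashish describes (two or more *distinct* users accepted from one IP within a window, while a repeated login by the same user adds nothing), written here as an added stand-alone check over the sshd lines quoted in the thread. This is example code, not a SEC rule and not part of the SEC project; the 600-second window, the year 2009 used only for timestamp parsing, and the function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four sshd lines from Aashish's original mail (IP masked as in the thread).
SAMPLE_LOG = """\
Apr 1 16:18:09 host-1 sshd[172120]: Accepted publickey for user1 from xx.yy.96.100 port 27640 ssh2
Apr 1 16:21:17 host-1 sshd[163958]: Accepted publickey for user2 from xx.yy.96.100 port 16361 ssh2
Apr 1 16:24:14 host-2 sshd[172142]: Accepted publickey for user1 from xx.yy.96.100 port 16362 ssh2
Apr 1 16:24:29 host-1 sshd[127194]: Accepted publickey for user3 from xx.yy.96.100 port 16363 ssh2
"""

# Same fields the SEC pattern in the thread captures, plus the syslog timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def detect_shared_ip_logins(lines, window_sec=600, thresh=2, year=2009):
    """Return (ip, users, timestamp) alerts whenever a *new* user name pushes the
    number of distinct users seen from that IP within window_sec to >= thresh.
    A second login by an already-seen user only refreshes its timestamp, so it
    never raises an alert on its own (the behaviour the thread asks for).
    window_sec and year are assumed values, not taken from the thread."""
    seen = defaultdict(dict)  # ip -> {user: time of most recent login}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an accepted-login line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        users = seen[m["ip"]]
        is_new_user = m["user"] not in users
        users[m["user"]] = ts
        # Expire users whose last login is older than the window.
        for stale in [u for u, t in users.items() if (ts - t).total_seconds() > window_sec]:
            del users[stale]
        if is_new_user and len(users) >= thresh:
            alerts.append((m["ip"], tuple(sorted(users)), m["ts"]))
    return alerts


if __name__ == "__main__":
    for ip, users, ts in detect_shared_ip_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts}: {len(users)} distinct users from {ip}: {', '.join(users)}")
```

With the sample lines this fires at the user2 login and again at the user3 login, but not at the repeated user1 login; shrinking the window to 60 seconds leaves only the user1/user3 pair, which are 15 seconds apart.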
