Jeff,
sorry for the somewhat late answer. What is this ruleset designed for? Should it
report all SSH login failures, or rather the failures that have occurred after
the threshold has been crossed?
If you are after the second goal, I would create a context without a lifetime 
in the 'action' field, and I would also report and delete the context in the 
'action2' field. In addition, I would include the $1 variable (the name of the 
logging host) in the context name. This would ensure that each counting 
operation would have a separate context, and that context from a terminated 
counting operation would not interfere with future operations.
with kind regards,
risto


> Our firewalls are occasionally brute-forced and we are looking to
> monitor those using sec. I've got it mostly working with the config
> below but there is one issue:
> 
> ############# Firewall Brute Force Detector ##############
> #pattern=^<\d+> \w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
> type=SingleWithThreshold
> ptype=RegExp
> pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
> desc=Possible brute force attack (ssh) on $1 from $3
> window=60
> thresh=5
> context=!FIREWALL_BRUTE_FROM_$3
> action=create FIREWALL_BRUTE_FROM_$3 60 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com); add FIREWALL_BRUTE_FROM_$3 5 failed ssh attempts within 60 seconds detected; add FIREWALL_BRUTE_FROM_$3 $0
> 
> # Add extra events to the FIREWALL_BRUTE_FROM_HOST context
> type=Single
> ptype=RegExp
> pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
> desc=Possible brute force attack (ssh) on $1 from $3
> context=FIREWALL_BRUTE_FROM_$3
> action=add FIREWALL_BRUTE_FROM_$3 "$0"; set FIREWALL_BRUTE_FROM_$3 30 (report FIREWALL_BRUTE_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com);
> ##########################################################
> 
> An example log entry would look like this:
> Jul 15 00:02:00.000 f01p.blah.int sshd[46042]: %AUTH-6: Failed password for admin from 220.136.15.64 port 34756 ssh2
> 
> So after 5 events, a FIREWALL_BRUTE_FROM_220.136.15.64 context is
> created. After 60 seconds have passed, it will shoot out an email. The
> contents of that email contain the very first of the first 5 events,
> and then anything that follows after the original context is created.
> 
> I'm running sec like this:
> ./sec-2.5.3.pl -input=- -debug=6 -conf=brute.conf
> 
> And feeding it this fake log:
> Jul 15 00:02:00.000 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:01.001 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:02.002 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:03.003 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:04.004 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:05.005 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> Jul 15 00:02:06.006 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> 
> The email looks like this, but I'm trying to make it send all of the
> events:
> 5 failed ssh attempts within 60 seconds detected
> Jul 15 00:02:00.000 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2
> "Jul 15 00:02:05.005 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2"
> "Jul 15 00:02:06.006 f01p.blah.int sshd[46043]: %AUTH-6: Failed password for root from 220.136.15.64 port 34784 ssh2"
> 
> What am I doing wrong here?
> 
> 
> -- 
> Jeff Schroeder
> 
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com
> 
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

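Added example (not part of either message above, and not Jeff's or Risto's code): one way to rework the posted ruleset along the lines of the reply, so that the mail carries the threshold notice plus every failure seen after the threshold was crossed. The regex, mail command and elided address are carried over from the original post; the context name, descriptions and field layout are this example's own choices. It assumes, as documented for SingleWithThreshold in the sec(1) manual, that the `action2` list runs when the counting operation's window expires after `action` has fired; check the manual for the SEC version in use before relying on that.

```conf
############# Firewall Brute Force Detector (reworked) ##############
# Example ruleset, not the original post's config. Assumes SEC's
# SingleWithThreshold 'action2' runs when the 60 s window of a counting
# operation ends after the threshold action has already fired.

# Rule 1: count failures per (logging host $1, source IP $3). The context
# name includes $1 as the reply suggests, so each host/source pair gets
# its own counting operation. The context is created WITHOUT a lifetime;
# it lives until action2 reports and deletes it, so a stale context from
# a finished operation can never swallow events of a new one.
type=SingleWithThreshold
ptype=RegExp
pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
desc=Possible brute force attack (ssh) on $1 from $3
context=!FIREWALL_BRUTE_ON_$1_FROM_$3
action=create FIREWALL_BRUTE_ON_$1_FROM_$3; add FIREWALL_BRUTE_ON_$1_FROM_$3 5 failed ssh attempts within 60 seconds detected on $1 from $3; add FIREWALL_BRUTE_ON_$1_FROM_$3 $0
action2=report FIREWALL_BRUTE_ON_$1_FROM_$3 /bin/mail -s "ssh brute force attack on $1 from $3" m...@email.com; delete FIREWALL_BRUTE_ON_$1_FROM_$3
window=60
thresh=5

# Rule 2: once the context exists, rule 1 no longer matches this
# host/source pair (its context condition is negated), so every further
# failure falls through to this rule and is appended to the context.
# No lifetime is touched here, so the report time stays tied to the end
# of rule 1's counting window rather than being pushed out by each event.
type=Single
ptype=RegExp
pattern=^\w+ \d{2} \d{2}:\d{2}:\d{2}\.\d{3} ([\w\.]+) [\w\d]+\[\d+\]: %AUTH-\d+: Failed password for ([\w\d]+) from ([\d\.]+) port \d+ (\w+)$
desc=Collect ssh failure on $1 from $3 after threshold
context=FIREWALL_BRUTE_ON_$1_FROM_$3
action=add FIREWALL_BRUTE_ON_$1_FROM_$3 $0
#####################################################################
```

With this layout the mail is sent once per host/source pair when the counting window closes, and contains the notice line, the event that opened the window, and everything rule 2 collected afterwards. If the goal is instead to include all five counted failures as well, a separate collecting rule that fires before the threshold is reached would be needed; that variant is not shown here.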
