From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Tuesday, May 26, 2015 3:29 PM
To: Sadettin ARSLAN
Subject: Re: SEC
Can you post this question to the SEC mailing list, not my personal e-mail? In
that way, others will benefit from the discussion. Thanks!
risto
2015-05-26 12:09 GMT+03:00 <arsl...@hvkk.tsk.tr>:
Hi;
We have events about logins in the /var/log/secure file. They are like below.
May 26 May 26 09:25:57 localhost unix_chkpwd[1947]: password check failed for user (sec)
May 26 09:25:57 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
May 26 09:26:05 localhost unix_chkpwd[1952]: password check failed for user (sec)
May 26 09:26:05 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
May 26 09:26:13 localhost unix_chkpwd[1966]: password check failed for user (sec)
May 26 09:26:13 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
May 26 09:26:19 localhost gdm-password]: pam_unix(gdm-password:session): session opened for user sec by (unknown)(uid=0)
I failed at login on purpose to get those event logs. I want to display them in the terminal using action=write - %s in A.rules.
I want it to correlate the login logs from 1 week ago to now. This means it won't be real time. I want to write the command sec --conf=/etc/sec/A.rules --input=/var/log/secure --bufsize=1 in the terminal and see the failed login attempts, if it is possible.
What should I write in A.rules?
Thank you, Best Regards.
Sadettin ARSLAN
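An added example of an A.rules file for the pam_unix lines quoted above (this is not from the thread and not from the SEC distribution). It assumes the log format shown in the question; the user name "sec" is only the sample value, and the regexps capture whatever user= carries. Only the pam_unix line is matched, because the unix_chkpwd line reports the same failed attempt and matching both would count every failure twice.

```sec
# A.rules (added example). Rule 1: write every PAM authentication failure
# to stdout with the user name. continue=TakeNext lets the same event also
# reach rule 2; the default (DontCont) stops at the first matching rule.
type=Single
ptype=RegExp
pattern=pam_unix\([\w-]+:auth\): authentication failure;.* user=(\S+)\s*$
desc=PAM authentication failure for user $1
action=write - %s
continue=TakeNext

# Rule 2: the same event counted per user. Using $1 in desc gives every
# user its own counter. The rule fires once when 3 failures arrive within
# 600 seconds and then stays quiet for that user until the window expires.
type=SingleWithThreshold
ptype=RegExp
pattern=pam_unix\([\w-]+:auth\): authentication failure;.* user=(\S+)\s*$
desc=Repeated authentication failures for user $1
action=write - %s: 3 or more failures within 10 minutes
window=600
thresh=3
```

`write -` sends the text to standard output, so running `sec --conf=/etc/sec/A.rules --input=/var/log/secure` shows the matches in the terminal as new lines arrive. For a one-shot pass over an existing file rather than tailing it, sec's `--fromstart` (read the file from the beginning) and `--notail` (exit at end of file instead of waiting for more data) options apply; confirm both with `sec --help` on your version. The caveat behind Risto's "not the right tool" remark is that SEC measures `window` by wall-clock arrival time, not by the timestamp inside the event: replaying a week of logs in one pass delivers all events within seconds, so rule 2 counts failures across the whole file as if they were 10 minutes apart, and only rule 1's per-event output remains meaningful for historical data.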
From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Monday, May 25, 2015 4:12 PM
To: Sadettin ARSLAN
Cc: Simple-evcorr-users@lists.sourceforge.net
Subject: Re: SEC
hi,
what kind of events are we talking about? Whatever rules you want to write for
sec, the events need to be recognized somehow, and in order to write a regular
expression (or other pattern) for this purpose, the event format needs to be
known.
Also, do you want to react to failed login events that happen in real-time, or
is your intention to search the past logs (say, 1 hour, 1 day or 1 week old)?
If you intend to search past log data for off-line incident analysis, sec is
probably not the right tool, since it is designed for analyzing and correlating
real-time events.
So if you could clarify your question a bit further, we might be able to
provide more assistance.
kind regards,
risto
2015-05-25 12:06 GMT+03:00 <arsl...@hvkk.tsk.tr>:
Hi;
I am new to SEC. I want to set up a ruleset to display the last failed login attempt in the terminal. How can I display the outcome in the terminal? If you help me, I will be glad.
Best Regards.
Sadettin ARSLAN
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are hereby notified that any dissemination, copying or use of the information is prohibited. The opinions expressed in this message belong to the sender alone. This e-mail has been scanned for all known computer viruses.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users