I'm working on a logsurfer rule to notify me of an attack denoted by 10 or more accesses from a single place trying passwords. I know the rule is OK as it works when I send it to pipe '/bin/cat', but I'm having problems with the context:

    ' sshd\[[0-9]*\]: .* Failed password for .* from .* port ' - 10 - 0
      open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
      report "/usr/local/stow/logsurfer/sbin/startmail dave \"security incident from $2\"" " $2 unix: "

    # Also tried:
    # report "/bin/mailx -s \"security incident from $2\" dave" "$2 sshd\\[[0-9]*\\]: .* from $3"

Can someone better define the context for me?

TIA

=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
David Stern
University of Maryland Institute for Advanced Computer Studies

LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
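As an added example, not part of the original post and not logsurfer code, here is the same detection written in Python: one context per (host, source address) that counts "Failed password" lines and reports once 10 arrive within a window, then closes so a fresh context starts on the next failure. The regex carries explicit capture groups for the host and source address, which is what the $2 and $3 references in the rule need; the 600-second window and the sample log lines are assumptions constructed for this example.

```python
import re
from datetime import datetime

# OpenSSH "Failed password" line with groups: timestamp, host, user, source, port
FAILED_PW = re.compile(
    r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[[0-9]+\]: Failed password for '
    r'(?:invalid user )?(\S+) from (\S+) port (\d+)'
)
THRESHOLD = 10        # failures from one source that count as an attack
WINDOW_SECONDS = 600  # assumed context lifetime; tune to your environment

def parse_ts(stamp):
    """Parse a syslog timestamp (no year); only differences are used."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")

def scan(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return (host, source, user) for each source that reached the threshold."""
    # One context per (host, source), like logsurfer's open context; it is
    # closed once it fires so that a fresh one starts with the next failure.
    contexts = {}
    alerts = []
    for line in lines:
        m = FAILED_PW.match(line)
        if not m:
            continue  # not a failed-password line, e.g. "Accepted password"
        ts = parse_ts(m.group(1))
        key = (m.group(2), m.group(4))
        hits = contexts.setdefault(key, [])
        # expire failures older than the window (the context timeout)
        hits[:] = [t for t in hits if (ts - t).total_seconds() <= window]
        hits.append(ts)
        if len(hits) >= threshold:
            alerts.append((key[0], key[1], m.group(3)))
            del contexts[key]  # context fired; close it
    return alerts

# Constructed sample: 11 failures from 10.0.0.5 ten seconds apart, plus noise.
SAMPLE_LOG = [
    f"Jun  3 11:{10 + i // 6}:{(i * 10) % 60:02d} bastion sshd[{1200 + i}]: "
    f"Failed password for root from 10.0.0.5 port {40000 + i} ssh2"
    for i in range(11)
] + [
    "Jun  3 11:10:05 bastion sshd[1300]: Accepted password for dave from 192.0.2.7 port 50123 ssh2",
    "Jun  3 11:11:40 bastion sshd[1301]: Failed password for invalid user admin from 192.0.2.9 port 50200 ssh2",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Running it on the constructed sample reports one incident, for 10.0.0.5 on bastion; the single failure from 192.0.2.9 stays below the threshold.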
This archive was generated by hypermail 2.1.3 : Fri Jun 03 2005 - 11:54:08 PDT