On Fri, 2005-06-03 at 08:11 -0400, dave@private wrote:
> I'm working on a logsurfer rule to notify me of an attack denoted by
> 10 or more accesses from a single place trying passwords. I know the
> rule is ok as it works when I send it to pipe '/bin/cat' but I'm
> having problems with the context:
>
> ' sshd\[[0-9]*\]: .* Failed password for .* from .* port ' - 10 - 0
>     open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
>     report "/usr/local/stow/logsurfer/sbin/startmail dave \"security incident from $2\"" " $2 unix: "
>
> # Also tried:
> # report "/bin/mailx -s \"security incident from $2\" dave" "$2 sshd\\[[0-9]*\\]: .* from $3"

Couple of things here.

Firstly, the second argument to the report action needs to match the context regex just after the 'open', so " $2 unix: " should be "$2 sshd\\[[0-9]*\\]: .* from $3".

Second, the initial rule regex needs a pattern to match the hostname string which comes just before sshd[]. Also, there's usually only one space after sshd[]: and "Failed", so that regex probably won't match.

Here's what it should look like (beware of line wrapping):

' ([^ ]+) sshd\[[0-9]*\]: Failed password for invalid user .* from (.*) port ' - 10 - 0
    open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
    report "/usr/local/stow/logsurfer/sbin/startmail dave \"security incident from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"

Which checks out OK on my system here.

mailx should also be used instead of startmail, although it's remotely feasible that someone could remotely inject meta escapes into mailx.

A useful function in Logsurfer is the state dumping. Sending a SIGUSR1 to Logsurfer will make it dump its state to the dump file configured on the command line - this will show the active contexts and the log lines that they have stored. If there's no context active, then chances are the initial rule regex didn't match anything.
Kerry

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
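The detection rule discussed in this thread, re-implemented in Python as an added example (this is not logsurfer code, not from the original posts, and does not model logsurfer's context/open/report machinery). It shows two things from the reply: why the original pattern with two spaces between "sshd[pid]:" and "Failed" never matches a real syslog line, and what the corrected rule does in effect, i.e. alert once a single source produces ten failed-password lines against one host inside a time window. Assumptions: the classic "Mon DD HH:MM:SS host sshd[pid]: message" syslog layout, a 1800-second window chosen for the example, a year supplied for timestamp parsing (syslog carries none), and an optional "invalid user " so that failures for existing accounts also count (Kerry's regex only matches the invalid-user form). The log lines are constructed.

```python
"""Threshold detection for sshd password guessing, modelled on the corrected
logsurfer rule in the reply: alert when one source produces THRESHOLD failed
password attempts against one host within WINDOW.  Added example, not logsurfer."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message".  The
# hostname capture before sshd[] and the source capture after "from" mirror
# Kerry's corrected rule; "invalid user " is made optional here (generalisation).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>[^ ]+) "
    r"sshd\[[0-9]*\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Dave's original pattern, kept only to show why it never matched: it needs
# two spaces between "sshd[pid]:" and "Failed" (the ": " plus " Failed").
ORIGINAL_RE = re.compile(r" sshd\[[0-9]*\]: .* Failed password for .* from .* port ")

THRESHOLD = 10                     # "10 or more accesses from a single place"
WINDOW = timedelta(seconds=1800)   # window length chosen for this example
LOG_YEAR = 2005                    # assumed: syslog timestamps carry no year


def original_rule_matches(line):
    """True if dave's original (double-space) pattern matches the line."""
    return ORIGINAL_RE.search(line) is not None


def parse_failed(line):
    """Return (timestamp, host, src) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["src"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per (host, src).  One alert per burst that reaches
    the threshold; the context is then cleared so a new burst starts from zero."""
    contexts = defaultdict(list)   # (host, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue                # not a failed-password line: ignored
        ts, host, src = parsed
        key = (host, src)
        recent = [t for t in contexts[key] if ts - t <= window]
        recent.append(ts)
        if len(recent) >= threshold:
            alerts.append({"host": host, "src": src, "count": len(recent),
                           "first": recent[0], "last": ts})
            recent = []             # context closed after reporting
        contexts[key] = recent
    return alerts


def build_sample_log():
    """Constructed sample: 12 failures from 198.51.100.7 against 'bastion', one
    per minute; 3 from 203.0.113.4; one success; one failure on another host."""
    lines = [
        f"Jun  3 08:{10 + i:02d}:00 bastion sshd[41{i:02d}]: Failed password for "
        f"invalid user admin from 198.51.100.7 port {50000 + i} ssh2"
        for i in range(12)
    ]
    lines += [
        "Jun  3 08:15:10 bastion sshd[4200]: Failed password for root from 203.0.113.4 port 40001 ssh2",
        "Jun  3 08:15:12 bastion sshd[4201]: Failed password for root from 203.0.113.4 port 40002 ssh2",
        "Jun  3 08:15:14 bastion sshd[4202]: Failed password for root from 203.0.113.4 port 40003 ssh2",
        "Jun  3 08:16:00 bastion sshd[4203]: Accepted publickey for dave from 203.0.113.4 port 40004 ssh2",
        "Jun  3 08:17:00 shell01 sshd[99]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2",
    ]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("original pattern matches a real line:", original_rule_matches(log[0]))
    for a in detect(log):
        print(f"{a['host']}: {a['count']} failures from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed log the original pattern matches nothing, while the corrected one raises exactly one alert for 198.51.100.7 against bastion at the tenth failure; the three attempts from 203.0.113.4 and the single failure on shell01 stay below threshold, which is the behaviour the per-host, per-source context in Kerry's rule is meant to give. The same script is a convenient way to sanity-check a regex against real lines before wiring it into logsurfer, complementing the SIGUSR1 state dump the reply mentions.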
This archive was generated by hypermail 2.1.3 : Sat Jun 04 2005 - 02:37:34 PDT