On Saturday 04 June 2005 04:13, Kerry Thompson wrote:
> Here's what it should look like (beware of line wrapping):
>
> ' ([^ ]+) sshd\[[0-9]*\]: Failed password for invalid user .* from
> (.*) port ' - 10 - 0
> open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
> report "/usr/local/stow/logsurfer/sbin/startmail dave
> \"security incident from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"

There are actually two different lines sshd uses to report password guessing, the one above for non-existent users and another for users that exist in the system:

... sshd[30910]: Failed password for illegal user demo from 160.79.87.3 port 46942 ssh2
... sshd[30921]: Failed password for simon from 160.79.87.3 port 47582 ssh2

So, a more precise rule would be

' ([^ ]+) sshd\[[0-9]*\]: Failed password( for invalid user | ).* from (.*) port ' - 10 - 0

Regards,
Klaus Moeller, DFN-CERT

--
Dipl. Inform. Klaus Moeller (CSIRT)
DFN-CERT Services GmbH https://www.dfn-cert.de/ +49-40-808077-555
PGP RSA/2048, 0BB7C8F9, 6D CC 59 0F 86 0C 58 4D 35 D7 0C 55 EF 4F 42 23
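Added example, not part of the thread or of logsurfer: a small Python detector that applies the two-variant match Klaus describes (the "invalid user" form, also spelled "illegal user" as in his sample lines, and the existing-user form) to constructed sshd log lines, and raises a per-source report once a threshold of failures lands inside a time window. The threshold, window, hostname and year are constructed values for the demo and do not reproduce logsurfer's open/report timeout semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Both sshd failure variants from the thread. Older OpenSSH writes "illegal
# user" where newer releases write "invalid user", so both spellings match.
# Groups: host, user, source IP, source port.
FAILED_PW = re.compile(
    r" (?P<host>[^ ]+) sshd\[[0-9]+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log lines modelled on the two formats quoted above.
SAMPLE_LOG = """\
Jun  4 04:13:01 gw sshd[30910]: Failed password for illegal user demo from 160.79.87.3 port 46942 ssh2
Jun  4 04:13:04 gw sshd[30921]: Failed password for simon from 160.79.87.3 port 47582 ssh2
Jun  4 04:13:09 gw sshd[30930]: Failed password for invalid user admin from 160.79.87.3 port 47601 ssh2
Jun  4 04:13:11 gw sshd[30935]: Accepted publickey for simon from 10.0.0.5 port 50122 ssh2
Jun  4 04:40:00 gw sshd[31002]: Failed password for root from 10.0.0.9 port 40110 ssh2
"""

def parse_line(line):
    """Return (timestamp, host, user, ip) for a failed-password line, else None."""
    m = FAILED_PW.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; 2005 is assumed for the demo
    ts = datetime.strptime("2005 " + line[:15], "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("user"), m.group("ip")

def detect_guessing(log_text, threshold=3, window_s=600):
    """Emit (host, ip, count) when one source reaches `threshold` failures
    within `window_s` seconds, then reset that source's counter."""
    recent = defaultdict(deque)   # (host, ip) -> timestamps of recent failures
    reports = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, ip = parsed
        q = recent[(host, ip)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop expired entries
            q.popleft()
        if len(q) >= threshold:
            reports.append((host, ip, len(q)))
            q.clear()
    return reports

if __name__ == "__main__":
    for host, ip, n in detect_guessing(SAMPLE_LOG):
        print(f"security incident from {ip}: {n} failed passwords on {host}")
```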
_______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Mon Jun 06 2005 - 11:44:04 PDT