On Sat, 4 Jun 2005, Kerry Thompson wrote:

> On Fri, 2005-06-03 at 08:11 -0400, dave@private wrote:
>> I'm working on a logsurfer rule to notify me of an attack denoted by
>> 10 or more accesses from a single place trying passwords. I know the
>> rule is ok as it works when I send it to pipe '/bin/cat' but I'm
>> having problems with the context:
>>
>> ' sshd\[[0-9]*\]: .* Failed password for .* from .* port ' - 10 - 0
>> open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
>> report "/usr/local/stow/logsurfer/sbin/startmail dave \"security incident from $2\"" " $2 unix: "
>> # Also tried:
>> # report "/bin/mailx -s \"security incident from $2\" dave" "$2 sshd\\[[0-9]*\\]: .* from $3"
>>
>
> Couple of things here. Firstly, the second argument to the report action
> needs to match the context regex just after the 'open', so " $2 unix: "
> should be "$2 sshd\\[[0-9]*\\]: .* from $3".
>
> Second, the initial rule regex needs a pattern to match the hostname
> string which comes just before sshd[]. Also, there's usually only one
> space after sshd[]: and "Failed", so that regex probably won't match.
>
> Here's what it should look like (beware of line wrapping):
>
> ' ([^ ]+) sshd\[[0-9]*\]: Failed password for invalid user .* from (.*) port ' - 10 - 0
> open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
> report "/usr/local/stow/logsurfer/sbin/startmail dave \"security incident from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"
>
> Which checks out OK on my system here. mailx should also be used instead
> of startmail, although it's remotely feasible that someone could remotely
> inject meta escapes into mailx.
>
> A useful function in Logsurfer is the state dumping. Sending a SIGUSR1
> to Logsurfer will make it dump its state to the dump file configured on
> the command line - this will show the active contexts and the log lines
> that they have stored. If there's no context active, then chances are
> the initial rule regex didn't match anything.
>
> Kerry
>

Thanks to everyone that responded with some very useful tips and I apologize for not replying sooner. I reworked the rules as many of you suggested but consider this still development so it's not including all the cases I want nor is it actually only waiting for 10 iterations before the rule triggers. I'm still having problems with the open context. I tried

' ([^ ]+) sshd\[[0-9]*\]: (.*) Failed password for (.*) from (.*) port ' - - - 0
open "$2 sshd\\[[0-9]*\\]: .* from $3" - - - 0
report "/usr/bin/mailx -s \"Server $2 ssh attempt \" dave" " $2 .*$3"
t from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"

But am still getting nothing so I punted and sent it directly to mailx. So here's what I've got:

' ([^ ]+) sshd\[[0-9]*\]: (.*) Failed password for (.*) from (.*) port ' - - - 0
report "/usr/bin/mailx -s \"Server $2 ssh attempt by $4 from $5\" dave" " $2 sshd\[[0-9]*\]: .* Failed password for $4 from $5 "

So when it sees an ssh failure, it sends me a message including the hostname attacked, username tried and from whence it came. I couldn't get it to include anything in the body of the message so I must be calling it wrong(?)

What I'd really like it to do is send only one such message after X number of attempts (I initially arbitrarily chose 10) from the same host rather than spewing message after message to me. So I presume I probably want a rule afterwards to delete the first rule, right?

Currently, we parse/glom syslogs and have them sent to us hourly. While this generally tells us after the fact, at least the messages are all glommed into a single one. How do others handle this? We're interested in several conditions:

- Many attacks from the same src
- Any attacks from obvious bad usernames like guest
- Scanning our net, i.e. same src hitting multiple dest in sequence

As to dumping logsurfer output, that shows the match but nothing about the context which is why I'm having difficulties with it. Is there any way to see what the open context is doing?
Thanks

=-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
David Stern
University of Maryland Institute for Advanced Computer Studies

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
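The behaviour the thread is chasing (a per-source context opened by the first failed-password line, later lines collected into it, one report after N lines within a timeout, and the collected lines as the mail body) written out as an added Python example; this is not logsurfer and not code from the list, and the hostname web1, the 10.0.0.5 / 10.0.0.9 addresses and every log line are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Same shape as the rule in the thread: "<host> sshd[<pid>]: Failed password for [invalid user] <user> from <src> port".
FAILED = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>[^ ]+) sshd\[[0-9]*\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port "
)

# Constructed sample syslog lines (not from the thread): 12 failures from one
# source, one from another, an accepted login, then a late retry past the window.
SAMPLE_LOG = [
    f"Jun  4 10:{i:02d}:00 web1 sshd[{4000 + i}]: Failed password for invalid user "
    f"{['guest', 'admin'][i % 2]} from 10.0.0.5 port {50000 + i} ssh2"
    for i in range(12)
] + [
    "Jun  4 10:05:30 web1 sshd[4100]: Failed password for root from 10.0.0.9 port 51000 ssh2",
    "Jun  4 10:06:00 web1 sshd[4101]: Accepted password for dave from 10.0.0.9 port 51001 ssh2",
    "Jun  4 11:30:00 web1 sshd[4200]: Failed password for invalid user guest from 10.0.0.5 port 52000 ssh2",
]

def alerts_for(lines, threshold=10, window_s=1800, year=2005):
    """One alert per (host, src) the first time `threshold` failures land within `window_s` seconds.
    Like a logsurfer open/report pair: the first match opens a per-source context,
    later matches collect into it, the report fires once when the line count is
    reached, and a context older than the window is replaced by a fresh one."""
    contexts = {}  # (host, src) -> {"opened": datetime, "lines": [...], "reported": bool}
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # not a failed-password line; logsurfer would fall through to later rules
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        key = (m["host"], m["src"])
        ctx = contexts.get(key)
        if ctx is None or ts - ctx["opened"] > timedelta(seconds=window_s):
            ctx = contexts[key] = {"opened": ts, "lines": [], "reported": False}
        ctx["lines"].append(line)
        if len(ctx["lines"]) >= threshold and not ctx["reported"]:
            ctx["reported"] = True  # fire once; further lines in this context stay quiet
            users = sorted({FAILED.match(l)["user"] for l in ctx["lines"]})
            alerts.append({
                "subject": f"Server {m['host']} ssh attempts from {m['src']} ({len(ctx['lines'])} failures, users: {', '.join(users)})",
                "body": "\n".join(ctx["lines"]),  # the collected context lines become the mail body
                "host": m["host"], "src": m["src"], "count": len(ctx["lines"]), "users": users,
            })
    return alerts

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG): print(a["subject"], a["body"], sep="\n")
```

Running it on the sample yields exactly one report for 10.0.0.5 (at the tenth failure, lines 11 and 12 stay silent) and nothing for the single failure from 10.0.0.9; the 11:30 retry opens a new context because the 1800 s window has expired.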
This archive was generated by hypermail 2.1.3 : Wed Jun 08 2005 - 14:34:58 PDT