[logs] Re: logsurfer ssh rule for attack

From: Kerry Thompson (kerry@private)
Date: Thu Jun 09 2005 - 14:28:26 PDT


[Tina might disregard this as the thread is getting a bit long and repeated]

dave@private said:
>[snip]
>
> Thanks to everyone that responded with some very useful tips and I
> apologize for not replying sooner. I reworked the rules as many of you
> suggested but consider this still development so it's not including all
> the cases I want nor is it actually only waiting for 10 iterations before
> the rule triggers. I'm still having problems with the open context.
>
> I tried
>
> ' ([^ ]+) sshd\[[0-9]*\]: (.*) Failed password for (.*) from (.*) port ' -
> - - 0
>         open "$2 sshd\\[[0-9]*\\]: .* from $3" - - - 0
>          report "/usr/bin/mailx -s \"Server $2 ssh attempt \" dave" " $2
> .*$3" t from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"

That should be:
' ([^ ]+) sshd\[[0-9]*\]: (.*) Failed password for (.*) from (.*) port ' -
- - 0
   open "$2 sshd\\[[0-9]*\\]: .* from $3" - - - 0
   report "/usr/bin/mailx -s \"Server $2 ssh attempt \" dave" "$2
sshd\\[[0-9]*\\]: .* from $3"

so the second argument to report matches the context pattern.

The following post may help:
http://lists.shmoo.com/pipermail/loganalysis/2004-December/002690.html

>
> But am still getting nothing so I punted and sent it directly to mailx.
> So here's what I've got:
>
> ' ([^ ]+) sshd\[[0-9]*\]: (.*) Failed password for (.*) from (.*) port ' -
> - - 0
>         report "/usr/bin/mailx -s \"Server $2 ssh attempt by $4 from $5\"
> dave"
>   " $2 sshd\[[0-9]*\]: .* Failed password for $4 from $5 "
>
>
> So when it sees an ssh failure, it sends me a message including the
> hostname attacked, username tried and from whence it came.

Yes, that works. But the difference between using open to open a context
and a straight report is that contexts can store multiple log lines and
send them to a command; the straight rule and report function here will
only grab one matching line and fire it off.

>
> I couldn't get it to include anything in the body of the message so I must
> be calling it wrong(?)

Nope, you're calling it right. It's just not doing what you want.

>
> What I'd really like it to do is send only one such message after X number
> of attempts (I initially arbitrarily chose 10) from the same host rather
> than spewing message after message to me. So I presume I probably want a
> rule afterwards to delete the first rule, right?

Well, you'd want it to time out, and only trigger if you get more than x
log lines from sshd. Standard Logsurfer can't do that so well; in
Logsurfer+ (a version I enhanced) you can specify the minimum number of
log lines to collect before triggering the action, which is more suitable
for IDS-like functions.

See http://www.crypt.gen.nz/logsurfer
I've put some examples and doco up which may help.

>
> Currently, we parse/glom syslogs and have them sent to us hourly. While
> this generally tells us after the fact, at least the messages are all
> glommed into a single one. How do others handle this?

Logsurfer relies on timing of single log lines coming in, so it's much
better to have the syslog entries forwarded to your log analyser box in
real time as they actually happen.

>
> We're interested in several conditions.
> Many attacks from the same src
> Any attacks from obvious bad usernames like guest
> scanning our net ie same src hitting multiple dest in sequence

Also high rates of attack, indicating you're being specifically targeted
by someone with high intent of getting in. All of these are good reasons to
have real-time log analysis.

>
> As to dumping logsurfer output, that shows the match but nothing about the
> context which is why I'm having difficulties with it. Is there any way to
> see what the open context is doing?
>

If you're not seeing anything in the contexts section of the dump, then a
context isn't getting opened. In other words, the rule didn't action the
'open' statement. Check the pattern in the rule and make sure it matches
the log lines coming in.

Regards,
Kerry

-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry@private
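To illustrate the two points above (a context collecting several log lines before its action fires, and Logsurfer+'s minimum-line count with a timeout), here is an added Python sketch of that behaviour; it is not code from this thread or from Logsurfer itself, and the class name, the `run` helper and the sample log lines are all constructed for the example.

```python
import re

# Captures the same fields as the thread's logsurfer rule: server host, username, source IP.
FAILED_RE = re.compile(
    r" ([^ ]+) sshd\[[0-9]*\]: .*Failed password for (?:invalid user )?(\S+) from (\S+) port "
)

class SshFailureWatcher:
    """Hypothetical stand-in for logsurfer contexts: one context per (server, source)
    collects matching lines, fires once when min_lines arrive, and idle contexts expire."""

    def __init__(self, min_lines=10, timeout=300):
        self.min_lines = min_lines
        self.timeout = timeout          # seconds a context may stay open
        self.contexts = {}              # (server, src) -> {"opened": ts, "lines": [], "users": []}

    def _expire(self, now):
        stale = [k for k, c in self.contexts.items() if now - c["opened"] > self.timeout]
        for k in stale:
            del self.contexts[k]        # timed out with too few lines: no alert

    def feed(self, ts, line):
        """Process one syslog line with its epoch timestamp; return an alert dict or None."""
        self._expire(ts)
        m = FAILED_RE.search(line)
        if not m:
            return None
        server, user, src = m.groups()
        ctx = self.contexts.setdefault((server, src), {"opened": ts, "lines": [], "users": []})
        ctx["lines"].append(line)
        ctx["users"].append(user)
        if len(ctx["lines"]) < self.min_lines:
            return None
        del self.contexts[(server, src)]    # close the context: one alert per burst
        return {"server": server, "src": src, "users": sorted(set(ctx["users"])),
                "count": len(ctx["lines"]), "body": "\n".join(ctx["lines"])}

def run(events, min_lines=10, timeout=300):
    """Feed (timestamp, line) pairs in order and collect the alerts that fire."""
    w = SshFailureWatcher(min_lines, timeout)
    return [a for a in (w.feed(ts, line) for ts, line in events) if a]

# Constructed sample: 10 failures from 10.0.0.1 within a minute, 3 from 10.0.0.2.
T0 = 1118350000
SAMPLE = [(T0 + i * 5, f"Jun  9 14:00:{i:02d} web1 sshd[40{i}]: Failed password for "
           f"{'root' if i % 2 else 'invalid user admin'} from 10.0.0.1 port {50000 + i} ssh2")
          for i in range(10)]
SAMPLE += [(T0 + 100 + i, f"Jun  9 14:01:{40 + i} web1 sshd[41{i}]: Failed password for "
            f"guest from 10.0.0.2 port 6000{i} ssh2") for i in range(3)]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(f"{alert['count']} failures on {alert['server']} from {alert['src']} users={alert['users']}")
```

The alert body carries every collected line, which is what a context hands to its command and what a single-line report cannot.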




This archive was generated by hypermail 2.1.3 : Thu Jun 09 2005 - 14:59:40 PDT