Hey Guys,<div>I'm way behind on adoption of the whole patterndb thing, but if you're looking for log samples, here's a good resource:</div><div><a href="http://www.ossec.net/wiki/Log_Samples">http://www.ossec.net/wiki/Log_Samples</a></div>
<div><br clear="all">______________________________________________________________ <br><br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Thu, Jul 15, 2010 at 3:26 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:<br>
> > My target is at first is login/logout/login failure events. I'd start<br>
> > with a generic Linux installation and try to cover all applications that<br>
> > perform authentication.<br>
><br>
</div>> OK, so here are some:<br>
><br>
> OS<br>
> Linux<br>
> SSH<br>
> bad pwd<br>
> Apr 22 16:56:39 support sshd[11354]: Failed password for root from<br>
> ::ffff:10.10.10.4 port 4027 ssh2<br>
<br>
this was covered by the already existing patterns, though it was nice to<br>
see that they indeed worked with IPv6. I've added this as an example to<br>
test the pattern with.<br>
<br>
> bad user<br>
> Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user<br>
> admin from ::ffff:10.10.10.135 port 45629 ssh2<br>
<br>
this was a different incarnation of "invalid user" of the previous<br>
poster, probably this message was changed within sshd. Added as a<br>
separate rule.<br>
<br>
> FTP<br>
> bad pwd<br>
> Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2<br>
><br>
<br>
already covered.<br>
<br>
> OS<br>
> HP-UX<br>
> bad pwd<br>
> Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2<br>
<br>
also covered.<br>
<br>
><br>
> Web<br>
> Apache<br>
> 401<br>
> 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html<br>
> HTTP/1.1" 401 485<br>
><br>
<br>
I've a trouble with this one, login failures in Apache are logged to the<br>
error log, it seems to be a better source than scanning the access.log<br>
for the 401 status, especially as it is normal part of the protocol and<br>
not necessarily an immediate login failure.<br>
<br>
I don't see that access.log should be going through patterndb as it is<br>
already structured. Using a csv-parser to read that would probably be<br>
easier, probably good candidate for creating an SCL block to do just<br>
that.<br>
<font color="#888888"><br>
--<br>
Bazsi<br>
</font><div><div></div><div class="h5"><br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
</div></div></blockquote></div><br></div>