Hi,

On Tue, 2010-07-13 at 15:29 +0200, Siem Korteweg wrote:
Hi,
Not sure whether the following should be caught.
This message is displayed when an unknown user attempts to log in:
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict access (for users in LDAP), the following messages are displayed for users that are not allowed to log in:
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
and
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
Are both of these logged when such an event occurs? Because if it does, then a single pattern (the 2nd line) covers both, right?
When the AllowGroups and/or AllowUsers keywords are used, the following messages are displayed:
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
and
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
Again, from the login/logout/failure point of view, the "invalid user" log message grasps the event of a login failure. The other two messages contain additional details about the upcoming message though but in order to connect the two an additional correlation step would need to be performed, which is not in scope right now. Here's the pattern I've added based on your sample:
+ <rule provider="patterndb" id="1a8891ff-6b86-4da5-b937-b789c76ef353" class="system"> + <patterns> + <pattern>Failed @ESTRING:usracct.authmethod: @for invalid user @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: @@ANYSTRING:usracct.service@</pattern> + </patterns> + <examples> + <example> + <test_message program="sshd">Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2</test_message> + <test_values> + <test_value name="usracct.username">siem</test_value> + <test_value name="usracct.authmethod">password</test_value> + <test_value name="usracct.device">127.0.0.1</test_value> + <test_value name="usracct.service">ssh2</test_value> + </test_values> + </example> + </examples> + <values> + <value name="usracct.type">login</value> + <value name="usracct.sessionid">$PID</value> + <value name="usracct.application">$PROGRAM</value> + <value name="secevt.verdict">REJECT</value> + </values> + <tags> + <tag>usracct</tag> + <tag>secevt</tag> + </tags> + </rule>
-- Bazsi
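Review bot: the unnamed parser `@ESTRING:: @` after `port ` in the pattern throws the source port away; giving it a name (for instance `usracct.port`, which this rule does not use yet) would keep the one value that differs between two attempts from the same address, since `usracct.device` only holds the peer address and `usracct.sessionid` is the sshd PID. A second point on the same line: `usracct.username` is filled from whatever name the remote side sent, and because `@ESTRING:usracct.username: @` stops at the first space, a login name containing a space makes the whole rule fail to match rather than produce a partial event, so the `<examples>` section should also carry a `<test_message>` for a non-password method such as `Failed publickey for invalid user ...` so the boundaries of the pattern are documented in the test.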
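The reply above settles on matching the "Failed ... for invalid user" line and leaves the correlation with the preceding "not allowed because ..." line for later. The following Python script is an added example, not code from the thread or from syslog-ng: it expresses the patterndb pattern as a regular expression, builds the same usracct/secevt fields the rule sets, and then goes one step beyond the thread by attaching the reason from the earlier message to the failure event via the shared sshd PID. The sample log lines are the ones quoted in the thread plus one constructed non-sshd line; the field names `usracct.port` and `secevt.reason` are hypothetical names chosen for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the sshd lines quoted in the thread, in log order,
# plus one unrelated cron line to show that other programs are ignored.
SAMPLE_LOG = """\
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
Jul 13 15:30:00 centos53 cron[13200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# BSD syslog header as written in the sample: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Regex form of the patterndb pattern from the thread. @ESTRING:name: @ consumes
# text up to the next single space, which \S+ does here; the trailing
# @ANYSTRING:usracct.service@ becomes .*. The port is captured as well, which the
# thread's rule does not do.
FAILED_RE = re.compile(
    r"^Failed (?P<authmethod>\S+) for invalid user (?P<username>\S+) "
    r"from (?P<device>\S+) port (?P<port>\d+) (?P<service>.*)$"
)

# The "not allowed because ..." line that precedes the failure in the Deny*/Allow* cases.
NOT_ALLOWED_RE = re.compile(
    r"^User (?P<username>\S+) from (?P<source>\S+) not allowed because (?P<reason>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into header fields and the free-text message; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines: List[str]) -> List[Dict[str, str]]:
    """Turn sshd 'invalid user' failures into usracct/secevt events.

    A preceding 'not allowed because ...' message from the same sshd PID is
    attached as 'secevt.reason' (the correlation step the thread leaves open).
    usracct.* and secevt.verdict follow the rule in the thread; 'usracct.port'
    and 'secevt.reason' are hypothetical names used only in this example.
    """
    pending: Dict[str, str] = {}  # sshd pid -> reason text from the 'not allowed' line
    events: List[Dict[str, str]] = []
    for line in lines:
        hdr = parse_syslog(line)
        if hdr is None or hdr["program"] != "sshd":
            continue
        pid, msg = hdr["pid"], hdr["msg"]
        na = NOT_ALLOWED_RE.match(msg)
        if na:
            pending[pid] = na.group("reason")
            continue
        fm = FAILED_RE.match(msg)
        if not fm:
            continue
        event = {
            "usracct.type": "login",
            "usracct.application": hdr["program"],
            "usracct.sessionid": pid,
            "usracct.authmethod": fm.group("authmethod"),
            "usracct.username": fm.group("username"),
            "usracct.device": fm.group("device"),
            "usracct.port": fm.group("port"),
            "usracct.service": fm.group("service"),
            "secevt.verdict": "REJECT",
        }
        # pop() so the reason is consumed by this one session: a later sshd
        # process that reuses the PID must not inherit a stale reason.
        reason = pending.pop(pid, None)
        if reason is not None:
            event["secevt.reason"] = reason
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        print(ev)
```

Keying the pending reason on the PID is enough here because sshd forks one process per connection, so the two lines of one rejected attempt share the bracketed PID in the syslog header; in a long-running pipeline the `pending` map would also need an expiry so entries from sessions that never reach a "Failed" line do not accumulate.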