On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
OK, so here are some:
OS / Linux / SSH bad pwd:
  Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2
OS / Linux / SSH bad user:
  Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2
OS / Linux / FTP bad pwd:
  Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2
OS / HP-UX / bad pwd:
  Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2
Web / Apache / 401:
  10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485
Is login success next, hopefully?
Ahh, I might have put the wording wrong. I meant login AND logout and login failure. So let those come as well. Great to receive these patterns. I really appreciate them. I hope to get your submissions into shape today, or worst case this week. -- Bazsi
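To show how the failure patterns posted above turn into detection logic, here is an added Python example; it is not part of the thread and not syslog-ng's pattern database or any of its code. It parses the sshd and Apache lines quoted in the thread, strips the IPv4-mapped ::ffff: prefix that sshd logs on dual-stack sockets, distinguishes bad-password from bad-user failures, and counts failures per source address. The regular expressions, the event/reason names, the AuthEvent type, and the two non-failure lines labelled as constructed are my own assumptions, not something the thread specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log lines exactly as posted in the thread (Linux and HP-UX sshd, Apache access log).
THREAD_SAMPLES: List[str] = [
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2",
    # The HP-UX sample carries an anonymized, non-routable address (10.10.333.444); it is kept as logged.
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
    '10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485',
]

# Constructed here (not from the thread): a successful login and a 200 response,
# to show that the failure parser leaves non-failure lines alone.
CONSTRUCTED_NON_FAILURES: List[str] = [
    "Apr 22 16:57:01 support sshd[11360]: Accepted password for root from ::ffff:10.10.10.4 port 4031 ssh2",
    '10.10.10.100 - - [23/Apr/2007:12:30:02 -0500] "GET /olu/index.html HTTP/1.1" 200 2048',
]

# OpenSSH "Failed password" line. Older releases say "illegal user", later ones
# "invalid user"; both mean the account does not exist (assumed regex).
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:(?P<invalid>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)

# Apache Common Log Format: host ident user [time] "request" status bytes (assumed regex).
APACHE_ACCESS = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)$"
)


@dataclass
class AuthEvent:
    source: str            # "sshd" or "apache"
    outcome: str           # only "failure" is produced here
    reason: str            # "bad_password", "bad_user" or "http_401"
    user: Optional[str]    # None when the log carries no username
    src_ip: str
    src_port: Optional[int]
    raw: str


def normalize_ip(addr: str) -> str:
    """sshd on a dual-stack socket logs IPv4 peers as IPv4-mapped IPv6; return the plain IPv4."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr


def parse_auth_event(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a recognised login-failure line, or None for anything else."""
    m = SSHD_FAILED.match(line)
    if m:
        reason = "bad_user" if m.group("invalid") else "bad_password"
        return AuthEvent("sshd", "failure", reason, m.group("user"),
                         normalize_ip(m.group("src")), int(m.group("port")), line)
    m = APACHE_ACCESS.match(line)
    if m and m.group("status") == "401":
        # A 401 with "-" as user is the initial challenge (no credentials offered);
        # a 401 carrying a name is a rejected credential for that name.
        user = None if m.group("user") == "-" else m.group("user")
        return AuthEvent("apache", "failure", "http_401", user, m.group("src"), None, line)
    return None


def failures_by_source_ip(lines: List[str]) -> Dict[str, int]:
    """Count recognised login failures per (normalized) source address."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            continue
        counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in THREAD_SAMPLES + CONSTRUCTED_NON_FAILURES:
        ev = parse_auth_event(sample)
        print("ignored " if ev is None else f"{ev.source}/{ev.reason} user={ev.user} src={ev.src_ip}", "|", sample)
    print(failures_by_source_ip(THREAD_SAMPLES + CONSTRUCTED_NON_FAILURES))
```

Normalizing the ::ffff: prefix matters for correlation: the same host appears as 10.10.10.4 in the Apache log and as ::ffff:10.10.10.4 in sshd, so without the fix a per-source threshold would count it as two attackers. The HP-UX line parses even though its address is not a valid IPv4 address, because the parser does not validate the field; anything that does address lookups downstream should.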