On Fri, 2010-09-24 at 14:42 +0200, Peter Czanik wrote:
Hello,
On 09/23/2010 06:07 PM, Peter Czanik wrote:
Hello,
Attached are the vsftpd login/login failure events I found. There was no trace of logout in the logs.
One more rule, for a situation not addressed yesterday: invalid username:
HOST=linux-6y8u MESSAGE=gkr-pam: error looking up user information for: asdf PROGRAM=vsftpd PID=1 LEGACY_MSGHDR=vsftpd[1]: .classifier.class=system .classifier.rule_id=ac8c7834-c7d5-11df-bb3c-000c298c9ba2 usracct.username=asdf usracct.type=login usracct.sessionid=1 usracct.application=vsftpd secevt.verdict=REJECT
<rule provider="patterndb" id="ac8c7834-c7d5-11df-bb3c-000c298c9ba2" class="system">
  <patterns>
    <pattern>gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@</pattern>
  </patterns>
  <examples>
    <example>
      <test_message>gkr-pam: error looking up user information for: asdf</test_message>
      <test_values>
        <test_value name="usracct.username">asdf</test_value>
      </test_values>
    </example>
  </examples>
  <values>
    <value name="usracct.type">login</value>
    <value name="usracct.sessionid">$PID</value>
    <value name="usracct.application">$PROGRAM</value>
    <value name="secevt.verdict">REJECT</value>
  </values>
  <tags>
    <tag>usracct</tag>
    <tag>secevt</tag>
  </tags>
</rule>
Applied. Some notes:
* test_message should contain a program="programname" attribute in order for pdbtool test to actually try to test the pattern
* ANYSTRING should be avoided where possible: it eats up the complete remainder of the message
* the fastest solution is usually using the ESTRING parser. I'm thinking about changing the parser syntax to make it easier to use type-specific parsers, but currently the best bet is to use the @ESTRING@ parser if there's a definite ending of the value in question.

One question: you sent a generic user login failure message and another with more specific information. Are these happening right after each other, or is only one of them displayed?

--
Bazsi
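An added illustration of the parser behaviour discussed above; this is not code from the thread or from syslog-ng itself, but a small Python simulator of how @ANYSTRING:name@ (take the whole remainder of the message) and @ESTRING:name:delimiter@ (take text up to a definite delimiter) extract values. It assumes the @ESTRING:name:delimiter@ syntax and models patterndb as requiring the full message to be consumed. The second sample message ("login of user asdf from 10.0.0.1") is constructed for the demonstration and is not a real vsftpd log line.

```python
import re

# Parser tokens in the form @ANYSTRING:name@ or @ESTRING:name:delimiter@.
TOKEN = re.compile(r"@(ANYSTRING|ESTRING):([A-Za-z0-9_.]+)(?::([^@]*))?@")

# Message and pattern taken from the rule in the thread.
PAGE_MESSAGE = "gkr-pam: error looking up user information for: asdf"
PAGE_PATTERN = "gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@"

# Constructed message (not a real vsftpd line) to show why ANYSTRING
# cannot sit in the middle of a pattern.
CONSTRUCTED_MESSAGE = "login of user asdf from 10.0.0.1"


def parse_pattern(pattern):
    """Split a pattern into ('LITERAL', text) and (kind, name, delimiter) parts."""
    parts = []
    pos = 0
    for m in TOKEN.finditer(pattern):
        if m.start() > pos:
            parts.append(("LITERAL", pattern[pos:m.start()]))
        kind, name, delim = m.group(1), m.group(2), m.group(3)
        if kind == "ESTRING" and not delim:
            # ESTRING only makes sense when the value has a definite ending.
            raise ValueError("ESTRING needs a delimiter: %s" % m.group(0))
        parts.append((kind, name, delim))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("LITERAL", pattern[pos:]))
    return parts


def match(pattern, message):
    """Return the extracted name/value dict, or None if the pattern does not match.

    Modelled as a full-message match (assumption): any unconsumed trailing
    text means no match.
    """
    values = {}
    pos = 0
    for part in parse_pattern(pattern):
        if part[0] == "LITERAL":
            literal = part[1]
            if not message.startswith(literal, pos):
                return None
            pos += len(literal)
        elif part[0] == "ANYSTRING":
            # ANYSTRING eats the complete remainder of the message.
            values[part[1]] = message[pos:]
            pos = len(message)
        else:
            # ESTRING stops at the first occurrence of the delimiter and
            # consumes the delimiter as well.
            _, name, delim = part
            end = message.find(delim, pos)
            if end < 0:
                return None
            values[name] = message[pos:end]
            pos = end + len(delim)
    return values if pos == len(message) else None


if __name__ == "__main__":
    # The rule from the thread: the username is the trailing field, so
    # ANYSTRING is appropriate here.
    print(match(PAGE_PATTERN, PAGE_MESSAGE))
    # ANYSTRING in the middle swallows "asdf from 10.0.0.1", so the literal
    # " from " can never match and the rule fails.
    print(match("login of user @ANYSTRING:user@ from @ANYSTRING:src@", CONSTRUCTED_MESSAGE))
    # ESTRING with the definite ending " from " extracts both fields.
    print(match("login of user @ESTRING:user: from @@ANYSTRING:src@", CONSTRUCTED_MESSAGE))
```

Run the file directly to see the three cases: the thread's rule extracting "asdf", the mid-pattern ANYSTRING failing to match at all, and the ESTRING variant yielding both the user and the source address.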