Hey Guys, I'm way behind on adoption of the whole patterndb thing, but if you're looking for log samples, here's a good resource: http://www.ossec.net/wiki/Log_Samples

Clayton Dukes

On Thu, Jul 15, 2010 at 3:26 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
OK, so here are some:
OS Linux SSH bad pwd Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2
this was covered by the already existing patterns, though it was nice to see that they indeed worked with IPv6. I've added this as an example to test the pattern with.
bad user Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2
this was a different incarnation of "invalid user" of the previous poster, probably this message was changed within sshd. Added as a separate rule.
FTP bad pwd Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2
already covered.
OS HP-UX bad pwd Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2
also covered.
Web Apache 401 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485
I have trouble with this one: login failures in Apache are logged to the error log, which seems to be a better source than scanning the access.log for the 401 status, especially as 401 is a normal part of the protocol and not necessarily an immediate login failure.
I don't see that access.log should be going through patterndb, as it is already structured. Using a csv-parser to read that would probably be easier; it is probably a good candidate for creating an SCL block to do just that.
-- Bazsi
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
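As an added illustration of the two sshd rules discussed above (not a file from the thread or from the syslog-ng project), here is a patterndb v4 ruleset that separates the "illegal user" variant from the plain "Failed password for" message and carries the thread's sample lines as self-checking test cases. The rule ids and the provider name are made-up placeholders; the usracct.* value names follow the syslog-ng naming convention.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2010-07-16">
  <ruleset name="sshd-auth-example" id="example-ruleset-sshd">
    <!-- only messages whose PROGRAM is sshd reach these rules -->
    <pattern>sshd</pattern>
    <rules>
      <!-- Variant 1: unknown account. Listed first; its literal "illegal user"
           branch is preferred over the generic parser branch below. -->
      <rule provider="example" id="example-sshd-failed-pw-illegal-user" class="violation">
        <patterns>
          <pattern>Failed password for illegal user @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.service">ssh</value>
          <value name="usracct.unknown_user">yes</value>
        </values>
        <examples>
          <example>
            <test_message program="sshd">Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2</test_message>
            <test_values>
              <test_value name="usracct.username">admin</test_value>
              <test_value name="usracct.device">::ffff:10.10.10.135</test_value>
              <test_value name="usracct.port">45629</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <!-- Variant 2: known account, wrong password. @ESTRING ... : @ stops at the
           first space, so IPv4-mapped IPv6 addresses are captured unchanged. -->
      <rule provider="example" id="example-sshd-failed-pw" class="violation">
        <patterns>
          <pattern>Failed password for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.service">ssh</value>
        </values>
        <examples>
          <example>
            <test_message program="sshd">Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2</test_message>
            <test_values>
              <test_value name="usracct.username">root</test_value>
              <test_value name="usracct.device">::ffff:10.10.10.4</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run `pdbtool test sshd-auth-example.xml` to check every embedded example against its own rule, and `pdbtool match -p sshd-auth-example.xml -P sshd -M "Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2"` to see which rule an arbitrary line lands on.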