[syslog-ng] patterndb: collect login/logout samples

Anton Chuvakin anton at chuvakin.org
Tue Jul 13 21:37:28 CEST 2010


> My target at first is login/logout/login failure events. I'd start
> with a generic Linux installation and try to cover all applications that
> perform authentication.

OK, so here are some:

OS
Linux
SSH
bad pwd
Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2
bad user
Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2
FTP
bad pwd
Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2

OS
HP-UX
bad pwd
Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2

Web
Apache
401
10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485


Is login success next, hopefully?

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
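
Added example, not part of the original message and not syslog-ng patterndb code: a Python normalizer that maps the sshd and Apache samples above to one login-failure event shape. The function names, the output field names and the "invalid user" wording (used by newer OpenSSH, absent from the samples) are assumptions of this example.

```python
import ipaddress
import re

# Samples from the message above, e-mail line wraps rejoined.
SAMPLES = [
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
    '10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485',
]

# The user name is remote input and may contain spaces, so the greedy
# (?P<user>.+) leaves the trailing "from ADDR port N sshN" anchored at end of line.
# "invalid user" is an assumption added here; the samples only show "illegal user".
SSHD_FAIL = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<baduser>(?:illegal|invalid) user )?(?P<user>.+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh\d?$"
)
# Apache common log format: host ident authuser [time] "request" status bytes
APACHE_CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)$'
)

def norm_addr(raw):
    """Return (address, is_valid); unwrap IPv4-mapped IPv6 such as ::ffff:10.10.10.4."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return raw, False          # e.g. the sanitised 10.10.333.444 sample
    return str(getattr(ip, "ipv4_mapped", None) or ip), True

def normalize(line):
    """Map one raw log line to a login-failure event dict, or None if unrecognised."""
    m = SSHD_FAIL.match(line)
    if m:
        src, ok = norm_addr(m["src"])
        reason = "unknown_user" if m["baduser"] else "bad_password"
        return {"app": "sshd", "event": "login_failure", "reason": reason,
                "user": m["user"], "src": src, "src_valid": ok, "port": int(m["port"])}
    m = APACHE_CLF.match(line)
    if m and m["status"] == "401":
        src, ok = norm_addr(m["src"])
        return {"app": "apache", "event": "login_failure", "reason": "http_401",
                "user": None if m["user"] == "-" else m["user"],
                "src": src, "src_valid": ok, "path": m["path"]}
    return None
```

In the Apache sample the authuser field is "-", so the event carries user None: that 401 records a request without credentials rather than a named account failing.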

