I tried to get ssh to trip an alarm using failed logins. The sensor picks up the failed logins, but the rule I converted doesn't seem to catch it. Any idea why I am getting the error? I switched the plugin_id from 4002 to 4003, since there doesn't seem to be a rule for ssh failed logins. Below this are the errors I get on the server, complaining with the following message:
Error: event incorrect.
brian
Directive

<directive id="12" name="Possible brute force login attempt against DST_IP" priority="5">
  <rule type="detector" name="Authentication failure" reliability="3"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        time_out="10" plugin_id="4003" plugin_sid="1,2,3,4">
    <rules>
      <rule type="detector" name="Authentication failure (3 times)" reliability="+1"
            occurrence="3" from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
            time_out="15" plugin_id="4003" plugin_sid="1,2,3,4" sticky="true">
        <rules>
          <rule type="detector" name="Authentication failure (5 times)" reliability="+2"
                occurrence="5" from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
                time_out="20" plugin_id="4003" plugin_sid="1,2,3,4" sticky="true">
            <rules>
              <rule type="detector" name="Authentication failure (10 times)" reliability="+2"
                    occurrence="10" from="1:SRC_IP" to="ANY" port_from="ANY" port_to="ANY"
                    time_out="30" plugin_id="4003" plugin_sid="1,2,3,4" sticky="true">
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
Log output

2007-09-26 14:37:26 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" date="2007-09-26 14:38:59" plugin_id="4003" plugin_sid="1" src_ip="192.168.1.130" src_port="46540" dst_ip="0.0.0.0" sensor="192.168.1.122" interface="eth0" protocol="OTHER" asset_src="1" asset_dst="1" log="Sep 26 14:38:59 cienfuegos sshd[3832]: Failed password for brian from 192.168.1.130 port 46540 ssh2" username="brian"
2007-09-26 14:37:26 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" date="2007-09-26 14:39:01" plugin_id="4004" plugin_sid="1" src_ip="192.168.1.122" dst_ip="0.0.0.0" sensor="192.168.1.122" interface="eth0" protocol="OTHER" asset_src="1" asset_dst="1" data="uid: 0" log="Sep 26 14:39:01 cienfuegos CRON[3834]: (pam_unix) session opened for user root by (uid=0)" username="root"
2007-09-26 14:37:27 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" date="2007-09-26 14:39:01" plugin_id="4003" plugin_sid="1" src_ip="192.168.1.130" src_port="46540" dst_ip="0.0.0.0" sensor="192.168.1.122" interface="eth0" protocol="OTHER" asset_src="1" asset_dst="1" log="Sep 26 14:39:01 cienfuegos sshd[3832]: Failed password for brian from 192.168.1.130 port 46540 ssh2" username="brian"
2007-09-26 14:37:28 OSSIM-Message: Session Sensor : REMOVED
2007-09-26 14:37:28 OSSIM-Message: Removed IP: 192.168.1.122
2007-09-26 14:37:28 OSSIM-Message: Session Removed
2007-09-26 14:37:29 OSSIM-Message: New Session remote IP: 192.168.1.122
2007-09-26 14:37:29 OSSIM-Message: New session
2007-09-26 14:37:29 OSSIM-Message: Session Append
2007-09-26 14:37:30 OSSIM-Message: Error: event incorrect. Please check the src ip issued from the agent: desktop-brian
--
Brian Lavender
http://www.brie.com/brian/
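Added illustration (not code from the post or from OSSIM itself): a small simulator that walks the nested rule chain of the directive above over a stream of sensor events, to show how far the two sshd failures in the log would get it. It uses a simplified reading of occurrence, time_out and from="1:SRC_IP" (each level needs `occurrence` matching events within `time_out` seconds, events used by one level are not reused by the next), keeps only the first three levels, and the event records are constructed from the log lines.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Trimmed copy of the directive from the post (first three levels only).
DIRECTIVE = """<directive id="12" name="Possible brute force login attempt" priority="5">
<rule name="Authentication failure" reliability="3" occurrence="1" from="ANY"
      time_out="10" plugin_id="4003" plugin_sid="1,2,3,4"><rules>
<rule name="Authentication failure (3 times)" reliability="+1" occurrence="3"
      from="1:SRC_IP" time_out="15" plugin_id="4003" plugin_sid="1,2,3,4"><rules>
<rule name="Authentication failure (5 times)" reliability="+2" occurrence="5"
      from="1:SRC_IP" time_out="20" plugin_id="4003" plugin_sid="1,2,3,4"/>
</rules></rule></rules></rule></directive>"""

def event(hms, plugin_id, sid, src_ip):
    """Constructed sensor event; only the fields the directive inspects."""
    return {"ts": datetime.strptime("2007-09-26 " + hms, "%Y-%m-%d %H:%M:%S"),
            "plugin_id": plugin_id, "plugin_sid": sid, "src_ip": src_ip}

def matches(rule, ev, first_src):
    if rule.get("plugin_id") != ev["plugin_id"]:
        return False
    if ev["plugin_sid"] not in rule.get("plugin_sid").split(","):
        return False
    # "1:SRC_IP" pins later levels to the source IP that satisfied level 1
    return rule.get("from") != "1:SRC_IP" or ev["src_ip"] == first_src

def correlate(events):
    """Return (deepest rule name satisfied, accumulated reliability)."""
    rule, pending, first_src = ET.fromstring(DIRECTIVE).find("rule"), list(events), None
    reached, reliability = None, 0
    while rule is not None:
        need, window = int(rule.get("occurrence")), int(rule.get("time_out"))
        matched, start = [], None
        for ev in pending:
            if start and ev["ts"] - start > timedelta(seconds=window):
                break          # collection window for this level expired
            if matches(rule, ev, first_src):
                matched.append(ev)
                start = start or ev["ts"]
                if len(matched) == need:
                    break
        if len(matched) < need:
            break              # level not satisfied; the directive stalls here
        first_src = first_src or matched[0]["src_ip"]
        rel = rule.get("reliability")
        reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
        reached = rule.get("name")
        pending = pending[pending.index(matched[-1]) + 1:]   # consume used events
        rule = rule.find("rules/rule")                       # descend one level
    return reached, reliability

# The two sshd failures (plugin 4003, sid 1) and the unrelated CRON event
# (plugin 4004) from the log in the post, as constructed input.
LOGGED = [event("14:38:59", "4003", "1", "192.168.1.130"),
          event("14:39:01", "4004", "1", "192.168.1.122"),
          event("14:39:01", "4003", "1", "192.168.1.130")]
```

With only two failures the chain satisfies level 1 and then waits for the three further failures level 2 requires, so no deeper level fires.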