On Jul 11, 2014 10:02 AM, <sgtz...@googlemail.com> wrote:
>
> Dan, you say "Look at rule 5720 (although I'm not sure why it doesn't have a frequency, is that even valid?). It won't detect the multiple user IDs part, but is that really necessary if it can catch a single host failing repeatedly?". That's an SSHD rule of course. The equivalent for Pam I think is rule 5551.
>
> <rule id="5551" level="10" frequency="6" timeframe="180">
> <if_matched_sid>5503</if_matched_sid>
> <same_source_ip />
> <description>Multiple failed logins in a small period of time.</description>
> <group>authentication_failures,</group>
> </rule>
>
> This has a timeframe, but 5720 does not (and the latter does have a frequency, no? "<rule id="5720" level="10" frequency="6">").
>
I meant timeframe. Sorry, trying to do too many things at once.
> You ask, is it really necessary to detect multiple user IDs? I'd say yes, because I want to avoid false positives. We have several fine, upstanding clients on our servers with incorrectly configured devices that regularly poll the server with an incorrect user name and/or password. They seem oblivious. But we don't want to ban them. So just overriding rule 5551 by abandoning the timeframe seems a poor solution. But repeated failures by the same IP with differing user IDs seem like a reliable signature for a bad guy.
>
If you ban the incorrectly configured systems they will have motivation to fix them.
On Jul 11, 2014 10:24 AM, <sgtz...@googlemail.com> wrote:
>
> > If you ban the incorrectly configured systems they will have motivation to fix them.
>
> I'm afraid we don't see eye to eye on that, Dan. I take the view that we shouldn't make the lives of the good guys harder because we can't (or are unwilling to) make our systems more fit for purpose in holding off the bad guys.
>
If they're not willing to do their jobs, force them. :)
You can add the option to make this functionality possible. I'd encourage it being added. Someone else might want to sweep issues under the rug.
> > I meant timeframe. Sorry, trying to do too many things at once.
>
> Those poor folks with incorrectly configured systems (the good guys) are probably just like you and me: just trying to do too many things at once.
>
It sounds like what you're really looking for is a distinct option,
which OSSEC does not have. There may be some other creative way around
it like adding a username to a CDB list then doing a subsequent lookup,
but it's all going to have to be custom.
I added this to decoders.xml before "pam-host":
<decoder name="pam-ruser">
<parent>pam</parent>
<prematch> ruser</prematch>
<!-- "ruser=<name> ": the token after "ruser=" up to the next space is the user -->
<regex offset="after_prematch">^=(\S+) </regex>
<order>user</order>
</decoder>
<decoder name="pam-ruser">
<parent>pam</parent>
<!-- trailing "rhost=<host>" becomes srcip, the field <same_source_ip /> keys on -->
<regex> rhost=(\S+)$</regex>
<order>srcip</order>
</decoder>
Please do some testing and report back.
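The two detection variants argued over above, replayed against constructed PAM failure lines, as an added example that is not OSSEC code and was not posted in the thread. It emulates what the pam-ruser decoders extract (user and srcip), then runs a plain "at least N failures from one IP in the last T seconds" window like rule 5551 (frequency 6, timeframe 180) beside the proposed "same IP, several distinct usernames" signature. OSSEC's own internal counting rules are not reproduced; the log lines, hostnames and addresses are made up.

```python
"""Added example (not OSSEC code, not from the thread): replay constructed PAM
authentication-failure lines through two sliding-window checks, one mirroring
rule 5551 (same source IP, frequency 6, timeframe 180 s) and one that also
requires several distinct usernames from that IP, the signature proposed above.
OSSEC's internal event-counting details are not reproduced; this is a simple
'at least N matching events in the last T seconds' window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines. The failures carry the 'ruser=<user> rhost=<host>' tail
# that the pam-ruser decoders above extract; the final success line does not match.
SAMPLE_LOG = """\
Jul 11 10:00:05 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:00:20 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:00:35 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:00:50 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:01:05 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:01:20 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:01:35 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:01:50 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kiosk rhost=198.51.100.10
Jul 11 10:02:00 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7
Jul 11 10:02:05 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=203.0.113.7
Jul 11 10:02:10 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=203.0.113.7
Jul 11 10:02:15 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info rhost=203.0.113.7
Jul 11 10:02:20 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales rhost=203.0.113.7
Jul 11 10:02:25 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=postmaster rhost=203.0.113.7
Jul 11 10:03:00 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.3
Jul 11 10:03:30 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.3
Jul 11 10:03:45 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.3, lip=192.0.2.1
"""

# Same shape as the two decoders: 'ruser=<user> ' for user, trailing 'rhost=<host>' for srcip.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*authentication failure;"
    r".* ruser=(?P<user>\S+) rhost=(?P<srcip>\S+)$"
)


def parse_events(text):
    """Emulate the decoders: keep only failures and pull out ts, user, srcip."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append({"ts": ts, "user": m["user"], "srcip": m["srcip"]})
    return sorted(events, key=lambda e: e["ts"])


def alerts(events, frequency=6, timeframe=180, min_distinct_users=1):
    """Return {srcip: time of first alert} for IPs with >= frequency failures
    inside a timeframe-second window, spread over >= min_distinct_users names.
    min_distinct_users=1 is rule 5551's plain same_source_ip count."""
    window = defaultdict(deque)  # srcip -> (ts, user) pairs still inside the window
    fired = {}
    for ev in events:
        q = window[ev["srcip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > timedelta(seconds=timeframe):
            q.popleft()
        if ev["srcip"] in fired:
            continue
        if len(q) >= frequency and len({u for _, u in q}) >= min_distinct_users:
            fired[ev["srcip"]] = ev["ts"]
    return fired


def rule_5551(events):
    """Rule 5551 as shipped: 6 failures from one IP within 180 s, any usernames."""
    return alerts(events)


def distinct_user_variant(events, min_distinct_users=3):
    """Proposed signature: the same window, but only if the failures spread
    over several different usernames. The threshold of 3 is an assumption."""
    return alerts(events, min_distinct_users=min_distinct_users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("rule 5551 fires for:", sorted(rule_5551(evs)))
    print("distinct-user variant fires for:", sorted(distinct_user_variant(evs)))
```

The misconfigured kiosk at 198.51.100.10 trips the stock same_source_ip rule on its sixth retry, while the host at 203.0.113.7 cycling through six names is the only one the distinct-user variant flags; the two failures from 192.0.2.3 stay below both thresholds.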