Newbie: Several rules in config-file


text-dude

May 10, 2008, 8:22:25 PM5/10/08
to grok-users
Dear author/someone,

I downloaded grok because I have an ssh-server running and I made a
Python script that pops up every time 1) a user tries to hack me or 2)
a user logs in.

I think the configuration file doesn't work with two rules; is that
true?

---------
mac$ cat grok_test.conf
file "/var/log/secure.log" {
type "bad password" {
match = "Failed keyboard-interactive/pam for";
threshold = 0;
interval = 100;
reaction = "info_dialog.py SSH_LOGIN_WRONG_PASSWORD_VAR_LOG_SECURE.LOG!";
};
};
file "/var/log/secure.log" {
type "correct login" {
match = "Accepted keyboard-interactive/pam for";
threshold = 0;
interval = 100;
reaction = "info_dialog.py USER_LOGGED_IN_WITH_SSH!";
};
};
---------

Unfortunately, I'm far from a Perl expert, so I can't really debug
this code... The above configuration file seems to work only for the
last rule - is this really true?

text-dude

May 10, 2008, 8:29:03 PM5/10/08
to grok-users
On May 11, 2:22 am, text-dude <newsbo...@gmail.com> wrote:
> Dear author/someone,
>
> I downloaded grok because I have an ssh-server running and I made a
> Python script that pops up every time 1) a user tries to hack me or 2)
> a user logs in.

Sorry, no problem... This is the right syntax:

file "/var/log/secure.log" {
type "correct login" {
match = "Accepted keyboard-interactive/pam for";
threshold = 0;
interval = 100;
reaction = "info_dialog.py USER_LOGGED_IN_WITH_SSH!";
};
type "bad password" {
match = "Failed keyboard-interactive/pam for";
threshold = 0;
interval = 100;
reaction = "info_dialog.py SSH_LOGIN_WRONG_PASSWORD_VAR_LOG_SECURE.LOG!";
};
};

That seems to work... Nice program, btw... I appreciate it... I just
have to see if I can learn some Perl...

Jordan Sissel

May 12, 2008, 12:50:23 PM5/12/08
to grok-...@googlegroups.com

Glad you could get it working :)

For what it's worth, the Perl version of grok will be going away. I'm
working on a new version of grok that will provide language bindings
for Python (and possibly other languages).

The config file syntax will not change much, so old configs should
(hopefully) still work in the new version, when it gets written.

-Jordan

text-dude

May 13, 2008, 7:20:04 AM5/13/08
to grok-users
On May 12, 6:50 pm, "Jordan Sissel" <psio...@gmail.com> wrote:
> On Sat, May 10, 2008 at 5:29 PM, text-dude <newsbo...@gmail.com> wrote:

> > That seems to work... Nice program, btw... I appreciate it... I just
> > have to see if I can learn some Perl...
>
> Glad you could get it working :)
>
> For what it's worth, the Perl version of grok will be going away. I'm
> working on a new version of grok that will provide language bindings
> for Python (and possibly other languages).

Ok.

> The config file syntax will not change much, so old configs should
> (hopefully) still work in the new version, when it gets written.

Ok. I just have one small other problem:

My Python script pops up with a warning when somebody tries to hack me,
so if I (in a terminal/console window) write this:

root# info_dialog.py "hi there, man"

then the Python program takes the first argument and shows it
graphically using pythonw (with text = wx.StaticText(panel, -1,
sys.argv[1])), and because of the "-signs, the first argument is
"hi there, man" instead of just "hi". So using "-signs allows me to
have spaces and put everything into the first argument, which pythonw
reads and displays...

So in the reaction line I wrote:

reaction = "info_dialog.py \"SSH LOGIN\" !"

with a backslash before the "-signs, but the Python script only sees the
word "SSH" as the first argument... If I could get the program to
understand spaces, I could perhaps use these lines in my log file:

May 11 02:43:13 Apple sshd[2050]: Accepted keyboard-interactive/pam for mac from 192.38.95.23 port 38839 ssh2
May 11 16:35:11 Apple sshd[2550]: Failed keyboard-interactive/pam for invalid user root from 192.168.1.100 port 52828 ssh2

to get this behaviour (this is what I would type in a terminal window):

root# info_dialog.py "Successful ssh-login by (user) from (IP-address)"

root# info_dialog.py "Failed ssh-login by (user) from (IP-address)"

where (user) and (IP-address) would perhaps be inserted by grok...

Is this behaviour possible? I would like to learn Perl some day, but I
have a lot of other things to do at the moment, so until now I just live
with the underscore solution and no info about which user/IP is being
used when logging in/hacking...

Jordan Sissel

May 13, 2008, 12:32:35 PM5/13/08
to grok-...@googlegroups.com

If you posted your code I might be able to help better.

Are you saying doing the following works as you expect?
info_dialog.py "foo bar baz"

But doing the same in grok.conf fails?
reaction = 'info_dialog.py "foo bar baz"'; ?

-Jordan

text-dude

May 13, 2008, 2:41:44 PM5/13/08
to grok-users
On May 13, 6:32 pm, "Jordan Sissel" <psio...@gmail.com> wrote:
> On Tue, May 13, 2008 at 4:20 AM, text-dude <newsbo...@gmail.com> wrote:
...

> > root# info_dialog.py "Successful ssh-login by (user) from (IP-
> > address)"
>
> > root# info_dialog.py "Failed ssh-login by (user) from (IP-address)"
>
> If you posted your code I might be able to help better.

Ok:

-----------------------------------
root# cat `which info_dialog.py`
#!/usr/bin/pythonw

import wx
import sys
import time


class MyFrame(wx.Frame):
    """
    This is MyFrame. It just shows a few controls on a wxPanel,
    and has a simple menu.
    """
    def __init__(self, parent, title):
        wx.Frame.__init__(self, parent, -1, title,
                          pos=(150, 150), size=(550, 200))

        # Now create the Panel to put the other controls on.
        panel = wx.Panel(self)

        # and a few controls; the message to display is the first
        # command-line argument
        if len(sys.argv) <= 1:
            print 'Use 1 command line argument!'
            time.sleep(2)
            sys.exit()
        text = wx.StaticText(panel, -1, sys.argv[1])
        text.SetFont(wx.Font(14, wx.SWISS, wx.NORMAL, wx.BOLD))
        text.SetSize(text.GetBestSize())

        btn = wx.Button(panel, -1, "Close")

        # bind the button events to handlers
        self.Bind(wx.EVT_BUTTON, self.OnTimeToClose, btn)

        # Use a sizer to layout the controls, stacked vertically and with
        # a 10 pixel border around each
        sizer = wx.BoxSizer(wx.VERTICAL)
        sizer.Add(text, 0, wx.ALL, 10)
        sizer.Add(btn, 0, wx.ALL, 10)
        panel.SetSizer(sizer)
        panel.Layout()

    def OnTimeToClose(self, evt):
        """Event handler for the button click."""
        self.Close()


class MyApp(wx.App):
    def OnInit(self):
        frame = MyFrame(None, "Simple wxPython App")
        self.SetTopWindow(frame)

        frame.Show(True)
        return True


app = MyApp(redirect=True)
app.MainLoop()
-----------------------------------


> Are you saying doing the following works as you expect?
> info_dialog.py "foo bar baz"
>
> But doing the same in grok.conf fails?
> reaction = 'info_dialog.py "foo bar baz"'; ?

Ah, great suggestion... It partly works... This is my config file:

--------------------------
file "/var/log/secure.log" {
type "correct login valid user" {
match = "Accepted keyboard-interactive/pam for %USER% from %IP%";
threshold = 0;
interval = 100;
reaction = 'info_dialog.py "SSH: %USER% LOGGED IN FROM %IP%!"';
};
type "bad password valid user" {
match = "Failed keyboard-interactive/pam for %USER% from %IP%";
threshold = 0;
interval = 100;
reaction = 'info_dialog.py "SSH: WRONG PASSWORD FOR %USER% FROM %IP%!"';
};
type "INVALID user" {
match = "PAM: Authentication failure for illegal user %USER% from";
threshold = 0;
interval = 100;
reaction = 'info_dialog.py "SSH: INVALID USER %USER% HACKING?"';
};
};
--------------------------

The above works! But I don't understand why the last match doesn't
work if it instead says:

type "INVALID user" {
match = "PAM: Authentication failure for illegal user %USER% from %IP%";
threshold = 0;
interval = 100;
reaction = 'info_dialog.py "SSH: INVALID USER %USER% HACKING? FROM %IP%"';
};

Then no reaction appears for the last match....

I must be really stupid or else something is wrong. Log example:

----------------------------
May 11 02:06:36 Apple com.apple.SecurityServer: authinternal authenticated user macster (uid 502).
May 11 02:06:36 Apple com.apple.SecurityServer: Succeeded authorizing right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
May 11 02:06:36 Apple sshd[1748]: Accepted keyboard-interactive/pam for macster from 192.38.95.23 port 38045 ssh2
May 13 20:25:24 Apple sshd[4519]: error: PAM: Authentication failure for illegal user bg from localhost
May 13 20:25:24 Apple sshd[4519]: Failed keyboard-interactive/pam for invalid user bg from 127.0.0.1 port 59703 ssh2
May 13 20:26:04 Apple sshd[4531]: Invalid user bg from 127.0.0.1
May 13 20:26:04 Apple sshd[4531]: Failed none for invalid user bg from 127.0.0.1 port 59705 ssh2
May 13 20:26:05 Apple com.apple.SecurityServer: authinternal failed to authenticate user bg.
May 13 20:26:05 Apple com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
May 13 20:26:05 Apple sshd[4531]: error: PAM: Authentication failure for illegal user bg from localhost
May 13 20:26:05 Apple sshd[4531]: Failed keyboard-interactive/pam for invalid user bg from 127.0.0.1 port 59705 ssh2
May 13 20:28:03 Apple sshd[4535]: error: ssh_msg_send: write
May 13 20:28:03 Apple sshd[4535]: error: ssh_msg_send: write
May 13 20:28:03 Apple sshd[4535]: error: ssh_msg_send: write
May 13 20:30:36 Apple sshd[4541]: Invalid user bg from 127.0.0.1
May 13 20:30:36 Apple sshd[4541]: Failed none for invalid user bg from 127.0.0.1 port 59717 ssh2
May 13 20:30:37 Apple com.apple.SecurityServer: authinternal failed to authenticate user bg.
May 13 20:30:37 Apple com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
May 13 20:30:37 Apple sshd[4541]: error: PAM: Authentication failure for illegal user bg from localhost
May 13 20:30:37 Apple sshd[4541]: Failed keyboard-interactive/pam for invalid user bg from 127.0.0.1 port 59717 ssh2
----------------------------

Can %IP% understand "localhost" instead of a number? Anything else
that could be wrong? Hmmm... I also tried to use %IP_first%,
%IP_second% and %IP_third% in case grok wanted that... But no
luck... Hmmm...

Oh well - in all cases everything works, except that I don't
get the IP address for the last match/case...



Jordan Sissel

May 13, 2008, 3:13:21 PM5/13/08
to grok-...@googlegroups.com

You probably want %IPORHOST% instead of %IP%.

-Jordan
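As an added illustration of why the third rule only fails with %IP% (example code written for this thread, not grok's own implementation): a small Python re-implementation of the three placeholders, run over the log lines quoted above, that returns the argv the reaction would be started with. The placeholder regexes, the %NAME% substitution into the reaction and the shell-style splitting of the command are assumptions about grok's behaviour, not taken from its source.

```python
import re
import shlex

# Approximate regexes for the grok placeholders used in the thread
# (assumed here; grok's own pattern library may differ).
PATTERNS = {
    "USER": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "IPORHOST": r"(?:(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+)",
}
PLACEHOLDER = re.compile(r"%([A-Z]+)%")


def compile_match(match):
    """Turn a grok-style match string into a regex with one named group
    per %NAME% placeholder; the text between placeholders is literal."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(match):
        parts.append(re.escape(match[pos:m.start()]))
        parts.append("(?P<%s>%s)" % (m.group(1), PATTERNS[m.group(1)]))
        pos = m.end()
    parts.append(re.escape(match[pos:]))
    return re.compile("".join(parts))


def run_rule(match, reaction, line):
    """Return the argv the reaction would get for `line`, or None when the
    match fails. Substituting captured fields into the reaction and then
    splitting it shell-style is an assumption about grok, not a fact."""
    m = compile_match(match).search(line)
    if m is None:
        return None
    fields = m.groupdict()
    cmd = PLACEHOLDER.sub(lambda p: fields.get(p.group(1), p.group(0)), reaction)
    return shlex.split(cmd)


# Two of the log lines quoted in the thread above.
ACCEPTED = ("May 11 02:06:36 Apple sshd[1748]: Accepted keyboard-interactive/pam "
            "for macster from 192.38.95.23 port 38045 ssh2")
PAM_FAIL = ("May 13 20:25:24 Apple sshd[4519]: error: PAM: Authentication failure "
            "for illegal user bg from localhost")

if __name__ == "__main__":
    print(run_rule("Accepted keyboard-interactive/pam for %USER% from %IP%",
                   'info_dialog.py "SSH: %USER% LOGGED IN FROM %IP%!"', ACCEPTED))
    # %IP% only matches a dotted quad, so "localhost" makes the rule fail...
    print(run_rule("PAM: Authentication failure for illegal user %USER% from %IP%",
                   'info_dialog.py "SSH: INVALID USER %USER% HACKING? FROM %IP%"', PAM_FAIL))
    # ...while %IPORHOST% also accepts a hostname.
    print(run_rule("PAM: Authentication failure for illegal user %USER% from %IPORHOST%",
                   'info_dialog.py "SSH: INVALID USER %USER% HACKING? FROM %IPORHOST%"', PAM_FAIL))
```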

text-dude

May 13, 2008, 8:45:56 PM5/13/08
to grok-users
On May 13, 9:13 pm, "Jordan Sissel" <psio...@gmail.com> wrote:
> On Tue, May 13, 2008 at 11:41 AM, text-dude <newsbo...@gmail.com> wrote:
....
You're right.... THANKS!

But I just don't understand why the problem was only seen in the 3rd
kind of match... When I have %IPORHOST% everywhere, everything seems to
work...

Great tool, by the way... It's cool to be able to monitor these log
files in real time without having to worry whether strange things happen!
