Warning of successful login after failed logins


Rob Kooper

Nov 30, 2009, 2:12:51 PM
to ossec...@googlegroups.com
Right now OSSEC is set up to send me a message when I have multiple
failed logins in a small period of time. This is nice, but what I
really want to see is if somebody has a successful login after failing
say 4 or 5 logins first. This way I can see if a brute force attack
eventually hit lucky.

Is there a way to set up a rule that says if failed logins and the
successful login then send email?

Rob

Jeremy Lee

Nov 30, 2009, 3:10:29 PM
to ossec...@googlegroups.com
I think this already exists:

Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."

Justin C. Klein Keane

Nov 30, 2009, 3:57:38 PM
to ossec...@googlegroups.com
Rule 40112 should fire on just this condition:

Rule: 40112 fired (level 12) -> "Multiple authentication failures
followed by a success."

Justin C. Klein Keane

Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)
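The correlation asked about in this thread (several failed logins from one source, then a success), sketched as an added example that is not part of the thread and is not OSSEC's implementation of rule 40112. The threshold of 4 failures, the 4-minute window, the OpenSSH password log format and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed parameters (not taken from OSSEC): failures required and how recent they must be.
THRESHOLD = 4
WINDOW = timedelta(minutes=4)

# OpenSSH-style syslog line; syslog carries no year, so the caller supplies one.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<res>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def correlate(lines, year=2009):
    """Return (timestamp, ip, user, failure_count) for every success preceded by
    at least THRESHOLD failures from the same source IP within WINDOW."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # expire failures that fell out of the window
        if m["res"] == "Failed":
            recent.append(ts)
        else:
            if len(recent) >= THRESHOLD:
                alerts.append((ts, m["ip"], m["user"], len(recent)))
            recent.clear()  # a success resets the count for this source
    return alerts

def _line(t, res, user, ip):
    # Builds one constructed sshd line (documentation-range IPs, not real data).
    return f"Nov 30 {t} host sshd[1]: {res} password for {user} from {ip} port 22 ssh2"

SAMPLE = (
    [_line(f"13:00:0{i}", "Failed", "root", "192.0.2.50") for i in range(4)]      # stale burst
    + [_line(f"14:00:0{i}", "Failed", "alice", "203.0.113.9") for i in range(5)]  # fresh burst
    + [_line("14:00:09", "Accepted", "alice", "203.0.113.9"),  # alert: 5 recent failures
       _line("14:01:00", "Failed", "ann", "198.51.100.7"),     # single typo
       _line("14:01:10", "Accepted", "ann", "198.51.100.7"),   # no alert
       _line("14:02:00", "Accepted", "root", "192.0.2.50")]    # no alert: failures expired
)

if __name__ == "__main__":
    for ts, ip, user, n in correlate(SAMPLE):
        print(f"{ts} {n} failures then success for {user} from {ip}")
```

Keying on source IP means a password-spraying source that rotates usernames is still counted; keying on the username instead would catch a distributed guess against one account.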