Open jrossi opened 10 years ago
FYI, we do have same_source_ip, same_user and same_location. But some of the others you mentioned such as same_subject would be useful.
Note: This comment has been automatically migrated from Bitbucket Created by mstarks01 on 2013-12-19 17:42:09+00:00
Thanks. I wasn't aware of "same_user"; it's not documented on the Rules Syntax page on ossec.net.
Note: This comment has been automatically migrated from Bitbucket Created by chris_hembrow on 2013-12-20 09:01:44+00:00
Rules support the "same_source_port", "same_dst_port" and "same_location". This should be extended to cover the other decoded fields, in particular "srcip", "user", "action" and "status". This would allow for more options when looking for events by frequency.
For example, as we have a relatively large user base, we see a significant volume of failed logins in short time periods. If it were possible to use "same_user" as part of a rule, it should be possible to identify brute force attempts.
This could also facilitate looking for bulk phishing attacks by looking at SMTP logs, as discussed here - https://groups.google.com/forum/#!topic/ossec-list/GCkyMeJsCtU
Note: This issue has been automatically migrated from Bitbucket Created by chris_hembrow on 2013-12-18 16:54:13+00:00, last updated: 2014-01-06 18:06:38+00:00
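As an added example (not from this issue or from OSSEC's shipped rule set), the following local rule uses the same_user option jrossi mentions together with frequency and timeframe to flag repeated authentication failures against one account, the brute-force case chris_hembrow describes; the rule id, level and thresholds are constructed placeholders and assume a parent rule that populates the built-in authentication_failed group.

```xml
<!-- Constructed example for local_rules.xml; rule id 100100 and the
     frequency/timeframe values are placeholders, not OSSEC defaults. -->
<group name="local,syslog,">

  <!-- Fire when the same decoded user accumulates many failed logins
       inside the window, regardless of which source IP each came from.
       This is the gap a purely same_source_ip rule leaves open when a
       single account is targeted from many addresses. -->
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_user />
    <description>Multiple authentication failures for the same user (possible brute force).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Tune frequency and timeframe against your own failed-login baseline before raising the level; at high volume a tight window is what separates an attack on one account from ordinary user error.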