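# swatch (swatchdog) rule set.
# Each "watchfor" line is a Perl regex; $N in the action lines below it refers to
# capture group N of that regex.  "threshold" rate-limits the action per track_by
# key; "throttle" suppresses repeats for the same key for the given delay.
# NOTE(review): every mail subject below interpolates fields taken from the
# matched log line ($1, $2, $4 ...), i.e. from untrusted input.  Confirm how the
# swatch mail action quotes the subject before it is handed to the mailer.

# Invalid SSH Login Attempts
# $4 = source host of the attempt; matches are counted per host.
# NOTE(review): with type=limit swatch acts on each of the first 10 matches per
# host inside the 600 s window and then stays quiet until the window expires --
# that is up to 10 mails per host, not one alert once 10 failures are seen.  If
# one alert per attack is the intent, type=threshold is the swatch type for
# that; confirm against the swatch man page before changing it.
watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
        threshold track_by=$4, type=limit, count=10, seconds=600
        mail=monitoring,subject=SSH dictionary attack

# Failed SSH passwords for existing accounts.
# $2 = account (may itself read "invalid user NAME"), $4 = source host,
# $6 = source port.  Same per-host 10-in-600 s limit as above.
watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
        threshold track_by=$4, type=limit, count=10, seconds=600
        mail=monitoring,subject=SSH brute force attempt

# Cisco config
# IOS SYS-5-CONFIG_I: $2 = who made the change, $4 = parenthesised origin
# (the parentheses are part of the capture).  No threshold: every config
# change is mailed.
watchfor /SYS-5-CONFIG_I: Configured from (.*) by (.*) on (.*) (\(.*\))$/
        mail=monitoring,subject=Router config by $2 from $4

# Denied AXFRs
# BIND "zone transfer ... denied" lines.  $1 = client address (the \D\d+ skips
# the "#port" suffix), $2 = zone name.  ".XFR" matches both AXFR and IXFR.
# NOTE(review): this rule stacks two rate limiters on the same key -- throttle
# (after 3, hold for one minute) and threshold (first 10 per 600 s).  Confirm
# both are intended; the interaction is not obvious from the file.
watchfor /client ([0-9.:]+)\D\d+: zone transfer '(.*)\/.XFR\/IN' denied$/
        mail=monitoring,subject=Denied AXFR for zone '$2' from $1
        throttle threshold=3,delay=0:1:0,key=$1
        threshold track_by=$1, type=limit, count=10, seconds=600

# Portscan and/or sensitive port attempts
# IOS SEC-6-IPACCESSLOGP: $1 = permitted|denied, $2 = tcp|udp,
# $3:$4 = source address:port, $5:$6 = destination address:port.
# Matches are counted per source address ($3).  Note that "permitted" hits
# are reported too, so a noisy but legitimate client can also trip this.
watchfor /SEC-6-IPACCESSLOGP: list \d+ (permitted|denied) (tcp|udp) ([a-fA-F0-9.:]+)\((\d+)\) -> ([a-fA-F0-9.:]+)\((\d+)\), \d+ packet/
        mail=monitoring,subject=Attempt to connect to $2/$5:$6 from $3:$4
        threshold track_by=$3, type=limit, count=10, seconds=600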