| 1 | # Invalid SSH Login Attempts |
|---|
| 2 | watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/ |
|---|
| 3 | threshold track_by=$4, type=limit, count=10, seconds=600 |
|---|
| 4 | mail=monitoring,subject=SSH dictionary attack |
|---|
| 5 | |
|---|
| 6 | watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/ |
|---|
| 7 | threshold track_by=$4, type=limit, count=10, seconds=600 |
|---|
| 8 | mail=monitoring,subject=SSH brute force attempt |
|---|
| 9 | |
|---|
| 10 | # Cisco config |
|---|
| 11 | watchfor /SYS-5-CONFIG_I: Configured from (.*) by (.*) on (.*) (\(.*\))$/ |
|---|
| 12 | mail=monitoring,subject=Router config by $2 from $4 |
|---|
| 13 | |
|---|
| 14 | # Denied AXFRs |
|---|
| 15 | watchfor /client ([0-9.:]+)\D\d+: zone transfer '(.*)\/.XFR\/IN' denied$/ |
|---|
| 16 | mail=monitoring,subject=Denied AXFR for zone '$2' from $1 |
|---|
| 17 | throttle threshold=3,delay=0:1:0,key=$1 |
|---|
| 18 | threshold track_by=$1, type=limit, count=10, seconds=600 |
|---|
| 19 | |
|---|
| 20 | # Portscan and/or sensitive port attempts |
|---|
| 21 | watchfor /SEC-6-IPACCESSLOGP: list \d+ (permitted|denied) (tcp|udp) ([a-fA-F0-9.:]+)\((\d+)\) -> ([a-fA-F0-9.:]+)\((\d+)\), \d+ packet/ |
|---|
| 22 | mail=monitoring,subject=Attempt to connect to $2/$5:$6 from $3:$4 |
|---|
| 23 | threshold track_by=$3, type=limit, count=10, seconds=600 |
|---|
| 24 | |
|---|
