;# Copyright (C) 2005 by Gottfried Rudorfer
;#
;# 3422 Greifenstein, Austria
;# office@rudorfer.co.at
;# http://rudorfer.homedns.org/eaud/
;#
;# Permission to use, copy, modify, and distribute this software and its
;# documentation for any purpose and without fee is hereby granted, provided
;# that the above copyright notice appears in all copies and that both that
;# copyright notice and this permission notice appear in all supporting
;# documentation. This software is provided "as is" without expressed or
;# implied warranty.
;#
;# Date: Sun, Oct 30 2005
;# Author: Gottfried Rudorfer
;#
;-------------------------------------------------------------------------------------
;
; Purpose of this rule file: watch httpd/PAM login messages and keep a small
; per-%Location%/%User% state in the internal key
; _$PIDHTTPFailedLogin_%Location%_%User%, so that a successful login can be
; reported differently depending on whether a failed attempt preceded it.
;
; For this to work correctly the following SYSLOG.MP-settings before the definition of GENERAL_NO_SRC are necessary:
;
; NOTE(review): the Regex and AddToken1 lines below look truncated where field
; placeholders once stood (between "failure\;" and "->", and between "from"
; and "as" -- the example log lines still show the values there). This is
; probably an artifact of text extraction; compare with the original
; SYSLOG.MP before reusing these settings.
;
;; Nov 02 11:33:32 server httpd: PAM_httpd: authentication failure; root(uid=65534) -> admin for httpd service
; HTTP_FAILURE_PAM
; {
; Name = HTTP_FAILURE_PAM
; KeyVal = GENERAL%%httpd
; Type = RECORD
; Regex = PAM_httpd\: authentication failure\; -> for httpd service
; Key = HTTP_FAILURE_PAM
; ReplaceSpace = TRUE
; Process
; {
; format = .*
; }
; AddToken1 = Info:PAM_httpd: authentication failure\; -> for httpd service
; }
;
;; Nov 02 11:33:32 server httpd: HTTP login from 192.168.0.1 as admin
; HTTP_OK_PAM
; {
; Name = HTTP_OK_PAM
; KeyVal = GENERAL%%httpd
; Type = RECORD
; Regex = HTTP login from as
; Key = HTTP_OK_PAM
; ReplaceSpace = TRUE
; From
; {
; format = [a-zA-Z0-9_\.\-]*
; }
; AddToken1 = Info:HTTP login from as
; }
;
; RuleFailed: a PAM authentication failure for a Location/User pair.
; "Exclude ... exists" reads as: skip when the state key already exists, so
; only the first failure in a window creates the key; it is marked "Failure",
; severity 2, and set to expire after 6 (the time unit of ExpireIn is not
; stated in this file). No NewEvent is issued here, so the failure itself is
; only surfaced via Notify(1) (semantics not visible here) and the key.
; Because later failures are skipped and nothing is incremented, no attempt
; counter exists: one failure and many failures look the same to the rules
; below. If a count or escalation is wanted, it has to be added explicitly.
Rule RuleFailed
Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% exists
Exclude Int Info Not ~ "httpd: authentication failure"
Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% ExpireIn(6) Notify(1)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Failure")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (2)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (2)
;-------------------------------------------------------------------------------------
; RuleRetry: a successful "HTTP login from" while the key exists and carries
; "Failure" -> relabel it "Retry", severity 1, and emit an event. This is the
; detection of interest: a success following a failure inside the expiry
; window (could be credential guessing, could be a mistyped password -- the
; rule cannot tell, and the missing attempt count above means it cannot be
; thresholded). If the "Failure" key expired before the success arrived, the
; login is handled by RuleLogonOK instead, so the ExpireIn value above bounds
; how long a failure remains linked to a later success.
Rule RuleRetry
Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% Not exists
Exclude Int SummaryInfo Not ~ "Failure"
Exclude Int Info Not ~ "HTTP login from"
Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Retry")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (1)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (1)
Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%
;-------------------------------------------------------------------------------------
; RuleLogonOK: a successful login with no prior failure state (key absent,
; summary neither "Retry" nor "Failure") -> "Logon ok", severity 0, and an
; event so that every successful login is still recorded. RI_Severity (26)
; differs from the 1/2 used above; its meaning is not stated in this file.
Rule RuleLogonOK
Exclude Int _$PIDHTTPFailedLogin_%Location%_%User% exists
Exclude Int SummaryInfo ~ "Retry"
Exclude Int SummaryInfo ~ "Failure"
Exclude Int Info Not ~ "HTTP login from"
Do Int Define _$PIDHTTPFailedLogin_%Location%_%User%
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% SummaryInfo ("Logon ok")
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% RI_Severity (26)
Do Int Set _$PIDHTTPFailedLogin_%Location%_%User% Severity (0)
Do Int NewEvent _$PIDHTTPFailedLogin_%Location%_%User%
;-------------------------------------------------------------------------------------
; Display: once a SummaryInfo has been produced, delete the internal key so
; the next login for that Location/User starts from a clean state. This
; presumably relies on being evaluated after the three rules above -- verify
; the tool's rule ordering if rules are added or reordered.
Rule Display
Include Int SummaryInfo exists
Do Int Delete _$PIDHTTPFailedLogin_%Location%_%User%
SCRIPT_ACTION