;# Copyright (C) 2005 by Gottfried Rudorfer
;#
;# 3422 Greifenstein, Austria
;# office@rudorfer.co.at
;# http://rudorfer.homedns.org/eaud/
;#
;# Permission to use, copy, modify, and distribute this software and its
;# documentation for any purpose and without fee is hereby granted, provided
;# that the above copyright notice appears in all copies and that both that
;# copyright notice and this permission notice appear in all supporting
;# documentation. This software is provided "as is" without expressed or
;# implied warranty.
;#
;# Date: Sun, Oct 30 2005
;# Author: Gottfried Rudorfer
;#
;# Purpose: correlate SSH password-login messages. A state variable keyed on
;# %Location% and %Src% labels each event as "Failure", "Retry" (an accepted
;# password while a failure state exists) or "Logon ok" (an accepted password
;# with no failure state).
;#
;# NOTE(review): only Info lines starting with "Failed password" or
;# "Accepted password" are matched, so other authentication methods are not
;# covered by these rules.
;# NOTE(review): no user-name placeholder is visible in the state key, so a
;# failure for one account followed by a success for another from the same
;# %Src% would presumably be labelled "Retry" -- confirm what %Src% expands to.
;-------------------------------------------------------------------------------------
;# RuleFailed: on a "Failed password" line, create the failure state.
Rule RuleFailed
;# Skipped while the state variable already exists, so further failures for the
;# same key neither re-arm nor count. NOTE(review): no counter or threshold is
;# visible here -- confirm this is intended for repeated-failure detection.
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int Info Not ~ "^Failed password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
;# ExpireIn(60): the unit is not shown in this file (presumably seconds) -- confirm.
;# This rule has no NewEvent; presumably Notify(1) reports the state when it
;# expires -- confirm against the engine documentation.
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% ExpireIn(60) Notify(1)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Failure")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (2)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (2)
;-------------------------------------------------------------------------------------
;# RuleRetry: an "Accepted password" line while a "Failure" state exists for the
;# same key is relabelled "Retry" and emitted as a new event.
Rule RuleRetry
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% Not exists
Exclude Int SummaryInfo Not ~ "Failure"
Exclude Int Info Not ~ "^Accepted password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Retry")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (25)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (1)
Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%
;-------------------------------------------------------------------------------------
;# RuleLogonOK: an "Accepted password" line with no existing state, and with
;# SummaryInfo matching neither "Retry" nor "Failure", is labelled "Logon ok"
;# and emitted as a new event.
Rule RuleLogonOK
Exclude Int _$PIDSSHFailedLogin_%Location%_%Src% exists
Exclude Int SummaryInfo ~ "Retry"
Exclude Int SummaryInfo ~ "Failure"
Exclude Int Info Not ~ "^Accepted password"
Do Int Define _$PIDSSHFailedLogin_%Location%_%Src%
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% SummaryInfo ("Logon ok")
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% RI_Severity (26)
Do Int Set _$PIDSSHFailedLogin_%Location%_%Src% Severity (0)
Do Int NewEvent _$PIDSSHFailedLogin_%Location%_%Src%
;-------------------------------------------------------------------------------------
;# Display: applies when SummaryInfo exists; deletes the state variable so the
;# next login from the same key starts clean.
;# NOTE(review): SCRIPT_ACTION looks like a placeholder substituted by the
;# deployment tooling -- confirm; nothing in this file defines it.
Rule Display
Include Int SummaryInfo exists
Do Int Delete _$PIDSSHFailedLogin_%Location%_%Src%
SCRIPT_ACTION