The rule when the user's login failed does not match in some cases #228

bah07 · 2018-11-02T15:30:02Z

When trying to establish an ssh connection to a machine the password can be failed up to 3 times. The log that appears for the 2nd and 3rd time is different from that of the first time.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1

The match field for rule 5503 is authentication failure; logname= so it would only match the first event, discarding the following two. It is necessary for this rule to match both cases.

The text was updated successfully, but these errors were encountered:

bah07 added the bug label Nov 2, 2018

bah07 added this to To do in Wazuh 3.7 via automation Nov 2, 2018

DanielMorLoz assigned DanielMorLoz and unassigned DanielMorLoz Feb 22, 2019

Lopuiz self-assigned this Mar 11, 2019

Lopuiz removed this from To do in Wazuh 3.7 Mar 11, 2019

Lopuiz added this to To do in Wazuh 4.0.0 via automation Mar 11, 2019

Lopuiz moved this from To do to In progress in Wazuh 4.0.0 Mar 11, 2019

Lopuiz removed their assignment Mar 15, 2019

albertomn86 moved this from In progress to To do in Wazuh 4.0.0 Mar 20, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The rule when the user's login failed does not match in some cases #228

The rule when the user's login failed does not match in some cases #228

bah07 commented Nov 2, 2018

The rule when the user's login failed does not match in some cases #228

The rule when the user's login failed does not match in some cases #228

Comments

bah07 commented Nov 2, 2018