SecurityLogAnalysis is a network security demo that models a common way of looking for authentication alerts across three log sources (syslog, FTP authentication, and /var/log/secure). The example demonstrates the following kinds of alerts, all derived from runs of failed authentication events from one source.
Alert 1: five (5) failures that have:
The same source.
The same destination.
The same user name.
Generates a low priority alert. Somebody may have forgotten their password, or is trying to guess a password.
Alert 2: seven (7) or more failures that have:
The same source.
Different destinations.
The same user name.
Generates a low priority alert. Somebody may have forgotten the same password for multiple systems, or is trying to guess a password.
Alert 3: four (4) or more failures that have:
The same source.
The same or different destinations.
Different user names.
Generates a medium priority alert. Somebody is clearly trying to guess the user name and password.
Alert 4: three (3) or more failures that have:
The same source.
The same or different destinations.
Different user names.
Followed by one (1) successful authentication event that has:
The same source as before.
The same destination as before.
One of the user names tried before.
Generates a high priority alert. Somebody tried to guess the name and password, and has succeeded.
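The four rules above, as an added example (not code from the SecurityLogAnalysis demo itself): a small Python detector that replays constructed events of the form (source, destination, user, success) and raises the rule that each run of failures satisfies. It assumes one failure window per source that any successful login closes, raises each rule once per window, and reads rule 4's "same destination as before" as a destination seen in that source's earlier failures.

```python
from collections import defaultdict
# Constructed sample events, not from the project: (source, destination, user, success)
SAMPLE = [
    ("10.0.0.5", "web1", "alice", False),  # rule 4: 3 failures, different users, then success
    ("10.0.0.5", "web1", "bob", False),
    ("10.0.0.5", "db1", "carol", False),
    ("10.0.0.5", "web1", "bob", True),
    ("10.0.0.9", "web2", "dave", False),   # rule 1: five failures, same src/dst/user
    ("10.0.0.9", "web2", "dave", False),
    ("10.0.0.9", "web2", "dave", False),
    ("10.0.0.9", "web2", "dave", False),
    ("10.0.0.9", "web2", "dave", False),
]
# rule id -> (priority, minimum failures, users must differ?, destinations must differ?)
RULES = {1: ("low", 5, False, False),
         2: ("low", 7, False, True),
         3: ("medium", 4, True, None)}  # None: same or different destinations both qualify
def seen(prior):
    return {d for d, _ in prior}, {u for _, u in prior}  # distinct destinations, users

def evaluate(prior):
    """Rule ids (1-3) satisfied by one source's failure history [(destination, user), ...]."""
    dsts, users = seen(prior)
    hits = []
    for rid, (_, n, users_differ, dsts_differ) in RULES.items():
        if len(prior) < n or (len(users) > 1) != users_differ:
            continue
        if dsts_differ is not None and (len(dsts) > 1) != dsts_differ:
            continue
        hits.append(rid)
    return hits

def analyze(events):
    """Replay events in order; returns [(rule id, priority, source), ...]."""
    fails = defaultdict(list)  # source -> failures in the current window
    alerts = []
    for src, dst, user, ok in events:
        prior = fails[src]
        if ok:
            # Rule 4: 3+ failures, different users, then a success to a dst/user tried before
            dsts, users = seen(prior)
            if len(prior) >= 3 and len(users) > 1 and dst in dsts and user in users:
                alerts.append((4, "high", src))
            prior.clear()  # any success closes that source's window (assumption)
            continue
        before = set(evaluate(prior))
        prior.append((dst, user))
        for rid in sorted(set(evaluate(prior)) - before):  # raise each rule once
            alerts.append((rid, RULES[rid][0], src))
    return alerts
```

Running analyze(SAMPLE) yields a high alert for 10.0.0.5 (rule 4) and a low alert for 10.0.0.9 (rule 1); because the distinct-user and distinct-destination sets only grow within a window, a rule that has fired cannot become true again until a success resets that source.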