+++ /dev/null
-[sudo: all]
-log 1 pass = Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
-log 2 pass = Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
-log 3 pass = Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
-log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
-
-rule = 5403
-alert = 4
-decoder = sudo
-
-[Failed attempt to run sudo]
-log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
-
-rule = 5401
-alert = 5
-decoder = sudo
-
-[First time user executed sudo]
-log 1 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -
-
-rule = 5403
-alert = 4
-decoder = sudo
-
-[3 incorrect password attempts]
-log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
-
-rule = 5404
-alert = 10
-decoder = sudo
-
-[unauthorized user]
-log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls
-
-rule = 5405
-alert = 5
-decoder = sudo
-