Hello List, I have added Dovecot support and was hoping for some help testing it out. The decoder and rules should support most, if not all, versions of Dovecot in both the Dovecot native log and syslog format. But maybe there are versions that output logs with slight differences that the decoder or rules don't catch. Here's how to implement:
1. Open the dovecot_decoder_0.1.xml file and append it to your local_decoder.xml file. Something like this ought to work (untested; pay attention to the OSSEC path):

       cat dovecot_decoder_0.1.xml >> /var/ossec/etc/local_decoder.xml

   This may create a local_decoder.xml if you don't already have one, so watch the permissions. They should look like this:

       -r--r----- 1 root ossec 5104 Jun 29 12:50 etc/local_decoder.xml

2. Next, copy the dovecot_rules_beta_0.1.xml file to the rules directory:

       cp dovecot_rules_beta_0.1.xml /var/ossec/rules

   Again, make sure the permissions look good. They should look like this (watch for wrapping):

       -r-xr-x--- 1 root ossec 2026 Jun 29 12:36 rules/dovecot_rules_beta_0.1.xml

3. Add the dovecot_rules_beta_0.1.xml line to your ossec.conf file under the rules section. It should look like this:

       <include>dovecot_rules_beta_0.1.xml</include>

4. Finally, restart OSSEC:

       /var/ossec/bin/ossec-control restart

Note that I use a rule ID range starting at 100,500. This shouldn't conflict with most people's local rules, but if you already have rules in that range you'll need to adjust accordingly. The rules and decoder are released under the terms of the GNU GPL v3. That's about it. Feedback is appreciated.
<!--
  Dovecot Decoder Beta 0.1
  Copyright (C) Michael Starks 2009
  Will extract all fields possible, whenever possible (username, src IP, dst IP, etc).

  Sample log lines, in syslog format ("Mon DD HH:MM:SS host dovecot: ...")
  and in Dovecot's native log format ("dovecot: Mon DD HH:MM:SS Level: ..."):

  Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
  Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
  Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
  dovecot: Jun 23 15:04:05 Info: imap-login: Login: user=<username>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5

  Authentication Failure:
  Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql([email protected],1.2.3.4): Password mismatch
  dovecot: Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
  dovecot: Mar 13 15:25:07 Info: auth(default): pam([email protected],::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
  dovecot: Mar 13 15:25:07 Info: auth(default): passwd-file([email protected],::ffff:1.2.3.4): unknown user
  Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
  Jan 11 03:42:09 hostname dovecot: auth(default): pam([email protected],1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module

  Disconnects and aborted logins:
  Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
  dovecot: Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
  dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
  Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
-->

<!-- Syslog format: the syslog header has already been stripped and the program name is "dovecot" -->
<decoder name="dovecot">
  <program_name>^dovecot</program_name>
</decoder>

<!-- Native format: the whole line starts with "dovecot: <timestamp> <level>: ".
     The level is captured (parentheses are required for <order> to receive it) and stored in extra_data. -->
<decoder name="dovecot">
  <prematch>^dovecot: \w\w\w \d\d \d\d:\d\d:\d\d </prematch>
  <regex offset="after_prematch">^(Info): |(Warn): |(Err): |(Crit): </regex>
  <order>extra_data</order>
</decoder>

<!-- imap-login/pop3-login "Login:" lines. The first alternative handles IPv4-mapped (::ffff:) addresses
     with a trailing flag such as "secured", which lands in the protocol field; the second handles plain IPv4. -->
<decoder name="dovecot-success">
  <parent>dovecot</parent>
  <prematch offset="after_parent">\w\w\w\w-login: Login: </prematch>
  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+), (\S+)$|</regex>
  <regex>^user=\p(\S+)\p, method=\S+, rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip, dstip, protocol</order>
</decoder>

<!-- "Aborted login" lines, with or without the "(N authentication attempts)" count -->
<decoder name="dovecot-aborted">
  <parent>dovecot</parent>
  <prematch offset="after_parent">\w\w\w\w-login: Aborted login</prematch>
  <regex offset="after_prematch">^ \(\d+ authentication attempts\): user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)|</regex>
  <regex>^: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip, dstip</order>
</decoder>

<!-- Authentication failures from auth/auth-worker: "<passdb>(<user>,<ip>): <reason>" -->
<decoder name="dovecot-fail">
  <parent>dovecot</parent>
  <prematch offset="after_parent">auth\(default\): |auth-worker\(default\): </prematch>
  <regex offset="after_prematch">^\S+\((\S+),::ffff:(\d+.\d+.\d+.\d+)\):|</regex>
  <regex>^\S+\((\S+),(\d+.\d+.\d+.\d+)\)</regex>
  <order>user, srcip</order>
</decoder>

<!-- Login-process disconnects ("rip=..., lip=...") -->
<decoder name="dovecot-disconnect">
  <parent>dovecot</parent>
  <prematch offset="after_parent">\w\w\w\w-login: Disconnected: </prematch>
  <regex offset="after_prematch">^rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+)|^Logged out</regex>
  <order>srcip, dstip</order>
</decoder>

<!-- Session disconnects ("IMAP(user): Disconnected: ..."); only the user is captured -->
<decoder name="dovecot-disconnect2">
  <parent>dovecot</parent>
  <regex offset="after_parent">\w\w\w\w\((\S+)\): Disconnected</regex>
  <order>user</order>
</decoder>
<!-- Copyright (C) 2009 Michael Starks
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 3) as published by the FSF - Free Software
  -  Foundation.
-->

<!-- Dovecot Rules Beta 0.1 -->
<group name="dovecot,">

  <rule id="100500" level="0">
    <decoded_as>dovecot</decoded_as>
    <description>Dovecot Messages Grouped</description>
  </rule>

  <rule id="100501" level="3">
    <if_sid>100500</if_sid>
    <match>-login: Login: </match>
    <description>Dovecot Authentication Success</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100502" level="5">
    <if_sid>100500</if_sid>
    <match>Password mismatch$</match>
    <description>Dovecot Authentication Failed</description>
    <group>authentication_failed,dovecot_authentication_failed,</group>
  </rule>

  <rule id="100503" level="3">
    <if_sid>100500</if_sid>
    <match>starting up</match>
    <description>Dovecot is Starting Up</description>
  </rule>

  <rule id="100504" level="2">
    <if_sid>100500</if_sid>
    <match>^Fatal: </match>
    <options>alert_by_email</options>
    <description>Dovecot Fatal Failure</description>
  </rule>

  <rule id="100505" level="5">
    <if_sid>100500</if_sid>
    <match>user not found|User not known|unknown user</match>
    <description>Dovecot Invalid User Login Attempt</description>
    <group>invalid_login,dovecot_authentication_failed,</group>
  </rule>

  <rule id="100506" level="5">
    <if_sid>100500</if_sid>
    <match>: Disconnected: </match>
    <description>Dovecot Session Disconnected</description>
  </rule>

  <rule id="100507" level="5">
    <if_sid>100500</if_sid>
    <match>: Aborted login</match>
    <description>Dovecot Aborted Login</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Composite rules -->
  <rule id="100508" level="10" frequency="6" timeframe="120">
    <if_matched_group>dovecot_authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Dovecot Multiple Authentication Failures</description>
    <group>attack,authentication_failures,</group>
  </rule>

</group>
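The following is an added illustration and is not code from the post or from OSSEC: a small Python model of what the decoder and rules above are meant to do, run over constructed sample lines patterned on the ones in the decoder's comment header (host "mail", users alice/bob/mallory and the addresses 1.2.3.4 and 5.6.7.8 are made up). It assumes Python's `re` as a stand-in for OSSEC's own regex dialect and evaluates sibling rules highest level first, stopping at the first match, which is a simplification of OSSEC's ordering. The point it shows that the XML alone does not is how rules 100502 and 100505 feed the composite rule 100508 through the `dovecot_authentication_failed` group: six failures from one source address inside 120 seconds produce the level-10 alert.

```python
"""Python model of the Dovecot decoder and rules above (added illustration,
not OSSEC code: OSSEC has its own regex dialect and rule ordering, so this
only mirrors the XML's intent). All sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Two input shapes: syslog ("Jun 23 15:04:05 host dovecot[pid]: msg") and
# Dovecot's native log ("dovecot: Jun 23 15:04:05 Info: msg").
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot(?:\[\d+\])?: (?P<msg>.*)$")
NATIVE_RE = re.compile(r"^dovecot: (?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?:Info|Warn|Err|Crit): (?P<msg>.*)$")

def ip(name):  # Dovecot logs IPv4 either bare or as an IPv4-mapped ::ffff: address
    return r"(?:::ffff:)?(?P<%s>\d+\.\d+\.\d+\.\d+)" % name

# Child decoders, named as in the XML, tried in order against the message part.
DECODERS = [
    ("dovecot-success", re.compile(r"^\w{4}-login: Login: user=<(?P<user>[^>]+)>, method=\S+, rip="
                                   + ip("srcip") + r", lip=" + ip("dstip") + r"(?:, (?P<protocol>\S+))?$")),
    ("dovecot-aborted", re.compile(r"^\w{4}-login: Aborted login(?: \(\d+ authentication attempts\))?: "
                                   r"user=<(?P<user>[^>]+)>, method=\S+, rip=" + ip("srcip") + r", lip=" + ip("dstip"))),
    ("dovecot-fail", re.compile(r"^auth(?:-worker)?\(default\): \S+?\((?P<user>[^,]+)," + ip("srcip") + r"\)")),
    ("dovecot-disconnect", re.compile(r"^\w{4}-login: Disconnected: rip=" + ip("srcip") + r", lip=" + ip("dstip"))),
    ("dovecot-disconnect2", re.compile(r"^\w{4}\((?P<user>[^)]+)\): Disconnected")),
]

# (rule id, level, <match> pattern, groups), highest level first; the first
# pattern that matches wins (simplification of OSSEC's rule ordering).
RULES = sorted([
    (100501, 3, re.compile(r"-login: Login: "), {"authentication_success"}),
    (100502, 5, re.compile(r"Password mismatch$"), {"authentication_failed", "dovecot_authentication_failed"}),
    (100503, 3, re.compile(r"starting up"), set()),
    (100504, 2, re.compile(r"^Fatal: "), set()),
    (100505, 5, re.compile(r"user not found|User not known|unknown user"), {"invalid_login", "dovecot_authentication_failed"}),
    (100506, 5, re.compile(r": Disconnected: "), set()),
    (100507, 5, re.compile(r": Aborted login"), {"invalid_login"}),
], key=lambda r: -r[1])

def decode(line):
    """Return the decoded event (ts, msg, decoder name, captured fields) or None."""
    m = SYSLOG_RE.match(line) or NATIVE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")  # year is irrelevant for deltas
    ev = {"ts": ts, "msg": m.group("msg"), "decoder": "dovecot"}
    for name, rx in DECODERS:
        d = rx.match(ev["msg"])
        if d:
            ev["decoder"] = name
            ev.update({k: v for k, v in d.groupdict().items() if v})
            break
    return ev

def match_rule(msg):
    return next((r for r in RULES if r[2].search(msg)), None)

class FailureTracker:
    """Rule 100508: frequency 6 within timeframe 120 s, same source IP."""
    def __init__(self, frequency=6, timeframe=120):
        self.frequency, self.timeframe, self.seen = frequency, timeframe, defaultdict(deque)

    def feed(self, srcip, ts):
        q = self.seen[srcip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.timeframe:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one composite alert per burst
            return True
        return False

def process(lines):
    """Run lines through decoder and rules; return the alerts in order."""
    tracker, alerts = FailureTracker(), []
    for line in lines:
        ev = decode(line)
        rule = match_rule(ev["msg"]) if ev else None
        if rule is None:
            continue
        rid, level, _, groups = rule
        alerts.append({"rule": rid, "level": level, **{k: ev[k] for k in ("user", "srcip", "dstip") if k in ev}})
        if "dovecot_authentication_failed" in groups and "srcip" in ev and tracker.feed(ev["srcip"], ev["ts"]):
            alerts.append({"rule": 100508, "level": 10, "srcip": ev["srcip"]})
    return alerts

# Constructed sample lines, patterned on the decoder's comment header.
SAMPLE_LOG = [
    "Jun 23 15:04:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5",
    "dovecot: Jun 23 15:04:06 Info: IMAP(alice): Disconnected: Logged out bytes=59/566",
    "Jul  4 17:30:51 mail dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5",
    "dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): "
    "user=<bob>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured",
    "Jan 11 03:42:09 mail dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'",
] + [  # six failures from 5.6.7.8 within 81 seconds: rule 100508 fires on the sixth
    "Jan 11 03:42:%02d mail dovecot: auth-worker(default): sql(alice,5.6.7.8): Password mismatch" % s
    for s in (9, 20, 31, 42)
] + [
    "dovecot: Jan 11 03:43:05 Warn: auth(default): userdb(mallory,::ffff:5.6.7.8): user not found from userdb",
    "Jan 11 03:43:30 mail dovecot: auth(default): pam(mallory@example.com,5.6.7.8): pam_authenticate() failed: "
    "User not known to the underlying authentication module",
]

if __name__ == "__main__":
    for alert in process(SAMPLE_LOG):
        print(alert)
```

Against the real installation the equivalent check is `/var/ossec/bin/ossec-logtest`: paste one of the sample lines from the decoder header on its stdin and it prints which decoder matched, the fields it extracted and the rule that fired, which is how to spot a Dovecot version whose output the regexes do not catch.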
