dan (ddp) wrote:
> On Thu, Jan 21, 2010 at 11:14 AM, Dennis Golden
> <dgol...@golden-consulting.com> wrote:
>> I have discovered a serious problem with the subject rules. Here is the
>> result of running ossec-logtest:
>>
>> --
>> Dennis Golden
>> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
>> ossec-testrule: Type one log per line.
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>> hostname: 'dg-linux2'
>> program_name: 'sshd'
>> log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'sshd'
>> srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '5702'
>> Level: '5'
>> Description: 'Reverse lookup error (bad ISP or attack).'
>> **Alert to be generated.
>>
>> Needless to say, if active response tries to use the address that has
>> already failed, it will also fail; therefore, the attack can continue forever.
>>
>> Dennis
>> --
>> Golden Consulting Services, Inc.
>>
>
> Ok, this will require a little bit of surgery on the decoder.xml file.
> I'd rather not have to change it on my setups, but I'm not sure how to
> get around that here. This means you'll have to do a bit more work when
> it comes time to upgrade, unless we can get these decoders added to the
> decoder.xml file.
>
> In $OSSEC_HOME/etc/decoder.xml add the following ABOVE the
> <decoder name="ssh-reverse-mapping"> entry:
>
> <decoder name="ssh-reverse-mapping2">
>   <parent>sshd</parent>
>   <prematch>^reverse mapping checking getaddrinfo for \S+ [\d+.\d+.\d+.\d+] failed</prematch>
>   <regex offset="after_parent">reverse mapping checking getaddrinfo for \S+ [(\d+.\d+.\d+.\d+)] failed</regex>
>   <order>srcip</order>
> </decoder>
>
> If anyone else reading this has other variations on the above sample event,
> feel free to forward them on to me. I'll try to adjust decoders and submit
> them for inclusion.
>
> dan
>
I've already modified the decoder on my system so it works correctly; however, I don't know how to modify it to work with multiple formats of the syslog message.

Regards,
Dennis
--
Dennis Golden
Golden Consulting Services, Inc.
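The following is an added example, not code from this thread or from the OSSEC project. It replays the point of the exchange in Python: the decoder dan proposes is translated into a Python regular expression, placed ahead of a pattern that approximates what the shipped ssh-reverse-mapping decoder evidently captured (the srcip value in the ossec-logtest output above), and both are run over the quoted sshd message plus one constructed variant. The helper at the end checks whether the extracted srcip is an IP literal that an active response could actually act on. OSSEC's own regex dialect differs from Python's (it treats `[` literally), so the escaped brackets and dots are part of the translation, and the "old" pattern is an assumption about the original decoder's behaviour rather than its actual text.

```python
import ipaddress
import re

# Constructed sample events. The first reproduces the sshd message quoted in
# the thread (with the syslog header already stripped, as ossec-logtest shows
# it in the 'log:' field); the second is a constructed variant in which the
# peer has no reverse-DNS name, so the hostname slot holds the IP itself.
SAMPLE_LOGS = [
    "reverse mapping checking getaddrinfo for "
    "115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
    "reverse mapping checking getaddrinfo for 10.0.0.5 [10.0.0.5] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
]

# Assumption: the shipped decoder captured the token right after 'for', which
# is why the logtest output above reports the hostname as srcip.
OLD_PATTERN = re.compile(r"^reverse mapping checking getaddrinfo for (\S+) ")

# Python translation of dan's ssh-reverse-mapping2 regex: skip the hostname
# and capture the dotted-quad inside the literal square brackets.
NEW_PATTERN = re.compile(
    r"^reverse mapping checking getaddrinfo for \S+ \[(\d+\.\d+\.\d+\.\d+)\] failed"
)

# Decoders in the order dan recommends: the new one ABOVE the old one, because
# OSSEC stops at the first child decoder whose pattern matches.
DECODERS = [
    ("ssh-reverse-mapping2", NEW_PATTERN),
    ("ssh-reverse-mapping", OLD_PATTERN),
]


def decode(log, decoders=DECODERS):
    """Return (decoder_name, srcip) from the first matching decoder, else (None, None)."""
    for name, pattern in decoders:
        match = pattern.match(log)
        if match:
            return name, match.group(1)
    return None, None


def is_usable_for_active_response(srcip):
    """An active response needs an address it can block. A hostname whose
    reverse lookup already failed is not one; accept only valid IP literals."""
    try:
        ipaddress.ip_address(srcip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        # Compare the patched decoder order with the old decoder on its own.
        for label, decoders in (("patched", DECODERS), ("old only", DECODERS[1:])):
            name, srcip = decode(log, decoders)
            usable = is_usable_for_active_response(srcip)
            print(f"{label:9s} {str(name):22s} srcip={srcip!r} usable={usable}")
```

Run it and the patched order yields `115.118.6.19` for the quoted event, while the old decoder alone yields the hostname, which `is_usable_for_active_response` rejects; that is the failure Dennis describes, where a block on the extracted "address" can never take effect.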