Any ideas on this one?

Thanks,
Doug Burks

On Nov 12, 2:29 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> What happens on the list stays on the list. ;)
>
>
>
> On Thu, Nov 11, 2010 at 9:15 PM, Chris Decker <deckmo...@gmail.com> wrote:
> > I'm interested in such a decoder as well, so any effort expended to help
> > Doug would also help me and countless others I'm sure.
>
> > On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) <ddp...@gmail.com> wrote:
>
> >> On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks <doug.bu...@gmail.com> wrote:
> >> > Has anybody used OSSEC to monitor OpenLDAP logs?  Specifically, I'd
> >> > like to monitor for auth failures (err=49 in the sanitized log sample
> >> > below).  As you can see, one LDAP connection (conn=999999) creates
> >> > multiple log entries.  Further complicating the matter is the fact
> >> > that there are two instances of the err=49 error in this LDAP
> >> > connection.
>
> >> > Here's what I'd like to do.
> >> > 1.  Write a decoder that would:
> >> >  -process all of these lines together
> >> >  -pull out the source IP address from the "ACCEPT from
> >> > IP=10.10.248.27:33957" entry
> >> >  -pull out the username from the "BIND
> >> > dn="uid=username,ou=Department,ou=Business
> >> > Unit,ou=People,dc=example,dc=com"" entry
> >> > 2.  Write an "Invalid credentials" rule that would look for
> >> > "err=49".
>
> >> > Would this be possible?  Would it require the multi-line log reader
> >> > support added in OSSEC v2.5?  If so, I haven't found any documentation
> >> > on this feature.
>
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid= err=0 text=
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 TLS established tls_ssf=256 ssf=256
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=username)"
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 ENTRY dn="uid=username,ou=Department,ou=Business Unit,ou=people,dc=example,dc=com"
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 RESULT tag=97 err=0 text=
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND anonymous mech=implicit ssf=0
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 RESULT tag=97 err=0 text=
> >> > Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 op=7 UNBIND
> >> > Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
>
> >> > Thanks,
> >> > Doug Burks
>
> >> Gross.
>
> >> I was going to look into OpenLDAP at some point, now I think I see why
> >> it wasn't done before.
>
> >> Out of curiosity, can connection logs from different conn's be mixed
> >> together? For example:
> >> Jan 11 09:27:34 blah slapd: conn=99997 blahblah
> >> Jan 11 09:27:35 blah slapd: conn=99998 blahblah
> >> Jan 11 09:27:36 blah slapd: conn=99999 blahblah
> >> Jan 11 09:27:36 blah slapd: conn=99997 More blahblah
>
> >> Unfortunately I haven't seen much about the multi-line log option.
> >> Here's the source in logcollector that should be handling it:
>
> >>http://bitbucket.org/dcid/ossec-hids/src/tip/src/logcollector/read_mu...
>
> >> I'm going to try and get an idea of how to use it tonight, and ask
> >> about it on IRC tomorrow. I'm just not sure how it'll handle multiple
> >> connection logs getting mixed together.
> >> It's almost like we need a log format where we can specify an
> >> identifier that groups logs together (conn=ID)...

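The grouping-by-conn=ID that dan sketches at the end of the thread is simple to state in code, so here is an added example (not code from the thread, from OSSEC, or from the OpenLDAP project) that does what Doug's decoder and rule would need to do: keep per-connection state keyed on conn=ID, remember the source IP from the ACCEPT line and the DN from each "BIND dn=" line by op number, and emit one event when a bind RESULT (tag=97 is the LDAP bindResponse tag) carries err=49. The sample log is constructed for this example: conn=999999 follows the thread's lines, and a second connection, conn=999998 with an invented IP and uid, is interleaved to show that mixed connections stay separate. It assumes the slapd line format shown in the thread and IPv4 addresses; all class and function names here are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Patterns for the slapd "stats" lines shown in the thread (IPv4 only, as in the sample).
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<srcip>\d+\.\d+\.\d+\.\d+):\d+")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")
CLOSED_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed")
UID_RE = re.compile(r"^uid=([^,]+)", re.IGNORECASE)

BIND_RESPONSE_TAG = 97     # LDAP bindResponse is [APPLICATION 1]: tag byte 0x61 = 97
INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials (the err=49 in the thread)


@dataclass
class BindFailure:
    timestamp: str
    conn: str
    op: str
    srcip: Optional[str]  # None when the ACCEPT line was never seen (e.g. rotated away)
    dn: Optional[str]     # None when no 'BIND dn=' line was seen for this op
    uid: Optional[str]    # value of the leading uid= RDN, else None (e.g. cn=Host binds)


class _ConnState:
    def __init__(self) -> None:
        self.srcip: Optional[str] = None
        self.binds: Dict[str, str] = {}  # op number -> DN from the BIND request


class SlapdBindCorrelator:
    """Line-at-a-time correlator keyed on conn=ID, so interleaved connections do not mix."""

    def __init__(self) -> None:
        self._conns: Dict[str, _ConnState] = {}

    def open_connections(self) -> int:
        return len(self._conns)

    def feed(self, line: str) -> Optional[BindFailure]:
        """Consume one log line; return a BindFailure for a bind RESULT with err=49, else None."""
        m = ACCEPT_RE.search(line)
        if m:
            self._conns.setdefault(m["conn"], _ConnState()).srcip = m["srcip"]
            return None
        m = BIND_RE.search(line)
        if m:
            self._conns.setdefault(m["conn"], _ConnState()).binds[m["op"]] = m["dn"]
            return None
        m = RESULT_RE.search(line)
        if m:
            if int(m["tag"]) != BIND_RESPONSE_TAG or int(m["err"]) != INVALID_CREDENTIALS:
                return None
            state = self._conns.get(m["conn"])
            dn = state.binds.get(m["op"]) if state else None
            uid_match = UID_RE.match(dn) if dn else None
            ts = TS_RE.match(line)
            return BindFailure(timestamp=ts["ts"] if ts else "", conn=m["conn"], op=m["op"],
                               srcip=state.srcip if state else None, dn=dn,
                               uid=uid_match.group(1) if uid_match else None)
        m = CLOSED_RE.search(line)
        if m:
            self._conns.pop(m["conn"], None)  # forget closed connections so state stays bounded
        return None


def failed_binds(lines: Iterable[str]) -> List[BindFailure]:
    corr = SlapdBindCorrelator()
    return [ev for ev in map(corr.feed, lines) if ev is not None]


def failures_by_source(events: Iterable[BindFailure]) -> Counter:
    """Count failures per (srcip, uid): what a frequency/timeframe style rule would threshold on."""
    return Counter((e.srcip, e.uid) for e in events)


# Constructed sample: conn=999999 follows the thread's log; conn=999998 (invented IP and uid)
# is interleaved to show that state is kept per conn=ID.
SAMPLE_LOG = """\
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid= err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 fd=65 ACCEPT from IP=10.10.248.30:41002 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 op=0 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
Jan 11 09:27:02 hostname slapd2.4[20872]: conn=999998 fd=65 closed
"""

if __name__ == "__main__":
    for ev in failed_binds(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp} invalid credentials srcip={ev.srcip} uid={ev.uid} conn={ev.conn} op={ev.op}")
```

Run against the sample it reports two failures for uid=username from 10.10.248.27 (op=3 and op=5) and nothing for conn=999998, which bound successfully. The two points worth carrying into whatever does this for real: the source IP has to be remembered from the ACCEPT line until the connection closes, so a RESULT line on its own can only ever give you conn and op, and the DN must be looked up by op number rather than "the last BIND seen", because the anonymous implicit BIND and the real one share an op and other connections' lines can land in between.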