This is how I'd roughly imagine it to be:

First, you need to make sure each of the entries is being decoded properly. I believe the "postfix" entries should have a postfix decoder for them already. You can test this by using /var/ossec/bin/ossec-logtest. The one that you may need to work on writing a decoder for is "zarafa-gateway", as that seems to be a unique program.

Secondly, you will want to work on creating the rules for each of the specific entries to uniquely match what you're looking for via regex or keywords. Each rule will be identified by a SID that you specify.

Lastly, you would set up a 'master' rule to trigger when the three unique SIDs you defined are hit at least 3 times in 30 seconds from the same IP. I know you can set something up like this:

<rule id="10000" level="15">
  <if_sid>9999,9998,9997</if_sid>
  ....
</rule>

However, I think I read that if you want to use the frequency option, you need to use "<if_matched_sid>" and I don't know if you can match multiple SIDs with that directive. You also may need to use <same_source_ip /> - that should work with <if_matched_sid>.

Hope that helps give an idea at least of another way of possibly doing it.

On Wed, Jun 1, 2011 at 10:47 AM, Andre Pawlowski <[email protected]> wrote:
> Hi list,
>
> I have the following problem.
>
> Some bots (or perhaps persons) are trying to authenticate themselves via
> smtp on my server. Each time I've got the following log entries:
>
> Jun 1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from
> 127.0.0.1 with invalid username "[email protected]" or wrong
> password. Error: 0x80040111
> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication
> failure: Password verification failed
> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning:
> unknown[205.234.236.xxx]: SASL PLAIN authentication failed:
> authentication failure
>
> Now I want to add a rule to ossec, that will trigger when these three
> entries appear for example 3 times in 30 seconds from the same IP
> 205.234.236.xxx. I was searching the wiki but I didn't find anything
> that helps me to do this. Can anyone of you give me a hint?
>
> Thanks in advance
> --
>
> Andre Pawlowski
>
> -------------------------------------------------------------------
>
> People should not be afraid of their governments. Governments should be
> afraid of their people.
> -V for Vendetta (V)
>
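The following is an added worked example, written by the editor and not by either poster, of the three steps described in the reply: a custom decoder for zarafa-gateway, one rule per log line, and a frequency rule that fires on 3 hits in 30 seconds from the same source IP. Because <if_matched_sid> takes a single rule id, the three per-line rules are tagged with a custom group name and the master rule uses <if_matched_group>, which is the standard way to correlate several rules. Everything here is an assumption about the poster's setup: the rule ids 100100-100103 are taken from OSSEC's local range and presumed free, the decoder names are chosen for this example, and the stock postfix decoder is assumed to extract srcip from the "unknown[205.234.236.xxx]:" form of the SASL line. One caveat visible in the posted log lines themselves: the zarafa-gateway entry reports 127.0.0.1 and the "Password verification failed" entry carries no IP at all, so <same_source_ip /> can only correlate events that decoded the remote address; in practice the counting is driven by the postfix "SASL PLAIN authentication failed" line.

```xml
<!-- Added example; assumptions: ids 100100-100103 are unused locally,
     decoder names are invented here, stock postfix decoder yields srcip
     for the "unknown[IP]: SASL PLAIN authentication failed" line. -->

<!-- /var/ossec/etc/local_decoder.xml (or appended to decoder.xml) -->
<decoder name="zarafa-gateway">
  <program_name>^zarafa-gateway</program_name>
</decoder>

<decoder name="zarafa-gateway-login-failed">
  <parent>zarafa-gateway</parent>
  <prematch>^Failed to login from </prematch>
  <!-- Extracts the reported address (127.0.0.1 in the posted line)
       and the attempted login name. -->
  <regex offset="after_prematch">^(\S+) with invalid username "(\S+)"</regex>
  <order>srcip, user</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,smtp_auth,">

  <!-- One rule per log line. All three carry the custom group name
       "smtp_auth_failed" so the frequency rule below can reference them
       together instead of a single SID. -->
  <rule id="100100" level="5">
    <decoded_as>zarafa-gateway</decoded_as>
    <match>Failed to login from</match>
    <description>Zarafa gateway: failed login attempt.</description>
    <group>smtp_auth_failed,</group>
  </rule>

  <rule id="100101" level="5">
    <program_name>^postfix/smtpd</program_name>
    <match>SASL authentication failure: Password verification failed</match>
    <description>Postfix: SASL password verification failed.</description>
    <group>smtp_auth_failed,</group>
  </rule>

  <rule id="100102" level="5">
    <program_name>^postfix/smtpd</program_name>
    <match>SASL PLAIN authentication failed</match>
    <description>Postfix: SASL PLAIN authentication failed.</description>
    <group>smtp_auth_failed,</group>
  </rule>

  <!-- The 'master' rule: 3 or more hits of any rule in the
       smtp_auth_failed group within 30 seconds, same source IP.
       Only events with a decoded srcip take part in the correlation. -->
  <rule id="100103" level="10" frequency="3" timeframe="30">
    <if_matched_group>smtp_auth_failed</if_matched_group>
    <same_source_ip />
    <description>Repeated SMTP authentication failures from the same source IP.</description>
  </rule>

</group>
```

To check the decoder and the per-line rules, paste each of the three posted log lines into /var/ossec/bin/ossec-logtest and confirm that the expected decoder name, srcip (where present) and rule id are reported; the frequency rule itself only fires when the events are replayed through the live analysis engine within the 30 second window.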
