Actually, instead of using <if_matched_sid>, especially in the case that you cannot use multiple SIDs, it might be a better idea to utilize groups. So you would assign all three alerts/entries you want to monitor for in one group, you would add something like "<group>smtp_attack</group>" to each alert rule, for instance. Then in the 'master' rule you would invoke <if_matched_group>smtp_attack</if_matched_group> and then go from there. This may work out better.
On Thu, Jun 2, 2011 at 9:54 AM, Jeremy Lee <[email protected]> wrote:
> This is how I'd roughly imagine it to be:
>
> First, you need to make sure each of the entries is being decoded properly.
> I believe the "postfix" entries should have a postfix decoder for them
> already. You can test this by using /var/ossec/bin/ossec-logtest
> The one that you may need to work on writing a decoder for is
> "zarafa-gateway" as that seems to be a unique program.
>
> Secondly, you will want to work on creating the rules for each of the
> specific entries to uniquely match what you're looking for via regex or
> keywords. Each rule will be identified by a SID that you specify.
>
> Lastly, you would set up a 'master' rule to trigger when the three unique
> SIDs you defined are hit at least 3 times in 30 seconds from the same IP.
>
> I know you can set something up like this:
>
> <rule id="10000" level="15">
>   <if_sid>9999,9998,9997</if_sid>
>   ....
> </rule>
>
> However, I think I read that if you want to use the frequency option, you
> need to use "<if_matched_sid>" and I don't know if you can match multiple
> SIDs with that directive.
> You also may need to use <same_source_ip /> - that should work with
> <if_matched_sid>
>
> Hope that helps give an idea at least of another way of possibly doing it.
>
>
> On Wed, Jun 1, 2011 at 10:47 AM, Andre Pawlowski <[email protected]> wrote:
>
>> Hi list,
>>
>> I have the following problem.
>>
>> Some bots (or perhaps persons) are trying to authenticate themselves via
>> smtp on my server. Each time I've got the following log entries:
>>
>> Jun 1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from
>> 127.0.0.1 with invalid username "[email protected]" or wrong
>> password. Error: 0x80040111
>> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication
>> failure: Password verification failed
>> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning:
>> unknown[205.234.236.xxx]: SASL PLAIN authentication failed:
>> authentication failure
>>
>> Now I want to add a rule to ossec, that will trigger when these three
>> entries appear for example 3 times in 30 seconds from the same IP
>> 205.234.236.xxx. I was searching the wiki but I didn't find anything
>> that helps me to do this. Can anyone of you give me a hint?
>>
>> Thanks in advance
>> --
>>
>> Andre Pawlowski
>>
>> -------------------------------------------------------------------
>>
>> People should not be afraid of their governments. Governments should be
>> afraid of their people.
>> -V for Vendetta (V)
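A local_rules.xml fragment wiring up the group-based approach from the reply above, added here as an illustration and not taken from the thread or from the OSSEC project. The rule ids (100100 to 100110) are arbitrary ids in the user range, and it assumes the standard syslog pre-decoder fills program_name for these lines and that the decoder for the "unknown[ip]" postfix line yields srcip, which <same_source_ip /> needs.

```xml
<!-- Added example (not from the thread). Rule ids are arbitrary user-range ids. -->
<group name="local,syslog,">

  <!-- zarafa-gateway: the IP in this line is the local proxy (127.0.0.1),
       so on its own it carries no remote srcip to correlate on. -->
  <rule id="100100" level="3">
    <program_name>zarafa-gateway</program_name>
    <match>Failed to login from</match>
    <description>zarafa-gateway: failed login</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- postfix/smtpd: password verification failure (no client IP in this line) -->
  <rule id="100101" level="3">
    <program_name>postfix/smtpd</program_name>
    <match>SASL authentication failure: Password verification failed</match>
    <description>postfix: SASL password verification failed</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- postfix/smtpd: the line that names the remote client, e.g. unknown[205.234.236.xxx] -->
  <rule id="100102" level="3">
    <program_name>postfix/smtpd</program_name>
    <match>SASL PLAIN authentication failed</match>
    <description>postfix: SASL authentication failed from remote client</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- master rule: any events tagged smtp_attack, 3 times within 30 s,
       all from the same decoded source IP (the thread's requirement) -->
  <rule id="100110" level="10" frequency="3" timeframe="30">
    <if_matched_group>smtp_attack</if_matched_group>
    <same_source_ip />
    <description>Multiple SMTP authentication failures from the same source IP</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Because <same_source_ip /> compares the srcip the decoder extracted, only child alerts that actually carry the remote address (here the "unknown[...]" line) can be counted together; feed each sample line through /var/ossec/bin/ossec-logtest, as the reply suggests, to confirm which rule fires and whether srcip is populated.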
