Thanks for all your help. This brings me a big step forward. Yes, not
every entry includes the source entry. Perhaps I can find a workaround ...
Andre Pawlowski
-------------------------------------------------------------------
If our gods and hopes are nothing but scientific phenomena, then we must
also call our love a science.
-L'eve Future
On 06/02/2011 08:14 PM, dan (ddp) wrote:
> I think you have the right idea.
>
> The multiple sid thing won't work, so the rules should be written to
> use a command group. Then do a frequency rule using that group.
>
> Unfortunately, it doesn't look like all of the logs in the original
> message include the source IP, so <same_source_ip /> may not work out.
>
> On Thu, Jun 2, 2011 at 1:04 PM, Jeremy Lee <[email protected]> wrote:
>> Actually, instead of using <if_matched_sid>, especially in the case that you
>> cannot use multiple SIDs, it might be a better idea to utilize groups. So
>> you would assign all three alerts/entries you want to monitor for in one
>> group, you would add something like "<group>smtp_attack</group>" to each
>> alert rule, for instance. Then in the 'master' rule you would invoke
>> <if_matched_group>smtp_attack</if_matched_group> and then go from there.
>> This may work out better.
>>
>> On Thu, Jun 2, 2011 at 9:54 AM, Jeremy Lee <[email protected]> wrote:
>>>
>>> This is how I'd roughly imagine it to be:
>>>
>>> First, you need to make sure each of the entries is being decoded
>>> properly. I believe the "postfix" entries should have a postfix decoder for
>>> them already. You can test this by using /var/ossec/bin/ossec-logtest
>>> The one that you may need to work on writing a decoder for is
>>> "zarafa-gateway" as that seems to be a unique program.
>>>
>>> Secondly, you will want to work on creating the rules for each of the
>>> specific entries to uniquely match what you're looking for via regex or
>>> keywords. Each rule will be identified by a SID that you specify.
>>>
>>> Lastly, you would set up a 'master' rule to trigger when the three unique
>>> SIDs you defined are hit at least 3 times in 30 seconds from the same IP.
>>>
>>> I know you can set something up like this:
>>>
>>> <rule id="10000" level="15">
>>> <if_sid>9999,9998,9997</if_sid>
>>> ....
>>> </rule>
>>>
>>> However, I think I read that if you want to use the frequency option, you
>>> need to use "<if_matched_sid>" and I don't know if you can match multiple
>>> SIDs with that directive.
>>> You also may need to use <same_source_ip /> - that should work with
>>> <if_matched_sid>
>>>
>>> Hope that helps give an idea at least of another way of possibly doing it.
>>>
>>> On Wed, Jun 1, 2011 at 10:47 AM, Andre Pawlowski <[email protected]> wrote:
>>>>
>>>> Hi list,
>>>>
>>>> I have the following problem.
>>>>
>>>> Some bots (or perhaps persons) are trying to authenticate themselves via
>>>> SMTP on my server. Each time I've got the following log entries:
>>>>
>>>> Jun 1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from
>>>> 127.0.0.1 with invalid username "[email protected]" or wrong
>>>> password. Error: 0x80040111
>>>> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication
>>>> failure: Password verification failed
>>>> Jun 1 18:30:24 GATE postfix/smtpd[15962]: warning:
>>>> unknown[205.234.236.xxx]: SASL PLAIN authentication failed:
>>>> authentication failure
>>>>
>>>> Now I want to add a rule to OSSEC that will trigger when these three
>>>> entries appear for example 3 times in 30 seconds from the same IP
>>>> 205.234.236.xxx. I was searching the wiki but I didn't find anything
>>>> that helps me to do this. Can any of you give me a hint?
>>>>
>>>> Thanks in advance
>>>> --
>>>>
>>>> Andre Pawlowski
>>>>
>>>> -------------------------------------------------------------------
>>>>
>>>> People should not be afraid of their governments. Governments should be
>>>> afraid of their people.
>>>> -V for Vendetta (V)
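Putting Jeremy's group idea and dan's source-IP caveat together for the three log lines from the thread, as an added illustration that is not code from any poster or from the OSSEC project. Note that in the thread's own lines only the "unknown[205.234.236.xxx]" postfix entry carries the real client address: the zarafa-gateway line reports 127.0.0.1 and the "Password verification failed" line has no address at all, so only the first can feed <same_source_ip />. The rule ids, the decoder name, and the assumption that the stock postfix decoder sets srcip for that line are mine.

```xml
<!-- local_decoder.xml: decoder for the zarafa-gateway line (name assumed) -->
<decoder name="zarafa-gateway">
  <program_name>^zarafa-gateway</program_name>
</decoder>
<decoder name="zarafa-gateway-login">
  <parent>zarafa-gateway</parent>
  <prematch>^Failed to login from </prematch>
  <regex offset="after_prematch">^(\S+) with invalid username "(\S+)"</regex>
  <order>srcip, user</order>
</decoder>

<!-- local_rules.xml: rule ids 100010-100020 are assumed to be unused -->
<group name="local,syslog,">
  <!-- zarafa-gateway: srcip here is 127.0.0.1 (the local proxy), not the
       client, so this rule is kept out of the same_source_ip group -->
  <rule id="100010" level="5">
    <decoded_as>zarafa-gateway</decoded_as>
    <match>Failed to login from</match>
    <group>authentication_failed,</group>
    <description>Zarafa gateway: failed login</description>
  </rule>
  <!-- postfix: this line carries no IP at all, so same_source_ip cannot use it -->
  <rule id="100011" level="5">
    <decoded_as>postfix</decoded_as>
    <match>SASL authentication failure: Password verification failed</match>
    <group>authentication_failed,</group>
    <description>Postfix: SASL password verification failed (no srcip)</description>
  </rule>
  <!-- postfix: the only line with the real client IP; assumes the stock
       postfix decoder fills srcip from "unknown[205.234.236.xxx]" -->
  <rule id="100012" level="5">
    <decoded_as>postfix</decoded_as>
    <match>SASL PLAIN authentication failed</match>
    <group>smtp_attack,authentication_failed,</group>
    <description>Postfix: SASL PLAIN authentication failed</description>
  </rule>
  <!-- composite rule: 3 smtp_attack events within 30 s from one source IP -->
  <rule id="100020" level="10" frequency="3" timeframe="30">
    <if_matched_group>smtp_attack</if_matched_group>
    <same_source_ip />
    <description>SMTP brute force: repeated SASL failures from one IP</description>
  </rule>
</group>
```

Feed each of the three lines through /var/ossec/bin/ossec-logtest first and confirm that srcip is actually populated for rule 100012, otherwise the composite rule will never fire.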