> Do you mean not every entry includes a "source IP?"

Yes, sorry I was in a rush.


>
> The only way I could see is if the program/app has a way of outputting
> the source IP into the log. That will depend on "zarafa-gateway"

No, there is no way (until I rewrite the source code ;) )

>
> BTW: are there times where log messages like "Jun  1 18:30:24 GATE
> postfix/smtpd[15962]: warning: unknown[205.234.236.xxx]: SASL PLAIN
> authentication failed: authentication failure" show *outside* of the
> context of the three entries you originally posted? My logic is, if it
> *only* show up in that sequence, then you may not even need to alert on
> and group all three of those entries together. It would definitely save
> you the extra effort. Then you can fully rely on same_source_ip at that
> point and still set the frequency to 3 times in 30 seconds.

That's a good point. Honestly, for the moment I can't imagine a
situation where this entry appears outside this sequence. But first I
will check it.

>
> You may have to tweak the decoder or rules though to read
> "[205.234.236.xxx]" (in the context above) as a "src ip" however. I'm
> assuming that is the IP you would want to block based on, correct?

Yes that is correct.


Andre Pawlowski

-------------------------------------------------------------------

If you want to know a man's character,
give him power.
        -Abraham Lincoln

On 06/02/2011 10:14 PM, Jeremy Lee wrote:

> 
> 
> 
> On Thu, Jun 2, 2011 at 12:55 PM, Andre Pawlowski <[email protected]> wrote:
> Thanks for all your help. This brings me a big step forward. Yes, not
> every entry includes the source entry. Perhaps I can find a workaround ...
> 
> 
> Andre Pawlowski
> 
> -------------------------------------------------------------------
> 
> If our gods and our hopes are nothing but scientific phenomena,
> then we must call our love a science as well.
>        -L'eve Future
> 
> 
> On 06/02/2011 08:14 PM, dan (ddp) wrote:
>> I think you have the right idea.
>>
>> The multiple sid thing won't work, so the rules should be written to
>> use a command group. Then do a frequency rule using that group.
>>
>> Unfortunately, it doesn't look like all of the logs in the original
>> message include the source IP, so <same_source_ip /> may not work out.
>>
>> On Thu, Jun 2, 2011 at 1:04 PM, Jeremy Lee <[email protected]> wrote:
>>> Actually, instead of using <if_matched_sid>, especially in the case that you
>>> cannot use multiple SIDs, it might be a better idea to utilize groups. So
>>> you would assign all three alerts/entries you want to monitor for in one
>>> group, you would add something like "<group>smtp_attack</group>" to each
>>> alert rule, for instance. Then in the 'master' rule you would invoke
>>> <if_matched_group>smtp_attack</if_matched_group> and then go from there.
>>> This may work out better.
>>>
>>> On Thu, Jun 2, 2011 at 9:54 AM, Jeremy Lee <[email protected]> wrote:
>>>>
>>>> This is how I'd roughly imagine it to be:
>>>>
>>>> First, you need to make sure each of the entries is being decoded
>>>> properly. I believe the "postfix" entries should have a postfix decoder for
>>>> them already. You can test this by using /var/ossec/bin/ossec-logtest
>>>> The one that you may need to work on writing a decoder for is
>>>> "zarafa-gateway" as that seems to be a unique program.
>>>>
>>>> Secondly, you will want to work on creating the rules for each of the
>>>> specific entries to uniquely match what you're looking for via regex or
>>>> keywords. Each rule will be identified by a SID that you specify.
>>>>
>>>> Lastly, you would setup a 'master' rule to trigger when the three unique
>>>> SIDS you defined are hit at least 3 times in 30 seconds from the same IP.
>>>>
>>>> I know you can set something up like this:
>>>>
>>>> <rule id="10000" level="15">
>>>>    <if_sid>9999,9998,9997</if_sid>
>>>>    ....
>>>> </rule>
>>>>
>>>> However, I think I read that if you want to use the frequency option, you
>>>> need to use "<if_matched_sid>" and I don't know if you can match multiple
>>>> SIDs with that directive.
>>>> You also may need to use <same_source_ip /> - that should work with
>>>> <if_matched_sid>
>>>>
>>>> Hope that helps give an idea at least of another way of possibly doing it.
>>>>
>>>> On Wed, Jun 1, 2011 at 10:47 AM, Andre Pawlowski <[email protected]> wrote:
>>>>>
>>>>> Hi list,
>>>>>
>>>>> I have the following problem.
>>>>>
>>>>> Some bots (or perhaps persons) are trying to authenticate themselves via
>>>>> smtp on my server. Each time I've got the following log entries:
>>>>>
>>>>> Jun  1 18:30:24 GATE zarafa-gateway[15970]: Failed to login from
>>>>> 127.0.0.1 with invalid username "[email protected]" or wrong
>>>>> password. Error: 0x80040111
>>>>> Jun  1 18:30:24 GATE postfix/smtpd[15962]: warning: SASL authentication
>>>>> failure: Password verification failed
>>>>> Jun  1 18:30:24 GATE postfix/smtpd[15962]: warning:
>>>>> unknown[205.234.236.xxx]: SASL PLAIN authentication failed:
>>>>> authentication failure
>>>>>
>>>>> Now I want to add a rule to ossec, that will trigger when these three
>>>>> entries appear for example 3 times in 30 seconds from the same IP
>>>>> 205.234.236.xxx. I was searching the wiki but I didn't find anything
>>>>> that helps me to do this. Can any of you give me a hint?
>>>>>
>>>>> Thanks in advance
>>>>> --
>>>>>
>>>>> Andre Pawlowski
>>>>>
>>>>> -------------------------------------------------------------------
>>>>>
>>>>> People should not be afraid of their governments. Governments should be
>>>>> afraid of their people.
>>>>>        -V for Vendetta (V)
>>>>
>>>
>>>
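As an added example (not posted by anyone in the thread), this is how the approach sketched above could look as an OSSEC local decoder plus local rules: one rule per log entry, all tagged with the `smtp_attack` group, and a composite rule keyed on the one line that carries the client IP. Assumptions: the stock postfix decoder is named `postfix`, rule ids 100100-100110 are unused in the local range, and the three log lines are exactly as posted.

```xml
<!-- /var/ossec/etc/local_decoder.xml (constructed for this example) -->
<decoder name="zarafa-gateway">
  <program_name>^zarafa-gateway</program_name>
</decoder>

<!-- Assumed child of the stock "postfix" decoder. Add it only if
     ossec-logtest shows no srcip for the "unknown[205.234.236.xxx]" line. -->
<decoder name="postfix-sasl-client">
  <parent>postfix</parent>
  <prematch>^warning: </prematch>
  <regex offset="after_prematch">^\S+[(\d+.\d+.\d+.\d+)]: SASL \S+ authentication failed</regex>
  <order>srcip</order>
</decoder>

<!-- /var/ossec/etc/local_rules.xml (constructed; ids from the 100000+ local range) -->
<group name="local,syslog,">
  <!-- Entry 1: zarafa-gateway only ever sees 127.0.0.1, so it carries no client IP -->
  <rule id="100100" level="3">
    <decoded_as>zarafa-gateway</decoded_as>
    <match>Failed to login from</match>
    <description>zarafa-gateway: failed login (no client IP in this line)</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- Entry 2: also without a client IP -->
  <rule id="100101" level="3">
    <program_name>^postfix/smtpd</program_name>
    <match>SASL authentication failure: Password verification failed</match>
    <description>postfix: SASL password verification failed</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- Entry 3: the only line with the client IP, so the correlation keys on it -->
  <rule id="100102" level="5">
    <program_name>^postfix/smtpd</program_name>
    <regex>^warning: \S+[\d+.\d+.\d+.\d+]: SASL \S+ authentication failed</regex>
    <description>postfix: SASL authentication failed for remote client</description>
    <group>smtp_attack,authentication_failed,</group>
  </rule>

  <!-- Composite rule: repeated hits of 100102 from one IP inside 30 seconds.
       An event without srcip can never satisfy same_source_ip, so pointing
       if_matched_group at smtp_attack would not add entries 1 and 2 to the
       count. The OSSEC docs note the trigger is frequency + 2 events; check
       the threshold with ossec-logtest before relying on it. -->
  <rule id="100110" level="10" frequency="3" timeframe="30">
    <if_matched_sid>100102</if_matched_sid>
    <same_source_ip />
    <description>Repeated SMTP SASL authentication failures from the same source IP</description>
    <group>smtp_attack,authentication_failures,</group>
  </rule>
</group>
```

Feed the three posted lines to /var/ossec/bin/ossec-logtest first: rule 100102 must show a decoded srcip, otherwise the composite rule can never fire.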
