my last Active response log is from Mon Jun 4 21:23:43 EDT 2012 ups:| that's bad
attached are ossec.conf and asterisk rules
Thanks

On Wed, Jul 11, 2012 at 9:48 PM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <cristicosmas...@gmail.com> wrote:
> >
> > I see that the rules are being processed, but when I check iptables to see if the host was blocked ... nothing...
> >
> > it used to work until 2 days ago...
> >
> What changed? What is your configuration? How did you check iptables? Anything in the active response log? Why didn't you include that info?
> >
> > Results:
> > Total alerts found: 424
> >
> > Alert list
> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
> > Location: (Hp22) 209.217.109.82->/var/log/messages
> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:1...@hp22.xxx.com:5060>' failed for '99.251.108.141:5060' - No matching peer found
> > Login session failed (invalid extension). ** Alert 1342054561.21049945: - syslog,asterisk,
> >
> It looks like you're using the broken web ui. Stop that. Either fix it or don't use it, and definitely give me an un-messed up alert.
> >
> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian" <cristicosmas...@gmail.com> wrote:
> >> >
> >> > Hello,
> >> >
> >> > I'm trying to debug on ossec, following
> >> > http://www.ossec.net/doc/faq/unexpected.html
> >> >
> >> > example: If you have logs similar to the following in /var/ossec/queue/ossec/queue:
> >> >
> >> > when I run
> >> >
> >> > tail -f /var/ossec/queue/ossec/queue
> >> >
> >> That page does not tell you to do that. It probably wants you to tail the logfile:
> >> `tail -f /var/ossec/logs/ossec.log`
> >>
> >> > I get
> >> >
> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such device or address
> >> > tail: no files remaining
<!-- @(#) $Id$ - Official Asterisk rules for OSSEC.
  -
  - Copyright (C) 2009 Trend Micro Inc.
  - All rights reserved.
  -
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - Foundation.
  -
  - License details: http://www.ossec.net/en/licensing.html
-->

<!-- Asterisk Log messages -->
<group name="syslog,asterisk,">
  <rule id="6200" level="0">
    <decoded_as>asterisk</decoded_as>
    <description>Asterisk messages grouped.</description>
  </rule>

  <rule id="6201" level="0">
    <if_sid>6200</if_sid>
    <match>^NOTICE</match>
    <description>Asterisk notice messages grouped.</description>
  </rule>

  <rule id="6202" level="3">
    <if_sid>6200</if_sid>
    <match>^WARN</match>
    <description>Asterisk warning message.</description>
  </rule>

  <rule id="6203" level="3">
    <if_sid>6200</if_sid>
    <match>^ERROR</match>
    <description>Asterisk error message.</description>
  </rule>

  <rule id="6210" level="10">
    <if_sid>6201</if_sid>
    <match>Wrong password</match>
    <description>Login session failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="6211" level="10">
    <if_sid>6201</if_sid>
    <match>Username/auth name mismatch</match>
    <description>Login session failed (invalid user).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6212" level="10">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6250" level="10" frequency="3" timeframe="30000">
    <if_matched_sid>6211</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins (user enumeration in process).</description>
  </rule>

  <rule id="6251" level="10" frequency="3" timeframe="2000">
    <if_matched_sid>6210</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

  <rule id="6252" level="10" frequency="6" timeframe="30000">
    <if_matched_sid>6212</if_matched_sid>
    <same_source_ip />
    <description>Extension enumeration.</description>
  </rule>

  <!-- From Javi Benito jabi.ben...@gmail.com -->
  <!-- http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/ -->
  <rule id="6253" level="10">
    <if_sid>6201</if_sid>
    <match>No registration for peer</match>
    <description>Login session failed (invalid iax user).</description>
    <group>invalid_login,</group>
  </rule>

  <!-- From Javi Benito jabi.ben...@gmail.com -->
  <rule id="6254" level="10" frequency="3" timeframe="30000">
    <if_matched_sid>6253</if_matched_sid>
    <same_source_ip />
    <description>Extension IAX Enumeration.</description>
  </rule>

  <!-- From Javi Benito jabi.ben...@gmail.com -->
  <rule id="6255" level="10">
    <if_sid>6202</if_sid>
    <match>Don't know how to respond via</match>
    <description>Possible Registration Hijacking.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- From Javi Benito jabi.ben...@gmail.com -->
  <rule id="6256" level="10">
    <if_sid>6201</if_sid>
    <match>failed MD5 authentication</match>
    <description>IAX peer Wrong Password.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- From Javi Benito jabi.ben...@gmail.com -->
  <rule id="6257" level="10" frequency="3" timeframe="2000">
    <if_matched_sid>6256</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>
</group> <!-- ASTERISK -->

<!-- EOF -->
Attachment: ossec.conf (binary data)
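An added example, not code from the thread, from OSSEC or from ossec-analysisd: a small Python model of the attached rule chain, run over constructed Asterisk log lines. It shows which rule ids an event like the quoted 6212 alert produces and at what point the composite rule 6252 (six unknown-extension failures from one source) would fire, which is what to compare against the rule id or level the active response is bound to. The srcip regex, the sample lines and the "fires on the Nth match" threshold are assumptions, not the real decoder or engine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Atomic rules under 6201 (^NOTICE) in the attached file: rule id -> <match> text.
ATOMIC = {6210: "Wrong password", 6211: "Username/auth name mismatch", 6212: "No matching peer found",
          6253: "No registration for peer", 6256: "failed MD5 authentication"}
# Composite rules: (rule id, if_matched_sid, frequency, timeframe in seconds); all use same_source_ip.
COMPOSITE = [(6250, 6211, 3, 30000), (6251, 6210, 3, 2000), (6252, 6212, 6, 30000),
             (6254, 6253, 3, 30000), (6257, 6256, 3, 2000)]

ASTERISK = re.compile(r"asterisk\[\d+\]: (NOTICE|WARNING|ERROR)\[\d+\]: (.*)$")
# Assumed stand-in for the asterisk decoder's srcip extraction; the real decoder is not modelled here.
SRC_IP = re.compile(r"failed for '(\d{1,3}(?:\.\d{1,3}){3})")


def notice(clock, ext, ip, reason):
    """Constructed chan_sip NOTICE line shaped like the alert quoted in the thread (sample data)."""
    return (f"Jul 11 {clock} hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in "
            f"handle_request_register: Registration from '<sip:{ext}@hp22.example.com>' "
            f"failed for '{ip}:5060' - {reason}")


# Constructed sample log: six unknown-extension attempts from one source, then two other events.
SAMPLE = [notice(f"20:55:{41 + i}", 100 + i, "203.0.113.5", "No matching peer found") for i in range(6)]
SAMPLE += [notice("20:56:10", 200, "198.51.100.7", "Wrong password"),
           notice("20:56:11", 201, "198.51.100.7", "Peer is not supposed to register")]


def evaluate(lines):
    """Return (rule id, src ip) alerts in firing order, modelling the rule chain above."""
    alerts, history = [], defaultdict(deque)  # history[(composite id, src ip)] -> match timestamps
    for line in lines:
        if not (m := ASTERISK.search(line)):  # would not even decode as asterisk (rule 6200)
            continue
        severity, msg = m.groups()
        src = next(iter(SRC_IP.findall(msg)), None)
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        for sid, needle in ATOMIC.items():
            if severity != "NOTICE" or needle not in msg:
                continue
            alerts.append((sid, src))
            # same_source_ip correlation: only composites chained to this sid, only with a decoded srcip
            for cid, freq, frame in [(c, f, t) for c, p, f, t in COMPOSITE if p == sid and src]:
                q = history[(cid, src)]
                q.append(ts)
                while (ts - q[0]).total_seconds() > frame:  # forget matches outside the timeframe
                    q.popleft()
                if len(q) >= freq:  # assumption: fires on the Nth match; analysisd's exact threshold may differ
                    alerts.append((cid, src))
                    q.clear()
    return alerts
```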