Guys/Dan,

I have this custom decoder & rules running for cmd5checkpw and it seems to 
be working well.

Of course, now I have another brute force attack going on that OSSEC 
doesn't seem to be catching:

Apr 17 07:00:33 clients15 smtp_auth: FAILED: rob...@redacted.com - password 
incorrect from 62.42.15.194.dyn.user.ono.com [62.42.15.194]

Anyone have a custom rule set for "smtp_auth"? It doesn't appear that OSSEC 
has a default set of rules for qmail.

Thanks,

-Nick Voth

On Monday, April 8, 2013 12:25:09 PM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Apr 8, 2013 at 1:47 PM, Nick <nick...@gmail.com> wrote: 
> > Guys, 
> > 
> > I am running OSSEC on a few CentOS 5 servers running Plesk and Qmail. It 
> > appears that OSSEC doesn't catch an SMTP brute force authentication 
> > attempt. 
> > 
> > Here's an example from our logs: 
> > 
> > Apr  8 09:01:02 admin cmd5checkpw: SMTP connect from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:02 admin cmd5checkpw: SMTP user anonymous: auth FAILED from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:02 admin cmd5checkpw: SMTP connect from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:02 admin cmd5checkpw: SMTP user test: auth FAILED from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:05 admin cmd5checkpw: SMTP connect from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:05 admin cmd5checkpw: SMTP user 123: auth FAILED from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:05 admin cmd5checkpw: SMTP connect from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > Apr  8 09:01:05 admin cmd5checkpw: SMTP user test: auth FAILED from 
> > host-91-143-69-232.2i3.net [91.143.69.232] 
> > 
> > Looks like they are trying to authenticate with the user "123" and 
> "test" 
> > over and over. 
> > 
> > Has anyone run in to this with Qmail and/or does anyone have an example 
> > rule that might work to catch this? 
> > 
> > Thanks, 
> > 
> > -Nick Voth 
> > 
>
> # cat /var/ossec/etc/local_decoder.xml 
> <!-- 
>        Apr  8 09:01:05 admin cmd5checkpw: SMTP connect from 
> host-91-143-69-232.2i3.net [91.143.69.232] 
>        Apr  8 09:01:05 admin cmd5checkpw: SMTP user 123: auth FAILED 
> from host-91-143-69-232.2i3.net [91.143.69.232] 
> --> 
>
> <decoder name="qmail-checkpw"> 
>   <program_name>cmd5checkpw</program_name> 
> </decoder> 
>
> <decoder name="qmail-checkpw2"> 
>   <parent>qmail-checkpw</parent> 
>   <regex>user (\S+): auth (\S+) from \S+ [(\d+.\d+.\d+.\d+)]</regex> 
>   <order>dstuser, action, srcip</order> 
> </decoder> 
>
> From local_rules.xml: 
>   <rule id="500000" level="0"> 
>     <decoded_as>qmail-checkpw</decoded_as> 
>     <description>qmail checkpw grouping</description> 
>   </rule> 
>
>   <rule id="500001" level="7"> 
>     <if_sid>500000</if_sid> 
>     <action>FAILED</action> 
>     <group>authentication_failure,</group> 
>     <description>Authentication failure.</description> 
>   </rule> 
>
>   <rule id="500002" level="10" frequency="3" timeframe="120"> 
>     <if_matched_sid>500001</if_matched_sid> 
>     <same_source_ip /> 
>     <description>Multiple auth failures from the same IP.</description> 
>     <group>authentication_failures, brute_force,</group> 
>   </rule> 
>
>
> # cat /tmp/k 
> Apr  8 09:01:05 admin cmd5checkpw: SMTP user 123: auth FAILED from 
> host-91-143-69-232.2i3.net [91.143.69.232] 
> # cat /tmp/k | /var/ossec/bin/ossec-logtest 
> 2013/04/08 14:24:29 ossec-testrule: INFO: Reading local decoder file. 
> 2013/04/08 14:24:29 ossec-testrule: INFO: Started (pid: 7959). 
> ossec-testrule: Type one log per line. 
>
>
>
> **Phase 1: Completed pre-decoding. 
>        full event: 'Apr  8 09:01:05 admin cmd5checkpw: SMTP user 123: 
> auth FAILED from host-91-143-69-232.2i3.net [91.143.69.232]' 
>        hostname: 'admin' 
>        program_name: 'cmd5checkpw' 
>        log: 'SMTP user 123: auth FAILED from 
> host-91-143-69-232.2i3.net [91.143.69.232]' 
>
> **Phase 2: Completed decoding. 
>        decoder: 'qmail-checkpw' 
>        dstuser: '123' 
>        action: 'FAILED' 
>        srcip: '91.143.69.232' 
>
> **Phase 3: Completed filtering (rules). 
>        Rule id: '500001' 
>        Level: '7' 
>        Description: 'Authentication failure.' 
> **Alert to be generated. 
>
>
>
> If you run ossec-logtest interactively you can paste, hit enter, 
> paste, hit enter, etc. until 500002 is triggered. 
>
>
>
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
> > 
> > 
>

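The smtp_auth decoder and rule set Nick asks for, written here as an added example in the same shape as Dan's cmd5checkpw set. It is not from the thread and not from OSSEC's shipped rule files, it has not been run against a live OSSEC, and it assumes that rule IDs 500010 to 500012 are free in local_rules.xml (OSSEC documents 100000-119999 as the local range; these simply follow Dan's numbering) and that the "password incorrect" line above is representative of every FAILED message Plesk's smtp_auth emits, i.e. `FAILED: <user> - <reason> from <rdns-host> [<ip>]`. The sample log line in the comment is constructed from the one Nick posted.

```xml
<!-- local_decoder.xml: qmail/Plesk smtp_auth -->
<!--
  Constructed sample line (same format as the one posted in the thread):
  Apr 17 07:00:33 clients15 smtp_auth: FAILED: rob...@redacted.com - password incorrect from 62.42.15.194.dyn.user.ono.com [62.42.15.194]
-->

<!-- Parent decoder: everything syslog attributes to program "smtp_auth". -->
<decoder name="qmail-smtp-auth">
  <program_name>smtp_auth</program_name>
</decoder>

<!-- Child decoder for the FAILED lines only. This is OSSEC's own regex
     dialect, not PCRE: \S+ is a run of non-space characters, \.+ means
     "anything", [ and ] are literal, and each (...) capture is assigned to
     the fields listed in <order>, left to right.
     The bracketed dotted quad is captured as srcip on purpose: the rDNS
     name before it is attacker-influenced and must not be what rules key
     on or what an active response would block. -->
<decoder name="qmail-smtp-auth-failed">
  <parent>qmail-smtp-auth</parent>
  <prematch>^FAILED: </prematch>
  <regex>^FAILED: (\S+) - \.+ from \S+ [(\d+.\d+.\d+.\d+)]</regex>
  <order>dstuser, srcip</order>
</decoder>

<!-- local_rules.xml: rules live inside a <group>; IDs assumed unused. -->
<group name="local,qmail,smtp_auth,">

  <!-- Level 0 grouping rule so the children can hang off it with if_sid. -->
  <rule id="500010" level="0">
    <decoded_as>qmail-smtp-auth</decoded_as>
    <description>qmail smtp_auth messages grouped.</description>
  </rule>

  <!-- One failed SMTP AUTH. <match> is applied to the log text after the
       program name, so the ^ anchors on "FAILED: ". Level 5 matches what
       OSSEC uses for a single sshd authentication failure. -->
  <rule id="500011" level="5">
    <if_sid>500010</if_sid>
    <match>^FAILED: </match>
    <group>authentication_failed,</group>
    <description>qmail smtp_auth: SMTP authentication failure.</description>
  </rule>

  <!-- Correlation: repeated 500011 hits from one srcip inside the timeframe.
       same_source_ip only works because the decoder above populates srcip. -->
  <rule id="500012" level="10" frequency="6" timeframe="120">
    <if_matched_sid>500011</if_matched_sid>
    <same_source_ip />
    <group>authentication_failures,</group>
    <description>qmail smtp_auth: multiple failed SMTP logins from the same source IP (possible brute force).</description>
  </rule>

</group>
```

Check it the way Dan did before trusting it: feed the sample line to `/var/ossec/bin/ossec-logtest` and confirm Phase 2 shows `decoder: 'qmail-smtp-auth'` with `dstuser` and `srcip` populated, then paste the line repeatedly in the interactive session until 500012 fires. If smtp_auth has other failure reasons with a different shape, logtest will show them falling through to the parent decoder with no srcip, and the correlation rule will silently never trigger for them, so grep the mail log for `smtp_auth: FAILED` variants first. Tune frequency/timeframe to the real traffic: Plesk logs every mistyped password from legitimate clients, so 500011 on its own is noise, and 500012 is the one to alert or hang an active response on.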