We noticed that our courier pop3 service was getting attacked by the email alerts coming from OSSEC: rule 40111 (level 10) fired, but we weren't getting any active response actions.

Received From: plesk1->/usr/local/psa/var/log/maillog
Rule: 40111 fired (level 10) -> "Multiple authentication failures."

We started to debug why active response wasn't working and found that when we ran ossec-logtest on the string below, no phase 2 decoder was detected.

echo "Aug 5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED, [email protected], ip=[::ffff:221.130.14.18]" | /var/ossec/bin/ossec-logtest -v

We then opened up decoder.xml, found the courier section and realized that the program_name field was the culprit. The new courier systems use courier-pop3d/pop3s/imapd/imaps, which weren't listed in the program_name field.

Current courier section of decoder.xml:

<decoder name="courier">
  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
</decoder>

We then updated the program_name section and added a few more options:

<decoder name="courier">
  <program_name>^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps|^pop3d|^courierpop3login|^imaplogin</program_name>
</decoder>

After making this change, we re-ran our ossec-logtest above and were surprised that the phase 2 decoder was now detected and active response started to work. We wanted to post this to the internet to help others with this issue.

Sincerely
[email protected]
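As an added illustration (not part of the original post, and not OSSEC's own code), the script below reproduces the failure the post describes: it pulls the program_name out of a syslog line the way OSSEC's syslog pre-decoder does (the token after the hostname, with any "[pid]" stripped), then tests it against the old and the updated <program_name> patterns from the post. Python's re.match stands in for OSSEC's own regex engine; that is a safe approximation only for these literal, "^"-anchored alternatives. The sample log lines are constructed (the mailbox name is a placeholder), and the user/IP fields are not parsed here because the post does not show the child decoders that do that.

```python
import re

# Constructed sample lines: the post's courier-pop3d line, a courier-imaps variant,
# an old-style "pop3d" line, and an unrelated sshd line as a negative control.
SAMPLE_LINES = [
    "Aug 5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED, user@example.invalid, ip=[::ffff:221.130.14.18]",
    "Aug 5 04:50:01 plesk1 courier-imaps: LOGIN FAILED, user@example.invalid, ip=[::ffff:221.130.14.18]",
    "Aug 5 04:50:07 plesk1 pop3d: LOGIN FAILED, user@example.invalid, ip=[::ffff:221.130.14.18]",
    "Aug 5 04:50:09 plesk1 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2",
]

# The two <program_name> patterns quoted in the post, verbatim.
OLD_PROGRAM_NAME = "^pop3d|^courierpop3login|^imaplogin"
NEW_PROGRAM_NAME = ("^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps"
                    "|^pop3d|^courierpop3login|^imaplogin")

# Minimal BSD-syslog shape: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def extract_program_name(line):
    """Return the syslog program name of a line, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.group("prog") if m else None


def program_name_matches(pattern, program_name):
    """Emulate OSSEC's <program_name> check.

    The pattern is a '|'-separated list of alternatives; each alternative is tried on
    its own, so '^pop3d' does not match 'courier-pop3d' because the anchor forces the
    match to start at the beginning of the program name.
    """
    return any(re.match(alt, program_name) is not None for alt in pattern.split("|"))


def decoder_hits(pattern, lines):
    """For each line, report (program_name, would_the_courier_decoder_claim_it)."""
    hits = []
    for line in lines:
        prog = extract_program_name(line)
        hits.append((prog, prog is not None and program_name_matches(pattern, prog)))
    return hits


if __name__ == "__main__":
    for label, pattern in (("old", OLD_PROGRAM_NAME), ("new", NEW_PROGRAM_NAME)):
        print(f"--- {label} <program_name> ---")
        for prog, matched in decoder_hits(pattern, SAMPLE_LINES):
            print(f"{prog:15s} -> {'decoded' if matched else 'NO decoder (rule 40111 never sees it)'}")
```

Run it to see that the old pattern leaves every "courier-*" line undecoded, which is exactly why rule 40111 never fired and active response never triggered; the authoritative check is still ossec-logtest against the real decoder.xml, as the post does.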
