We noticed from the email alerts that our courier pop3 service was getting 
attacked: OSSEC rule 40111 (level 10) fired, but we weren't getting any 
active response actions.  
 
Received From: plesk1->/usr/local/psa/var/log/maillog
Rule: 40111 fired (level 10) -> "Multiple authentication failures."

We started debugging why active response wasn't working and found that when 
we ran ossec-logtest on the string below, no phase 2 decoder was detected.
 
echo "Aug  5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED, [email protected], ip=[::ffff:221.130.14.18]" | \
  /var/ossec/bin/ossec-logtest -v
 
We then opened decoder.xml, found the courier section, and realized that the 
program_name field was the culprit. The newer courier systems log as 
courier-pop3d/pop3s/imapd/imaps, which weren't listed in the program_name 
field.  
 
Current courier section of decoder.xml:
<decoder name="courier">
  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
</decoder>
 
We then updated the program_name section and added a few more options:
<decoder name="courier">
  <program_name>^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps|^pop3d|^courierpop3login|^imaplogin</program_name>
</decoder>
 
After making this change, we re-ran the ossec-logtest command above and were 
surprised to see that a phase 2 decoder was now detected and active response 
started to work.  
 
We wanted to post this to the internet to help others with this issue.  
 
Sincerely
 
[email protected]
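
The cause and effect described in the message above, as an added illustration that is not part of the original post or of OSSEC's own code: a small Python model of what ossec-logtest reports as phase 1 (syslog pre-decoding, which yields program_name) and phase 2 (decoder matching), run over constructed log lines. The child decoder names and regexes, the sample user and the second and third sample IPs, and the stripping of the `::ffff:` IPv4-mapped prefix are assumptions made for this example; OSSEC's regex dialect differs from Python's, so these are Python regexes that mirror the shape of the courier decoders rather than copies of them. What it shows is why the rule could fire while active response stayed silent: with the old program_name pattern, `courier-pop3d` never reaches a child decoder, so no srcip is extracted, and the default active-response commands (firewall-drop, host-deny) are declared with `<expect>srcip</expect>` and have nothing to act on.

```python
import re

# Constructed sample log lines. The first mirrors the courier-pop3d line quoted
# in the post (with a made-up user); the other two are invented for contrast.
SAMPLE_LINES = [
    "Aug  5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED, "
    "user=test@example.com, ip=[::ffff:221.130.14.18]",
    "Aug  5 04:50:01 plesk1 pop3d: LOGIN FAILED, user=bob, ip=[203.0.113.7]",
    "Aug  5 04:50:05 plesk1 sshd[4242]: Failed password for root "
    "from 198.51.100.9 port 2222 ssh2",
]

# Phase 1 (pre-decoding): split the syslog header into timestamp, hostname,
# program_name, optional pid and the remaining message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


# The two program_name patterns from the post. OSSEC anchors each alternative
# with ^, and Python's re.match behaves the same way for this pattern shape.
OLD_COURIER_PROGRAM_NAME = r"^pop3d|^courierpop3login|^imaplogin"
NEW_COURIER_PROGRAM_NAME = (
    r"^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps"
    r"|^pop3d|^courierpop3login|^imaplogin"
)

# Assumed child decoders (names and regexes are illustrative, written as Python
# regexes): a prematch on the message, then a capture regex applied after it,
# with captures mapped onto fields in <order>.
COURIER_CHILDREN = [
    {"name": "courier-failed", "prematch": r"^LOGIN FAILED, ",
     "regex": r"^user=(\S+), ip=\[(\S+)\]", "order": ("user", "srcip")},
    {"name": "courier-success", "prematch": r"^LOGIN, ",
     "regex": r"^user=(\S+), ip=\[(\S+)\]", "order": ("user", "srcip")},
]


def courier_decoder(program_name_pattern):
    return {"name": "courier", "program_name": program_name_pattern,
            "children": COURIER_CHILDREN}


OLD_DECODERS = [courier_decoder(OLD_COURIER_PROGRAM_NAME)]
NEW_DECODERS = [courier_decoder(NEW_COURIER_PROGRAM_NAME)]


def normalize_srcip(ip):
    # courier logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); a
    # firewall-based response wants the bare IPv4 address. This normalisation
    # is an assumption of the example, not something the OSSEC decoder does.
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def decode(line, decoders):
    """Phase 2: pick the parent decoder by program_name, then let a child
    decoder extract fields. None means 'no phase 2 decoder', which is what
    ossec-logtest reported in the post before the decoder.xml change."""
    pre = predecode(line)
    if pre is None:
        return None
    for parent in decoders:
        if not re.match(parent["program_name"], pre["program_name"]):
            continue
        for child in parent["children"]:
            pm = re.match(child["prematch"], pre["message"])
            if not pm:
                continue
            cm = re.match(child["regex"], pre["message"][pm.end():])
            if not cm:
                continue
            fields = dict(zip(child["order"], cm.groups()))
            if "srcip" in fields:
                fields["srcip"] = normalize_srcip(fields["srcip"])
            fields["decoder"] = child["name"]
            return fields
        # Parent matched but no child did: decoded, but without fields.
        return {"decoder": parent["name"]}
    return None


def active_response_fires(decoded, expect=("srcip",)):
    """Default OSSEC active-response commands declare <expect>srcip</expect>;
    if the alert has no decoded srcip, the command is skipped even though the
    rule itself fired."""
    return decoded is not None and all(decoded.get(f) for f in expect)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line, OLD_DECODERS), "->", decode(line, NEW_DECODERS))
```

Running it prints `None` for the courier-pop3d line under the old decoder and a dict with `decoder`, `user` and `srcip` under the new one, while the legacy `pop3d` line decodes under both and the unrelated sshd line under neither. The same check can be done on a real box with ossec-logtest: if phase 2 never shows a decoder and a `srcip` field for the line that fires the frequency rule, no srcip-based active response will run.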
 
