On Mon, Aug 5, 2013 at 10:56 AM, <[email protected]> wrote:
> We noticed from the email alerts coming from Ossec (rule 40111, level 10,
> fired) that our courier pop3 service was getting attacked, but we weren't
> getting any active response actions.
>
> Received From: plesk1->/usr/local/psa/var/log/maillog
> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>
> Started to debug why active response wasn't working and found that when we
> ran ossec-logtest on the string below we noticed no phase 2 decoder was
> detected.
>
> echo "Aug 5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED,
> [email protected], ip=[::ffff:221.130.14.18]" |
> /var/ossec/bin/ossec-logtest -v
>
> Then opened up decoder.xml, found the courier section and realized that the
> program_name field was the culprit. On the new courier systems it uses
> courier-pop3d/pop3s/imapd/imaps, which wasn't listed in the program_name
> field.
>
> Current courier section of decoder.xml:
>
> <decoder name="courier">
>   <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
> </decoder>
>
> We then updated the program_name section and added a few more options:
>
> <decoder name="courier">
>   <program_name>^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps|^pop3d|^courierpop3login|^imaplogin</program_name>
> </decoder>
>
> After making this change, we re-ran our ossec-logtest above and were
> surprised that now the phase 2 decoder was detected and active response
> started to work.
>
> We wanted to post this to the internet to help others with this issue.
>
> Sincerely
>
> [email protected]
Someone on IRC recently had this same issue, and I recommended a similar strategy to get it working. I believe the atomic corp guys were going to provide a fix at some point.
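To make the failure mode in the quoted post concrete, here is an added example (not code from the post or from OSSEC) that mimics what the phase 2 decoder step does: it extracts the syslog program name from each line, tests it against the decoder's `program_name` alternatives, and only then pulls the user and source IP out of the `LOGIN FAILED` message. Run against the same set of constructed log lines, the old pattern silently drops every `courier-*` line, so no events ever accumulate toward a "multiple authentication failures" threshold, while the widened pattern decodes them. The Python `re` matching, the `user=` field in the message, the sample hosts, addresses and the threshold value are all assumptions made for this example; OSSEC uses its own regex dialect, and the two behave the same only because these alternatives are plain anchored prefixes.

```python
import re
from collections import Counter

# Constructed sample log lines (the courier-pop3d message shape follows the
# quoted post; users, hosts and IPs are placeholders, and the "user=" field
# is an assumption about courier's LOGIN FAILED format).
SAMPLE_LOGS = [
    "Aug  5 04:49:56 plesk1 courier-pop3d: LOGIN FAILED, user=alice@example.test, ip=[::ffff:203.0.113.5]",
    "Aug  5 04:50:01 plesk1 courier-imaps: LOGIN FAILED, user=bob@example.test, ip=[::ffff:203.0.113.5]",
    "Aug  5 04:50:03 plesk1 courier-pop3d: LOGIN FAILED, user=alice@example.test, ip=[::ffff:203.0.113.5]",
    "Aug  5 04:50:07 plesk1 pop3d: LOGIN FAILED, user=carol@example.test, ip=[::ffff:203.0.113.9]",
    "Aug  5 04:50:09 plesk1 sshd[1234]: Failed password for root from 198.51.100.7 port 5022 ssh2",
]

# The two program_name values from the quoted decoder.xml, before and after the fix.
OLD_PROGRAM_NAME = "^pop3d|^courierpop3login|^imaplogin"
NEW_PROGRAM_NAME = (
    "^courier-pop3d|^courier-pop3s|^courier-imapd|^courier-imaps|"
    "^pop3d|^courierpop3login|^imaplogin"
)

# Minimal BSD-syslog header parser: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message-level pattern for a courier login failure (assumed format).
LOGIN_FAILED_RE = re.compile(
    r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)


def parse_syslog(line):
    """Split a syslog line into its header fields; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def program_name_matches(pattern, prog):
    """Emulate OSSEC's program_name check: any '|' alternative may match the program."""
    # Each alternative is a Python regex here; OSSEC's own engine is assumed to
    # agree for anchored literal prefixes such as '^courier-pop3d'.
    return any(re.match(alt, prog) for alt in pattern.split("|"))


def decode(line, program_name_pattern):
    """Return the decoded fields for a courier login failure, or None if the
    decoder does not apply (wrong program name or unrelated message)."""
    rec = parse_syslog(line)
    if rec is None or not program_name_matches(program_name_pattern, rec["prog"]):
        return None
    m = LOGIN_FAILED_RE.search(rec["msg"])
    if not m:
        return None
    return {"decoder": "courier", "program": rec["prog"],
            "user": m.group("user"), "srcip": m.group("ip")}


def decoded_srcips(lines, program_name_pattern):
    """Source IPs of every line the decoder accepted, in input order."""
    out = []
    for line in lines:
        d = decode(line, program_name_pattern)
        if d is not None:
            out.append(d["srcip"])
    return out


def ips_over_threshold(lines, program_name_pattern, threshold):
    """IPs with at least `threshold` decoded failures; stands in for the
    frequency check a rule like 40111 applies before active response fires.
    The threshold is illustrative, not the rule's real setting."""
    counts = Counter(decoded_srcips(lines, program_name_pattern))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for label, pattern in (("old", OLD_PROGRAM_NAME), ("new", NEW_PROGRAM_NAME)):
        print(label, "decoded:", decoded_srcips(SAMPLE_LOGS, pattern),
              "over threshold:", ips_over_threshold(SAMPLE_LOGS, pattern, 3))
```

The point of the comparison is that a decoder that never matches produces no alert and no active response, yet nothing errors out; `ossec-logtest -v` showing no phase 2 decoder is the only visible symptom, which is why checking it is the right first step when a rule appears to fire without the expected response.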
