Here is what I have so far...
*Agent config*
<localfile>
<location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>
*Server local_decoder.xml*
<decoder name="msftp8">
<parent>windows-date-format</parent>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</
prematch>
<regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S
+ \S+ </regex>
<regex>\d+ (\S+) \S+ (\d+) </regex>
<order>srcip,user,action,id</order>
</decoder>
*Server local_rules.xml*
<group name="msftp8,syslog,">
<rule id="100004" level="0">
<decoded_as>msftp8</decoded_as>
<description>Grouping for the Microsoft ftp 8 rules.</description>
</rule>
<rule id="100005" level="5">
<if_sid>100004</if_sid>
<action>PASS</action>
<id>530</id>
<description>FTP Authentication failed.</description>
<group>authentication_failed,</group>
</rule>
<rule id="100006" level="10" frequency="6" timeframe="120">
<if_matched_sid>100005</if_matched_sid>
<description>FTP brute force (multiple failed logins).</
description>
<group>authentication_failures,</group>
</rule>
</group>
*No My IIS 8 ftp server log looks like this for the 530 error:*
2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157
12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
An+error+occurred+during+the+authentication+process.
The plan is to check the IIS 8 FTP server log looking for brute force
attempts and in addition drop the IP that is offending to agents.
I have set these up and restarted both server and agent and run 10+ rapid
ftp login attempts but do not see any real alerts as designed.
Any direction would be welcomed...
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
