Hi Jacob,
the rule 100006 will be fired when rule 100005 fires 8 times (6+2). It
seems to work:
**Phase 1: Completed pre-decoding.
full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4
SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
An+error+occurred+during+the+authentication+process.'
hostname: 'LinMV'
program_name: '(null)'
log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 -
10.20.199.157 12600 PASS *** 530 1326 41 101 16 0
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
An+error+occurred+during+the+authentication+process.'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
srcip: '10.18.100.24'
dstuser: '-'
action: 'PASS'
id: '530'
**Phase 3: Completed filtering (rules).
Rule id: '100006'
Level: '10'
Description: 'FTP brute force (multiple failed logins).'
**Alert to be generated.
So, your rules are fine. Maybe the problem is that you are receiving a
different log (with other format) or just you are not receiving anything.
Configure ossec to log all events:
<global>
<logall>yes</logall>
Then, review archives/archives.log. In case you are receiving the ftp logs,
paste here some examples and we can help a little more.
Regards.
On Monday, May 23, 2016 at 10:51:28 PM UTC+2, Jacob Mcgrath wrote:
>
> Here is what I have so far...
>
> *Agent config*
>
>
>
> <localfile>
> <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
> <log_format>iis</log_format>
> </localfile>
>
> *Server local_decoder.xml*
>
> <decoder name="msftp8">
> <parent>windows-date-format</parent>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</
> prematch>
> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S
> + \S+ </regex>
> <regex>\d+ (\S+) \S+ (\d+) </regex>
> <order>srcip,user,action,id</order>
> </decoder>
>
> *Server local_rules.xml*
>
> <group name="msftp8,syslog,">
> <rule id="100004" level="0">
> <decoded_as>msftp8</decoded_as>
> <description>Grouping for the Microsoft ftp 8 rules.</description>
> </rule>
>
> <rule id="100005" level="5">
> <if_sid>100004</if_sid>
> <action>PASS</action>
> <id>530</id>
> <description>FTP Authentication failed.</description>
> <group>authentication_failed,</group>
> </rule>
>
> <rule id="100006" level="10" frequency="6" timeframe="120">
> <if_matched_sid>100005</if_matched_sid>
> <description>FTP brute force (multiple failed logins).</
> description>
> <group>authentication_failures,</group>
> </rule>
>
> </group>
>
>
>
> *No My IIS 8 ftp server log looks like this for the 530 error:*
>
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157
> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
> An+error+occurred+during+the+authentication+process.
>
>
> The plan is to check the IIS 8 FTP server log looking for brute force
> attempts and in addition drop the IP that is offending to agents.
>
> I have set these up and restarted both server and agent and run 10+ rapid
> ftp login attempts but do not see any real alerts as designed.
>
> Any direction would be welcomed...
>
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
