Weird, I ran the logtest and I get this:

2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.

**Phase 1: Completed pre-decoding.
       full event: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 - An+error+occurred+during+the+authentication+process.'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '10.18.100.24'
       dstuser: '-'
       action: 'PASS'
       id: '530'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

On Tuesday, May 24, 2016 at 7:10:10 AM UTC-5, Jesus Linares wrote:
>
> Hi Jacob,
>
> the rule 100006 will be fired when rule 100005 fires 8 times (6+2). It seems to work:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
>        hostname: 'LinMV'
>        program_name: '(null)'
>        log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        srcip: '10.18.100.24'
>        dstuser: '-'
>        action: 'PASS'
>        id: '530'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100006'
>        Level: '10'
>        Description: 'FTP brute force (multiple failed logins).'
> **Alert to be generated.
>
> So, your rules are fine. Maybe the problem is that you are receiving a different log (with other format) or just you are not receiving anything.
> Configure ossec to log all events:
>
> <global>
>   <logall>yes</logall>
> </global>
>
> Then, review archives/archives.log. In case you are receiving the ftp logs, paste here some examples and we can help a little more.
>
> Regards.
>
> On Monday, May 23, 2016 at 10:51:28 PM UTC+2, Jacob Mcgrath wrote:
>>
>> Here is what I have so far...
>>
>> *Agent config*
>>
>> <localfile>
>>   <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>>   <log_format>iis</log_format>
>> </localfile>
>>
>> *Server local_decoder.xml*
>>
>> <decoder name="msftp8">
>>   <parent>windows-date-format</parent>
>>   <use_own_name>true</use_own_name>
>>   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
>>   <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
>>   <regex>\d+ (\S+) \S+ (\d+) </regex>
>>   <order>srcip,user,action,id</order>
>> </decoder>
>>
>> *Server local_rules.xml*
>>
>> <group name="msftp8,syslog,">
>>   <rule id="100004" level="0">
>>     <decoded_as>msftp8</decoded_as>
>>     <description>Grouping for the Microsoft ftp 8 rules.</description>
>>   </rule>
>>
>>   <rule id="100005" level="5">
>>     <if_sid>100004</if_sid>
>>     <action>PASS</action>
>>     <id>530</id>
>>     <description>FTP Authentication failed.</description>
>>     <group>authentication_failed,</group>
>>   </rule>
>>
>>   <rule id="100006" level="10" frequency="6" timeframe="120">
>>     <if_matched_sid>100005</if_matched_sid>
>>     <description>FTP brute force (multiple failed logins).</description>
>>     <group>authentication_failures,</group>
>>   </rule>
>> </group>
>>
>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>
>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>>
>> The plan is to check the IIS 8 FTP server log looking for brute force attempts and in addition drop the IP that is offending to agents.
>>
>> I have set these up and restarted both server and agent and run 10+ rapid ftp login attempts but do not see any real alerts as designed.
>>
>> Any direction would be welcomed...

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
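The decoder and the two-stage rule pair discussed in the thread (100005 matching a `PASS` with status `530`, 100006 correlating repeats per source within a timeframe), re-implemented as an added, stand-alone Python example that is not part of the thread and not OSSEC code. It lets the field extraction and the frequency/timeframe logic be checked against sample lines without a running server. Assumptions, all mine: the regex is a Python translation of the posted `msftp8` decoder regex (the leading timestamp is consumed the way the `windows-date-format` parent would); the sample log lines are constructed for the example and mirror the 530 line Jacob posted plus a W3C `#Fields:` header and one successful login; the firing point of `frequency + 2` follows the OSSEC documentation for `<frequency>`; the per-source window is keyed on the timestamp inside the line so the run is deterministic, whereas OSSEC measures the timeframe against its own clock as events arrive; resetting the window after an alert is a simplification of this example, not a statement about OSSEC's internal bookkeeping.

```python
"""Added example: Python re-implementation of the msftp8 decoder and of
rules 100005/100006 from the thread, for checking against sample lines.
Not OSSEC code; see the lead-in for the assumptions made here."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python translation (assumption) of the posted msftp8 decoder regex. After
# the timestamp: c-ip, c-port, cs-username, s-sitename, s-computername,
# s-ip, s-port, cs-method (action), cs-uri-stem, sc-status (id).
DECODER = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) \d+ (?P<user>\S+) \S+ \S+ \S+ \S+ "
    r"\d+ (?P<action>\S+) \S+ (?P<id>\d+) "
)

RULE_100005 = {"action": "PASS", "id": "530"}  # "FTP Authentication failed."
FREQUENCY = 6     # rule 100006 frequency="6"
TIMEFRAME = 120   # rule 100006 timeframe="120" (seconds)


def decode(line):
    """Return the decoded fields of an IIS FTP W3C line, or None for the
    '#' header/comment lines and for lines the decoder does not match."""
    if line.startswith("#"):
        return None
    m = DECODER.match(line)
    return m.groupdict() if m else None


def matches_100005(fields):
    """Rule 100005: decoded as msftp8, cs-method PASS and sc-status 530."""
    if fields is None:
        return False
    return all(fields[k] == v for k, v in RULE_100005.items())


class BruteForceCorrelator:
    """Rule 100006: fire when 100005 has matched frequency + 2 times for the
    same source IP inside a sliding timeframe-second window (the +2 follows
    the OSSEC documentation for <frequency>)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.threshold = frequency + 2
        self.window = timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)  # srcip -> timestamps of 100005 matches

    def feed(self, line):
        """Process one line; return the alert text if 100006 fires, else None."""
        fields = decode(line)
        if not matches_100005(fields):
            return None
        # Deterministic for the example: use the line's own timestamp
        # (OSSEC uses its own clock when the event is processed).
        ts = datetime.strptime(fields["date"], "%Y-%m-%d %H:%M:%S")
        q = self.hits[fields["srcip"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire matches outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()   # simplification: one alert per burst, then count again
            return "Rule 100006 level 10: FTP brute force from " + fields["srcip"]
        return None


def run(lines):
    """Feed lines in order and return the list of 100006 alerts raised."""
    corr = BruteForceCorrelator()
    alerts = []
    for line in lines:
        alert = corr.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not a real capture): a W3C header line, a
# successful PASS (230) that must not count, then nine failed PASS (530)
# from one client IP within nine seconds.
SAMPLE = [
    "#Fields: date time c-ip c-port cs-username s-sitename s-computername "
    "s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus "
    "x-session x-fullpath",
    "2016-05-23 20:03:30 10.18.100.24 23130 alice FTPSVC4 SPMEDIA1 - "
    "10.20.199.157 12600 PASS *** 230 0 0 0 0 "
    "6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - Logged+in.",
]
for i in range(9):
    SAMPLE.append(
        "2016-05-23 20:03:%02d 10.18.100.24 %d - FTPSVC4 SPMEDIA1 - "
        "10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 "
        "6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - "
        "An+error+occurred+during+the+authentication+process." % (38 + i, 23138 + i)
    )

if __name__ == "__main__":
    print(decode(SAMPLE[2]))
    for a in run(SAMPLE):
        print(a)
```

Running it decodes the posted 530 line to the same fields logtest reports (srcip `10.18.100.24`, user `-`, action `PASS`, id `530`), ignores the header and the 230 line, and raises exactly one alert at the eighth failure; feeding only seven failures raises none, which is the `6+2` behaviour Jesus describes.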