I can run 8-10 failed logins and do get email alerts for them so I believe the decoder is working but the rules are not being applied and the fall back is rule:1002 for some reason????
OSSEC HIDS Notification. 2016 May 24 15:32:13 Received From: (spmedia1) 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s): 2016-05-24 15:31:20 10.18.100.24 46986 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 10 16 ffbd0e67-ff45-4c49-b29f-26692a1975da - An+error+occurred+during+the+authentication+process. --END OF NOTIFICATION On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote: > > Here is what I have so far... > > *Agent config* > > > > <localfile> > <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location> > <log_format>iis</log_format> > </localfile> > > *Server local_decoder.xml* > > <decoder name="msftp8"> > <parent>windows-date-format</parent> > <use_own_name>true</use_own_name> > <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</ > prematch> > <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S > + \S+ </regex> > <regex>\d+ (\S+) \S+ (\d+) </regex> > <order>srcip,user,action,id</order> > </decoder> > > *Server local_rules.xml* > > <group name="msftp8,syslog,"> > <rule id="100004" level="0"> > <decoded_as>msftp8</decoded_as> > <description>Grouping for the Microsoft ftp 8 rules.</description> > </rule> > > <rule id="100005" level="5"> > <if_sid>100004</if_sid> > <action>PASS</action> > <id>530</id> > <description>FTP Authentication failed.</description> > <group>authentication_failed,</group> > </rule> > > <rule id="100006" level="10" frequency="6" timeframe="120"> > <if_matched_sid>100005</if_matched_sid> > <description>FTP brute force (multiple failed logins).</ > description> > <group>authentication_failures,</group> > </rule> > > </group> > > > > *No My IIS 8 ftp server log looks like this for the 530 error:* > > 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 > 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - > An+error+occurred+during+the+authentication+process. > > > The plan is to check the IIS 8 FTP server log looking for brute force > attempts and in addition drop the IP that is offending to agents. > > I have set these up and restarted both server and agent and run 10+ rapid > ftp login attempts but do not see any real alerts as designed. > > Any direction would be welcomed... > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
