*Started the decoder/rules from scratch since the test ossec system at home 
worked ok...*


*This sees the FTP log attempts + the elevation of "Brute Force" to an 
active response through route-null.cmd...  but the route-null.cmd 
should be the latest updated release of this script from github...*



*But it is working, a little more tuning but it works*



*Enable active response on Windows FTP IIS agent:*

<localfile>
    <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
    <log_format>iis</log_format>
</localfile>

<active-response>
    <disabled>no</disabled>
</active-response>

 

 

*Add to server ossec.conf:*

<command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
    <command>win_nullroute</command>
    <location>all</location>
    <!-- must match the brute-force rule id in local_rules.xml (100006, not 10006) -->
    <rules_id>100006</rules_id>
    <level>6</level>
    <timeout>60</timeout>
</active-response>

 

*Server local_decoder.xml:*

<decoder name="msftp8">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC4</prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
  <regex>\d+ (\S+) \S+ (\d+) </regex>
  <order>srcip,user,action,id</order>
</decoder>

 

*Server local_rules.xml:*

<group name="msftp8,syslog,">
  <rule id="100004" level="0">
    <decoded_as>msftp8</decoded_as>
    <description>Grouping for the Microsoft ftp 8 rules.</description>
  </rule>

  <rule id="100005" level="5">
    <if_sid>100004</if_sid>
    <action>PASS</action>
    <id>530</id>
    <description>FTP Authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100006" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100005</if_matched_sid>
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
</group>

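An added example, not part of this thread and not OSSEC's own code: a small Python model of what the posted decoder and rules do, so the field extraction and the frequency/timeframe correlation of rule 100006 can be checked offline against sample IIS FTP lines before reloading ossec.conf. The regex mirrors the decoder's prematch/regex chain in Python `re` syntax; the sample log lines are constructed in the W3C layout of the 530 line quoted in the original post, with client addresses from the RFC 5737 documentation ranges. One assumption to note: this model counts failures per source IP (what a nullroute-by-srcip response needs), while the posted rule has no `<same_source_ip/>` option and so counts failures from all sources together.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python-re mirror of the posted decoder: windows-date-format parent, then the
# prematch/regex chain.  W3C field order taken from the sample line in the thread:
# date time c-ip c-port cs-username s-sitename s-computername s-ip s-port
# cs-method cs-uri-stem sc-status ...
FTP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "                         # parent decoder
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) \d+ (?P<user>\S+) FTPSVC4 \S+ \S+ \S+ "  # first <regex>
    r"\d+ (?P<action>\S+) \S+ (?P<id>\d+) "                                   # second <regex>
)

FREQUENCY = 6     # rule 100006 frequency
TIMEFRAME = 120   # rule 100006 timeframe, in seconds


def decode(line):
    """Decode one IIS FTP log line into srcip/user/action/id, or None if it does not match."""
    m = FTP_LINE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_auth_failure(ev):
    """Rule 100005: a PASS command answered with FTP status 530."""
    return ev["action"] == "PASS" and ev["id"] == "530"


class BruteForceDetector:
    """Rule 100006 modelled as a sliding window over rule-100005 matches.

    Assumption: failures are counted per source IP. The posted rule has no
    <same_source_ip/> option, so OSSEC as configured counts all sources together.
    """

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.failures = defaultdict(deque)   # srcip -> timestamps of recent 530s

    def feed(self, line):
        """Return ("100005", srcip) for a failure, ("100006", srcip) when the
        threshold is reached inside the window, None for anything else."""
        ev = decode(line)
        if ev is None or not is_auth_failure(ev):
            return None
        q = self.failures[ev["srcip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()                       # drop failures older than the timeframe
        if len(q) >= self.frequency:
            q.clear()                         # one burst -> one alert -> one active response
            return ("100006", ev["srcip"])
        return ("100005", ev["srcip"])


def run(lines):
    """Feed lines through a fresh detector and return the alerts it raises, in order."""
    det = BruteForceDetector()
    return [a for a in (det.feed(l) for l in lines) if a is not None]


T0 = datetime(2016, 5, 23, 20, 3, 38)


def sample_line(offset_s, srcip, status):
    """Constructed sample line in the W3C layout quoted in the thread, offset_s seconds after T0."""
    ts = T0 + timedelta(seconds=offset_s)
    return (f"{ts:%Y-%m-%d %H:%M:%S} {srcip} 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 "
            f"12600 PASS *** {status} 1326 41 101 16 0 - - "
            "An+error+occurred+during+the+authentication+process.")


# Constructed sample log: six 530s from one client ten seconds apart, then a
# successful login, then a line from another site instance the prematch must
# ignore, then a single failure from a second client that must not trip the rule.
SAMPLE_LOG = (
    [sample_line(10 * i, "192.0.2.10", 530) for i in range(6)]
    + [sample_line(70, "192.0.2.10", 230)]
    + [sample_line(80, "192.0.2.11", 530).replace("FTPSVC4", "FTPSVC2")]
    + [sample_line(90, "198.51.100.7", 530)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Running it prints five `100005` alerts followed by one `100006` for 192.0.2.10 and a lone `100005` for 198.51.100.7; the 230 line and the FTPSVC2 line produce nothing, which is the behaviour the active response keyed on `srcip` relies on.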
On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>
> Here is what I have so far...
>
> *Agent config*
>
>
>
> <localfile>
>     <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>     <log_format>iis</log_format>
> </localfile>
>
> *Server local_decoder.xml*
>
> <decoder name="msftp8">
>   <parent>windows-date-format</parent>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
>   <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
>   <regex>\d+ (\S+) \S+ (\d+) </regex>
>   <order>srcip,user,action,id</order>
> </decoder>
>
> *Server local_rules.xml*
>
> <group name="msftp8,syslog,"> 
>   <rule id="100004" level="0"> 
>     <decoded_as>msftp8</decoded_as> 
>     <description>Grouping for the Microsoft ftp 8 rules.</description> 
>   </rule> 
>
>   <rule id="100005" level="5"> 
>     <if_sid>100004</if_sid> 
>     <action>PASS</action> 
>     <id>530</id> 
>     <description>FTP Authentication failed.</description> 
>     <group>authentication_failed,</group> 
>   </rule> 
>
>   <rule id="100006" level="10" frequency="6" timeframe="120">
>     <if_matched_sid>100005</if_matched_sid>
>     <description>FTP brute force (multiple failed logins).</description>
>     <group>authentication_failures,</group>
>   </rule>
>
> </group> 
>
>
>
> *Now my IIS 8 FTP server log looks like this for the 530 error:*
>
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.
>
>
> The plan is to check the IIS 8 FTP server log looking for brute force 
> attempts and in addition drop the IP that is offending to agents.
>
> I have set these up and restarted both server and agent and run 10+ rapid 
> ftp login attempts but do not see any real alerts as designed.
>
> Any direction would be welcomed...
>