Hi,

what fields do you need?

Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): *user*=<test>, method=PLAIN, *rip*=1.2.3.4, *lip*=1.2.3.4, session=<i8uMIAZEDrdtycjJ>

**Phase 1: Completed pre-decoding.
       full event: 'Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>'
       hostname: 'ny'
       program_name: 'dovecot'
       log: 'pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>'

**Phase 2: Completed decoding.
       decoder: 'dovecot'
       dstuser: 'test'
       srcip: '1.2.3.4'
       dstip: '1.2.3.4'
       proto: 'session=<i8uMIAZEDrdtycjJ>'

**Phase 3: Completed filtering (rules).
       Rule id: '9705'
       Level: '5'
       Description: 'Dovecot Invalid User Login Attempt.'
**Alert to be generated.

You can change the decoder <https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0085-dovecot_decoders.xml#L43-L48> to extract the *method* field, but it seems the rest of the fields are decoded.

I hope it helps.
Regards.
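To see why the quoted default decoder never fires on the sample line while the ossec-logtest run above does decode it, here is an added example (not code from the thread, OSSEC or the Wazuh ruleset) that emulates the prematch/regex flow in Python. The OSSEC regex dialect is hand-translated (an assumption): `\p` becomes a punctuation class and the unescaped dots in the IP groups become literal dots. The original translation requires the `::ffff:` prefix and end-of-line right after `lip=`; the relaxed one accepts bare or IPv4-mapped addresses, strips the mapping prefix so srcip is comparable in IP-based rules, keeps the method, and tolerates the trailing `session=<...>` field.

```python
import re
from typing import Optional

# Constructed sample lines: the part after "dovecot: " that the parent
# decoder hands to the child decoder.
PLAIN_IPV4 = ("pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): "
              "user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, "
              "session=<i8uMIAZEDrdtycjJ>")
MAPPED_IPV6 = ("imap-login: Aborted login (auth failed, 1 attempts in 2 secs): "
               "user=<bob>, method=PLAIN, rip=::ffff:10.0.0.5, lip=::ffff:10.0.0.9")

# <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
PREMATCH = re.compile(r"^\w{4}-login: Aborted login")
PUNCT = r"[()*+,\-.:;<=>?\[\]]"   # hand translation of OSSEC \p (assumption)

# Translation of the decoder regex quoted in the thread: ::ffff: is mandatory
# and $ follows lip=, so a plain IPv4 line with a trailing session= never matches.
ORIGINAL = re.compile(
    r": user=" + PUNCT + r"(?P<user>\S+)" + PUNCT + r", method=\S+, "
    r"rip=::ffff:(?P<srcip>\d+\.\d+\.\d+\.\d+), "
    r"lip=::ffff:(?P<dstip>\d+\.\d+\.\d+\.\d+)$")

# Relaxed version: optional ::ffff: prefix (IPv4-mapped IPv6 address) left out
# of the capture, method captured too, no end anchor so extra fields are fine.
RELAXED = re.compile(
    r": user=" + PUNCT + r"(?P<user>\S+)" + PUNCT + r", method=(?P<method>\S+), "
    r"rip=(?:::ffff:)?(?P<srcip>[0-9a-fA-F.:]+), "
    r"lip=(?:::ffff:)?(?P<dstip>[0-9a-fA-F.:]+)")


def decode(log: str, regex: "re.Pattern[str]") -> Optional[dict]:
    """Emulate prematch (after_parent) then regex (after_prematch).

    Returns the extracted fields, or None when either stage fails,
    which is what leaves an alert without srcip/user in the rule phase.
    """
    pre = PREMATCH.match(log)
    if not pre:
        return None
    m = regex.search(log[pre.end():])
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(name, "plain IPv4 ->", decode(PLAIN_IPV4, rx))
        print(name, "mapped IPv6 ->", decode(MAPPED_IPV6, rx))
```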

On Tuesday, June 6, 2017 at 7:58:55 PM UTC+2, dan (ddpbsd) wrote:
>
>
>
> On Jun 6, 2017 1:56 PM, <nno...@cloudlinux.com> wrote:
>
> Hi all,
>
> I have a problem with the dovecot decoder.
>
> Example log:
> Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 
> attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, 
> session=<i8uMIAZEDrdtycjJ>
>
> Default dovecot decoder 
>
> <decoder name="dovecot-aborted">
>   <parent>dovecot</parent>
>   <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
>   <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
>
>
> Try changing the rip and lip to "(\S+)"
> What's there now seems very wrong.
>
>   <order>user, srcip, dstip</order>
> </decoder> 
>
> Is it possible to create an additional decoder that extracts the same fields as 
> in the above decoder if the regex tag does not match but the prematch was matched?
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
