On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <biondi.gior...@gmail.com> wrote:
>
> Hi Dan,
>
> I have too little skill to adjust a decoder.. can you make this for me? I
> don't know where to start to make it...
>
This works for the 1 example you provided:

<decoder name="dovecot-authfailed">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^pop3-login: </prematch>
  <regex offset="after_prematch">^Disconnected \(auth failed, \d+ attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex>
  <order>user,srcip,dstip</order>
</decoder>

> Thanks for your time..
>
> On Wednesday, 31 October 2018 13:56:37 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <biondi....@gmail.com> wrote:
>> >
>> > Hi all,
>> >
>> > I have some entries in the log on my mailserver (with the ossec agent installed)
>> > like this:
>> >
>> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >
>> > and my ossec server in the alert.log says:
>> >
>> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >
>> > ** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
>> > 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
>> > Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
>> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >
>> > The problem is: rule 9705 in the dovecot rules has level 7 and in my
>> > ossec.conf all rules over level 6 trigger an active response.. but not for
>> > 'dovecot'.. I don't understand why..
>> > All AR work fine for ALL other rules.. http and smtp.. only for dovecot
>> > doesn't trigger an active response..
>> >
>> > Any suggestions are appreciated.
>> >
>> > Giorgio Biondi
>> >
>>
>> The log message you provided does not decode the IP address.
>> root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest
>> 2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file.
>> 2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
>> ossec-testrule: Type one log per line.
>>
>> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>>        hostname: 'mailscanner04'
>>        program_name: 'dovecot'
>>        log: 'pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'dovecot'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '9705'
>>        Level: '5'
>>        Description: 'Dovecot Invalid User Login Attempt.'
>> **Alert to be generated.
>>
>> The decoders will have to be adjusted for the IP to get pulled out and be
>> useful for active response.
>> You might be able to adjust the <decoder name="dovecot-authfailed">
>> decoder to fit.
>>
>> >
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
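Added example, not part of this thread and not OSSEC code: a small Python emulation of the three ossec-logtest phases (pre-decoding, the dovecot parent decoder, the dovecot-authfailed child decoder posted above) that makes the point of the thread visible. Rule 9705 fires on the raw line either way; an IP-based active response only has something to act on once a decoder fills in srcip. The sample log lines are constructed (RFC 5737 addresses, example.test users), the pre-decoder is a simplified syslog splitter, and the child decoder regex is a translation into Python's re dialect, which is not the same engine OSSEC uses.

```python
import re
from typing import Optional

# Constructed sample syslog lines. The first has the same shape as the dovecot
# line in the thread; the others are assumed variants (an imap-login failure, a
# successful login, an unrelated program) to show where the posted decoder
# matches and where it does not.
SAMPLE_LOGS = [
    "Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<victim@example.test>, method=PLAIN, rip=192.0.2.70, lip=10.12.14.36",
    "Oct 31 12:04:02 mailscanner04 dovecot: imap-login: Disconnected (auth failed, 3 attempts): "
    "user=<alice@example.test>, method=PLAIN, rip=198.51.100.7, lip=10.12.14.36",
    "Oct 31 12:05:44 mailscanner04 dovecot: pop3-login: Login: user=<bob@example.test>, "
    "method=PLAIN, rip=203.0.113.9, lip=10.12.14.36",
    "Oct 31 12:06:10 mailscanner04 sshd[1234]: Failed password for root from 203.0.113.5 port 2222 ssh2",
]

# Phase 1 (pre-decoding): split a syslog line into the hostname, program_name
# and log fields that ossec-logtest prints. Simplified; assumed format.
PREDECODE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2 (decoding): Python translation of the child decoder from the reply.
# OSSEC's regex dialect is not Python's, so this emulates the decoder's
# behaviour rather than running the decoder itself. "order" maps the capture
# groups to field names, like <order>user,srcip,dstip</order>.
CHILD_DECODERS = [
    {
        "name": "dovecot-authfailed",
        "parent": "dovecot",
        "prematch": re.compile(r"^pop3-login: "),          # offset="after_parent"
        "regex": re.compile(
            r"^Disconnected \(auth failed, \d+ attempts\): "
            r"user=<(\S+)>, \S+, rip=(\S+), lip=(\S+)$"
        ),
        "order": ("user", "srcip", "dstip"),
    },
]


def decode(line: str) -> Optional[dict]:
    """Emulate pre-decoding plus the parent/child decoder chain for one line.

    Returns None when the line is not syslog-shaped, otherwise a dict of the
    decoded fields. 'decoder' is the most specific decoder that matched.
    """
    m = PREDECODE.match(line)
    if not m:
        return None
    fields = {
        "hostname": m["hostname"],
        "program_name": m["program_name"],
        "log": m["log"],
        "decoder": None,
    }
    if fields["program_name"] != "dovecot":
        return fields                       # the dovecot parent decoder does not apply
    fields["decoder"] = "dovecot"           # parent matched on program_name alone
    for child in CHILD_DECODERS:
        pm = child["prematch"].match(fields["log"])
        if not pm:
            continue
        rm = child["regex"].match(fields["log"][pm.end():])   # offset="after_prematch"
        if rm:
            fields["decoder"] = child["name"]
            fields.update(zip(child["order"], rm.groups()))
            break
    return fields


def active_response_target(fields: Optional[dict]) -> Optional[str]:
    """Address an IP-based active response (host-deny, firewall-drop) could act
    on, or None. This is what was missing in the thread: the rule fired, but
    the stock dovecot decoder produced no srcip."""
    if not fields:
        return None
    return fields.get("srcip")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = decode(line)
        print(f["decoder"], "->", active_response_target(f))
```

Running the block prints the matched decoder and the srcip for each sample line: only the pop3-login auth-failure line yields an address, while the imap-login failure falls through to the bare dovecot parent exactly as the posted decoder would (its prematch is pop3-login only), which is what "works for the 1 example you provided" means in practice. A real check is still done with ossec-logtest against the live decoder file; the emulation just shows which field the active response depends on.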