On Tue, Nov 13, 2018 at 5:01 PM Giorgio Biondi <biondi.gior...@gmail.com> wrote:
> Hi
>
> I find many of these entries in my dovecot.log on my mail server (iredmail):
>
> Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
>
> I see this in the Splunk interface installed on my ossec server:
>
> ** Alert 1542145364.10111054: mail - syslog,errors,
> 2018 Nov 13 22:42:44 (mailserver.cacirro.it) 10.12.14.11->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Nov 13 22:42:43 mailserver dovecot Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
>
> If I test this on my ossec server I get this result:
>
> [root@serverossec bin]# ./ossec-logtest
> 2018/11/13 22:56:24 ossec-testrule: INFO: Reading local decoder file.
> 2018/11/13 22:56:24 ossec-testrule: INFO: Started (pid: 2055).
> ossec-testrule: Type one log per line.
>
> Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>'
>        hostname: 'serverossec'
>        program_name: 'imap-login'
>        log: 'Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
The decoders I provided were for this log message, not the one you tested here:

Nov 13 22:42:43 mailserver dovecot Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>

> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> I want to trigger an 'active response' for this IP...
>
> Thanks for your time, Dan..
>
> gb
>
>
> On Monday, 12 November 2018 19:37:05 UTC+1, Giorgio Biondi wrote:
>>
>> Hi all,
>>
>> I have a new issue with dovecot.. I have another mail server (Iredmail) with the ossec agent installed on it..
>> I have many records from the ossec server like this: (cacirro.it is a fictional domain ... I apologize to the real cacirri in the world)
>>
>> ** Alert 1542045111.8818974: mail - syslog,errors,
>> 2018 Nov 12 18:51:51 (mailserver.tech2.it) 10.12.14.11->/var/log/messages
>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<i...@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>
>>
>>
>> I have tried to put the log in ossec-logtest.. here is the result..
>>
>> [root@serverossec ~]# /var/ossec/bin/ossec-logtest
>> 2018/11/12 19:26:14 ossec-testrule: INFO: Reading local decoder file.
>> 2018/11/12 19:26:15 ossec-testrule: INFO: Started (pid: 29461).
>> ossec-testrule: Type one log per line.
>>
>> Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<i...@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<i...@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'
>>        hostname: 'mailserver'
>>        program_name: '(null)'
>>        log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<i...@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '1002'
>>        Level: '2'
>>        Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>>
>> I would like it to trigger an 'auth failed' rule so I can trigger active response.
>>
>> All the best.
>>
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
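As an added example (not the poster's or Dan's code, and not the decoders Dan refers to), the Python below shows the two shapes in which the same Dovecot event reached ossec-logtest in this thread, why the syslog-forwarded shape comes out with program_name '(null)', and how a decoder that accepts both can feed a per-source failure count of the kind a frequency rule would hand to active-response. The first two sample lines are the ones quoted in the thread; the others are constructed, and the field names and threshold are this example's own choices.

```python
import re
from collections import defaultdict
# Added example for this thread (not the poster's or Dan's code). The same Dovecot
# event reaches OSSEC either straight from dovecot.log or forwarded by syslog into
# /var/log/messages, where "<host> dovecot <timestamp>" is prepended and
# ossec-logtest therefore reports program_name '(null)'. A decoder keyed on
# program_name="imap-login" matches the first shape only; this one handles both.
TS = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
LINE = re.compile(
    rf"^{TS} "                               # leading syslog/dovecot timestamp
    rf"(?:(?P<host>\S+) dovecot {TS} )?"     # optional extra hop with doubled header
    r"(?P<prog>[\w-]+): Info: (?P<msg>.*)$"  # real program name and message body
)
AUTH_FAILED = re.compile(
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts in (?P<secs>\d+) secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def decode(line):
    """Return decoded fields for a Dovecot 'auth failed' line in either shape, else None."""
    m = LINE.match(line)
    if not m:
        return None
    f = AUTH_FAILED.match(m.group("msg"))
    if not f:
        return None
    fields = f.groupdict()
    fields["attempts"] = int(fields["attempts"])
    fields["program_name"] = m.group("prog")        # 'imap-login' even when forwarded
    fields["forwarded"] = m.group("host") is not None
    return fields

def failures_by_source(lines, threshold):
    """Sum failed attempts per remote IP (rip) and return the sources at or above threshold."""
    counts = defaultdict(int)
    for line in lines:
        d = decode(line)
        if d:
            counts[d["rip"]] += d["attempts"]
    return {ip: n for ip, n in counts.items() if n >= threshold}

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = [
    "Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<administra...@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>",
    "Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<i...@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>",
    "Nov 12 18:52:10 mailserver dovecot Nov 12 18:52:09 imap-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): user=<postmaster@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<constructed000001>",
    "Nov 12 18:53:00 mailserver dovecot Nov 12 18:52:59 imap-login: Info: Login: user=<ok@cacirro.it>, method=PLAIN, rip=192.0.2.9, lip=10.12.14.11, TLS",  # successful login, must not count
]

if __name__ == "__main__":
    print(failures_by_source(SAMPLE, threshold=4))   # {'154.64.218.77': 4}
```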