[ossec-list] Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-02 Thread alsdks
Hello list,


Some systems, in syslog logging, tend to group the same messages to save
space and load. For example, Solaris
logs failed ssh logins to syslog but issues an event that says that
the last message repeated x times, like:

sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
for 
Feb  2 10:38:00 systemname last message repeated 1 time


This way rule ID 5720 actually triggers at about 10 failed logins
instead of 8.

Is there a way to work around this? Maybe lower the threshold for
specific systems/platforms?

The same goes for telnet logging, which does summarize a lot of these
events. Probably other services too.

Thank you!


Re: [ossec-list] Re: Overriding composite rule (18152)

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 5:02 PM, alsdks als...@gmail.com wrote:
 try that 18152 rule again in your local rules with overwrite=yes
 option , to overwrite the original rule and see how it goes .


(WARNING: I do not know if this will work! Try it, see if it works. Or not.)

Combined with the above, you could try adding your rule 100300 to
local_rules, and copy rule 18152 with the overwrite=yes (and no
other changes) below it.

This might move the detection order to prefer the 100300 rule over
18152 when the same user is involved. Might not though, I can't test
it at the moment.

 On Feb 1, 11:20 pm, tao_zhyn taoz...@gmail.com wrote:
 I want to be notified if there are 10 failed logon attempts within 2
 minutes from the same user.

 I know that rule 18152 sends an alert when there are 10 (8) failed
 attempts within 2 minutes.

 From msauth_rules.xml

 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <description>Multiple Windows Logon Failures.</description>
      <group>authentication_failures,</group>
 </rule>

 I have tried adding the following to my local_rules.xml

 <rule id="100300" level="10" frequency="8" timeframe="240">
     <if_matched_group>win_authentication_failed</if_matched_group>
     <same_user />
     <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
     <group>authentication_failures,</group>
 </rule>

 When I use ossec_logtest the rule 18152 is fired, but never 100300.

 FYI: I have a file ossec_test file with 10 lines of the same bad login
 for testing.

 WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
 AUTHORITY: SERVER1: Pre-authentication failed:          User Name:
  user1          User ID:        %
 {S-1-5-21-1296043670-581226567-3024351967-8251}         Service Name:
 krbtgt/DOMAIN.LOCAL
         Pre-Authentication Type: 0x0            Failure Code: 0x19      
 Client
 Address: 10.0.0.10

 ---

 I also tried the following in my local_rules.xml in the hope that it
 would override the one previously defined.

 <rule id="18152" level="10" frequency="8" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <same_user />
      <description>Multiple Windows Logon Failures. (Same User Test)</description>
      <group>authentication_failures,</group>
 </rule>

 When I use ossec_logtest the old rule is fired, does not have (Same
 User Test) in the description.

 --

 After some playing around I went back to my first try but modified the
 frequency.

 <rule id="100300" level="10" frequency="5" timeframe="240">
     <if_matched_group>win_authentication_failed</if_matched_group>
     <same_user />
     <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
     <group>authentication_failures,</group>
 </rule>

 This would trigger the rule.  If I increased the frequency to 6 then
 the rule 18152 would be triggered.

 Any idea what I am doing wrong, or pointers on how to do this
 correctly?

 Thanks


Re: [ossec-list] Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 11:01 AM, Jon Bayless fbjbayl...@gmail.com wrote:
 Here are the alerts I get from ossec, so I know it sees the attacks and the 
 level is 10 so it should be taking action. I have the active-response set for 
 anything over level 8 I think:


Check. ;)

 Rule: 40111 fired (level 10) - Multiple authentication failures.
 Portion of the log(s):

 Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info 
 host=[12.36.252.93]

How are these log messages decoded? Is the IP properly decoded?

 Feb  1 06:39:30 server1 ipop3d[33068]: Login failed user=info auth=info 
 host=[12.36.252.93]
 Feb  1 06:39:27 server1 ipop3d[33067]: Login failed user=info auth=info 
 host=[12.36.252.93]
 Feb  1 06:39:20 server1 ipop3d[33065]: Login failed user=info auth=info 
 host=[12.36.252.93]
 Feb  1 06:39:17 server1 ipop3d[33064]: Login failed user=info auth=info 
 host=[12.36.252.93]
 Feb  1 06:39:14 server1 ipop3d[33063]: Login failed user=info auth=info 
 host=[12.36.252.93]

 Rule: 5712 fired (level 10) - SSHD brute force trying to get access to the 
 system.
 Portion of the log(s):

 Feb  1 02:57:18 server1 sshd[21791]: Invalid user mbrown from 222.87.204.13
 Feb  1 02:56:40 server1 sshd[21720]: Invalid user f1astra from 222.87.204.13
 Feb  1 02:56:34 server1 sshd[21703]: Invalid user dan from 222.87.204.13
 Feb  1 02:56:04 server1 sshd[21668]: Invalid user janab from 222.87.204.13
 Feb  1 02:55:58 server1 sshd[21633]: Invalid user r00t from 222.87.204.13

 The sshd brute force one sometimes results in the host-deny and firewall-drop 
 active response rules firing and the active-response works fine. Maybe I need 
 to adjust the frequency or timing for these rules somehow?

 Thanks for any help you can give.


Re: [ossec-list] Decoding log

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 7:59 AM, kumaig goj...@gmail.com wrote:
 I have tried for a few weeks to decode one magento log with no luck. I
 have searched more than 2 weeks for a solution to this problem. If
 anyone can help I appreciate it.
 the log is :
 2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/
 default/template/exacttarget/top_sub.phtml

 i have made several decoders but none worked for this log.

 <decoder name="magentoCRIT">
 <!-- <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d\.*</prematch> -->
 <!-- <prematch>^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT</prematch> -->
 <!-- <prematch>CRIT</prematch> -->
 <prematch>\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. CRIT</prematch>
 </decoder>

 My guess is that the date format is making some sort of error, because if
 I try a format like this

 2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/
 default/template/exacttarget/top_sub.phtml

 it finds modified decoder without \w.

 Thank you all!

Why use the \w? Isn't it always a T?


Re: [ossec-list] day of decoder problems

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 2:49 PM, Kat uncommon...@gmail.com wrote:
 What am I missing - it just keeps firing on the windows-date-format --
 so frustrating, it must be simple, I am just blind today:


Either put it before the windows-date-format decoder or make it a
child of that decoder.

 Logentry:

 2012-01-12 15:19:58 Package: attack.vector:
 removing(string1,string2,string3) by administrator

 decoder:

 <decoder name="fw-private">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
 </decoder>

 <decoder name="fw-private-alert">
  <parent>fw-private</parent>
  <regex offset="after_parent">^Package: (\.+):\.+</regex>
  <order>data</order>
 </decoder>

 And I want to store the attack.vector in 'data', but it just keeps
 triggering:

 **Phase 1: Completed pre-decoding.
       full event: '2012-01-12 15:19:58 Package: attack.vector:
 removing(string1,string2,string3) by administrator'
       hostname: 'ossex'
       program_name: '(null)'
       log: '2012-01-12 15:19:58 Package: attack.vector:
 removing(string1,string2,string3) by administrator'

 **Phase 2: Completed decoding.
       decoder: 'windows-date-format'

 **Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '0'
       Description: 'Unknown problem somewhere in the system.'


Re: [ossec-list] Multiple Failed login thresholds (rule 5720).(SSHD,TELNET,etc)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 5:03 AM, alsdks als...@gmail.com wrote:
 Hello list,


 Some systems, in syslog logging, tend to group the same messages to save
 space and load. For example, Solaris
 logs failed ssh logins to syslog but issues an event that says that
 the last message repeated x times, like:

 sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
 for 
 Feb  2 10:38:00 systemname last message repeated 1 time


 This way rule ID 5720 actually triggers at about 10 failed logins
 instead of 8.

 Is there a way to work around this? Maybe lower the threshold for
 specific systems/platforms?

 The same goes for telnet logging, which does summarize a lot of these
 events. Probably other services too.

 Thank you!

Maybe you could turn off the "message repeated" messages.
Or I guess you could use the overwrite option on the rules that are
issues to lower the frequency for your environment.


Re: [ossec-list] Segfaults with overwrite

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller ogmuel...@gmail.com wrote:
 If I add the following rule to local_rules.xml and try to test it with
 ossec-logtest, I receive a segfault (see below):

 <group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
  <!-- Original rule blocked user if login failed once. That's a bit too hard -->
  <if_matched_sid>30101</if_matched_sid>
  <regex>user \S+ not found</regex>
  <description>Attempt to login using a non-existent user.</description>
  <group>invalid_login,</group>
  </rule>
 </group>



 # ../bin/ossec-logtest
 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
 ossec-testrule: Type one log per line.

 [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
 not found: /myapp/


 **Phase 1: Completed pre-decoding.
    full event: '[Mon Jan 23 08:40:46 2012] [error] [client
 192.168.0.123] user unknownUser not found: /myapp/'
    hostname: 'server'
    program_name: '(null)'
    log: '[error] [client 192.168.0.123] user unknownUser not found:
 /myapp/'

 **Phase 2: Completed decoding.
    decoder: 'apache-errorlog'
    srcip: '192.168.0.123'
 Segmentation fault


What version of OSSEC? What kind of host?


 Is there any update planned for ossec soon?

Not that I'm aware of.


Re: [ossec-list] Question - Crafting a rule to send a separate email to a paging device

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 4:21 PM, Peter M Abraham
peter.abra...@dynamicnet.net wrote:
 Good day:

 Given the following rule

  <rule id="18" level="11">
    <if_sid>18107</if_sid>
    <match>Logon Type: 10</match>
    <description>Windows RDP Login.</description>
    <group>authentication_success,</group>
  </rule>

 What could we add so that if the User Name is not a specific value
 AND the Source Network Address is not a specific value, that an
 email is triggered to a specific email address?

 Thank you.

<rule id="180001" level="0">
  <if_sid>18</if_sid>
  <user>User Name</user>
  <srcip>Source Network Address</srcip>
  <description>Ignore stuff</description>
</rule>

Then create a granular email alert for rule 18.


Re: [ossec-list] OSSEC server No Daily Reports

2012-02-02 Thread dan (ddp)
On Tue, Jan 31, 2012 at 8:42 PM, Macus macu...@gmail.com wrote:
 I have setup a daily report like below for the syscheck. it is
 supposed to have the report delivered to my mailbox? The syscheck is
 scheduled daily at 20:00

 <reports>
    <category>syscheck</category>
    <title>OSSEC Daily Report: File Integrity Check Result</title>
 ...
 ...

I don't think ... is valid syntax.

    <showlogs>yes</showlogs>
  </reports>

 thanks.


Re: [ossec-list] Question about OSSEC server which reports files are changed, but the file seems unchanged

2012-02-02 Thread dan (ddp)
On Wed, Feb 1, 2012 at 4:56 AM, Marcos Tang marcostang2...@yahoo.com wrote:
 Hi OSSEC users and Dan

 High-level background of my current setup:

 - Several OSSEC servers are running on Solaris
 - OSSEC agents are running on Solaris and reporting to the above OSSEC
 servers
 - Running /opt/ossec/bin/agent_control -lc shows the agents are connecting
 to the server
 - File integrity check is enabled and several configuration files are being
 monitored. One of the files being monitored is syslog-ng.conf

 My problem:

 Recently I find more than one OSSEC servers detect changes on this
 syslog-ng.conf file (this file is installed on all OSSEC clients). However,
 when I run the below command, it doesn't tell me what exactly is changed. I
 have also checked the file integrity myself and I also don't see anything
 wrong.

 *
 Output from the OSSEC server
 *

 [root@myserver ~]# /opt/ossec/bin/syscheck_control -i 049 -f
 /opt/syslog-ng/conf/syslog-ng.conf

 Integrity changes for agent 'myagent (049) - 10.XX.XX.XXX':
 Detailed information for entries matching:
 '/opt/syslog-ng/conf/syslog-ng.conf'

 2012 Jan 08 23:31:38,0 - /opt/syslog-ng/conf/syslog-ng.conf

 2012 Jan 19 08:31:27,0 - /opt/syslog-ng/conf/syslog-ng.conf
 File changed. [root@myserver ~]#


 *
 Output from the OSSEC agent
 *

 root@myagent% pwd
 /opt/ossec/queue/diff/local/opt/syslog-ng/conf/syslog-ng.conf
 root@spewgp2c35% ls -arlt
 total 8
 -rw-rw-r--   1 root other   1488 Jun 28  2011 last-entry
 drwxrwx---   3 root other    512 Jun 28  2011 ..
 drwxrwx---   2 root other    512 Jun 28  2011 .
 root@myagent%


 My questions:

 Why there is no integrity change detected but OSSEC servers report the file
 is changed?

 Regards, Marcos

Is there an alert associated with this? Does it mention what seems to
have changed (checksum, size, etc)?


Re: [ossec-list] Segfaults with overwrite

2012-02-02 Thread Oliver Müller
I am using version OSSEC HIDS v2.6 - Trend Micro Inc. on an Ubuntu 11.10 
oneiric.


On 02.02.2012, at 14:19, dan (ddp) wrote:

 On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller ogmuel...@gmail.com wrote:
 If I add the following rule to local_rules.xml and try to test it with
 ossec-logtest, I receive a segfault (see below):
 
 <group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
  <!-- Original rule blocked user if login failed once. That's a bit too hard -->
  <if_matched_sid>30101</if_matched_sid>
  <regex>user \S+ not found</regex>
  <description>Attempt to login using a non-existent user.</description>
  <group>invalid_login,</group>
  </rule>
 </group>
 
 
 
 # ../bin/ossec-logtest
 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
 ossec-testrule: Type one log per line.
 
 [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
 not found: /myapp/
 
 
 **Phase 1: Completed pre-decoding.
full event: '[Mon Jan 23 08:40:46 2012] [error] [client
 192.168.0.123] user unknownUser not found: /myapp/'
hostname: 'server'
program_name: '(null)'
log: '[error] [client 192.168.0.123] user unknownUser not found:
 /myapp/'
 
 **Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '192.168.0.123'
 Segmentation fault
 
 
 What version of OSSEC? What kind of host?
 
 
 Is there any update planned for ossec soon?
 
 Not that I'm aware of.



[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
How can I determine if the IP is properly decoded? With the ossec-logtest 
program?

Here is the output I get from that:

ossec-testrule: Type one log per line.

Feb  1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net 
auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]


**Phase 1: Completed pre-decoding.
   full event: 'Feb  1 09:02:41 server1 ipop3d[39710]: Login failed 
user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de 
[212.112.234.119]'
   hostname: 'server1'
   program_name: 'ipop3d'
   log: 'Login failed user=stud...@hammer.net auth=stud...@hammer.net 
host=ipx21117.ipxserver.de [212.112.234.119]'

**Phase 2: Completed decoding.
   No decoder matched.

**Phase 3: Completed filtering (rules).
   Rule id: '2501'
   Level: '5'
   Description: 'User authentication failure.'
**Alert to be generated.


I assume that means there is no specific decoder for ipop3d logs but it seems 
to know what kind of problem it is and how to classify it. 

Does that mean ossec needs a decoder for this? Or do I need to make some kind 
of config change?

Thanks


Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless fbjbayl...@gmail.com wrote:
 How can I determine if the IP is properly decoded? With the ossec-logtest 
 program?

 Here is the output I get from that:

 ossec-testrule: Type one log per line.

 Feb  1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net 
 auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]


 **Phase 1: Completed pre-decoding.
       full event: 'Feb  1 09:02:41 server1 ipop3d[39710]: Login failed 
 user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de 
 [212.112.234.119]'
       hostname: 'server1'
       program_name: 'ipop3d'
       log: 'Login failed user=stud...@hammer.net auth=stud...@hammer.net 
 host=ipx21117.ipxserver.de [212.112.234.119]'

 **Phase 2: Completed decoding.
       No decoder matched.

 **Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
 **Alert to be generated.


 I assume that means there is no specific decoder for ipop3d logs but it seems 
 to know what kind of problem it is and how to classify it.

 Does that mean ossec needs a decoder for this? Or do I need to make some kind 
 of config change?

 Thanks

Yes, you will need a decoder. Something like:

<!-- Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93] -->

<decoder name="ipop3d">
  <program_name>^ipop3d</program_name>
</decoder>

<decoder name="ipop3d-fail">
  <parent>ipop3d</parent>
  <prematch offset="after_parent">^Login failed </prematch>
  <regex offset="after_prematch">^user=(\S+) auth=(\S+) host=[(\d+.\d+.\d+.\d+)]$</regex>
  <order>dstuser, extra_data, srcip</order>
</decoder>

I haven't tested any of this though, so it may need tweaking.


[ossec-list] Re: day of decoder problems

2012-02-02 Thread Kat
I always wondered about that - shouldn't anything in Local... get
processed before the built-in?
I did have a feeling it was order dependent, and I took the route of
making the rules decoded_as - windows_date_format and everything
works, and this now confirms my thoughts that local did NOT get
processed first, but maybe this could be something for the future - a
switch for processing local BEFORE or AFTER builtin? Let the
organization decide on an install basis? I could see this fixing a
lot of ambiguity.

Thanks for the clarification.




Re: [ossec-list] Re: day of decoder problems

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 9:42 AM, Kat uncommon...@gmail.com wrote:
 I always wondered about that - shouldn't anything in Local... get
 processed before the built-in?
 I did have a feeling it was order dependent, and I took the route of
 making the rules decoded_as - windows_date_format and everything
 works, and this now confirms my thoughts that local did NOT get
 processed first, but maybe this could be something for the future - a
 switch for processing local BEFORE or AFTER builtin? Let the
 organization decide on an install basis? I could see this fixing a
 lot of ambiguity.

 Thanks for the clarification.


I have a bunch of decoders in local_decoders that rely on decoders in
the default file. Your change breaks that. ;)

You could easily add another decoder list that gets processed before
decoders.xml does. Use the <decoder> or <decoder_dir> options
(http://www.ossec.net/doc/syntax/head_ossec_config.rules.html).


[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread Jon Bayless
Well with that custom decoder it matches the decoder now. I will try it and see 
if it actually catches and blocks the source IPs now. 

Is there any way to test whether it is decoding that source IP and will be able 
to use it properly?

Thanks for all your help.


Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)

2012-02-02 Thread dan (ddp)
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless fbjbayl...@gmail.com wrote:
 Well with that custom decoder it matches the decoder now. I will try it and 
 see if it actually catches and blocks the source IPs now.

 Is there any way to test whether it is decoding that source IP and will be 
 able to use it properly?

 Thanks for all your help.

You can find out if a srcip or username or anything like that is
decoded from a log message with ossec-logtest. That info will show up
in Phase 2.
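
Kat's decoder-order problem and the ipop3d decoder dan sketched earlier in this digest come down to the same Phase 2 mechanics: root decoders are tried in load order, the first match wins, and only that decoder's children get to extract fields. The Python below is an added illustration written for this page, not OSSEC code: it approximates OSSEC's regex dialect with a small translator (an assumption; OSSEC's own matcher differs in the details), runs Kat's posted decoders behind and then ahead of a simplified stand-in for windows-date-format, and runs dan's ipop3d decoder, with a capture group added around the address and a leading `\.*` so the "host=name [ip]" form also decodes, over constructed log lines that use documentation addresses. The stand-in decoder, the translator and the sample lines are all this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Approximate translation of the OSSEC regex dialect used in this thread into
# Python re syntax (this example's assumption, not OSSEC's own matcher):
# \d digit, \s space, \S non-space, \w word char, \p punctuation, \. any
# character; + * ^ $ ( ) | keep their meaning; everything else is literal.
_TOKENS = {r"\d": "[0-9]", r"\s": " ", r"\S": "[^ ]", r"\w": r"[A-Za-z0-9_\-]",
           r"\p": r"[()*+,\-.:;<=>?\[\]]", r"\.": ".", r"\t": r"\t"}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _TOKENS:
            out.append(_TOKENS[pattern[i:i + 2]])
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "+*^$()|" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

@dataclass
class Decoder:
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None
    prematch: Optional[str] = None
    prematch_offset: Optional[str] = None   # None or "after_parent"
    regex: Optional[str] = None
    regex_offset: Optional[str] = None      # None, "after_parent" or "after_prematch"
    order: tuple = ()

_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
                     r"(?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(line):
    """Phase 1: split off a syslog header when the line has one."""
    m = _HEADER.match(line)
    if m:
        return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}
    return {"hostname": None, "program_name": None, "log": line}

def _apply(dec, ev, parent_end):
    """Return (end of this decoder's prematch, fields) or None if it does not match."""
    log, pre_end, fields = ev["log"], parent_end, {}
    if dec.program_name is not None:
        if not ev["program_name"] or not re.search(ossec_to_python(dec.program_name), ev["program_name"]):
            return None
    if dec.prematch is not None:
        start = parent_end if dec.prematch_offset == "after_parent" else 0
        m = re.search(ossec_to_python(dec.prematch), log[start:])
        if not m:
            return None
        pre_end = start + m.end()
    if dec.regex is not None:
        start = {"after_parent": parent_end, "after_prematch": pre_end}.get(dec.regex_offset, 0)
        m = re.search(ossec_to_python(dec.regex), log[start:])
        if not m:
            return None
        fields = dict(zip(dec.order, m.groups()))
    return pre_end, fields

def decode(decoders, line):
    """Phase 2: the first root decoder (in list order) that matches wins, then
    the first of its children that matches supplies the fields."""
    ev = predecode(line)
    for root in (d for d in decoders if d.parent is None):
        hit = _apply(root, ev, 0)
        if hit is None:
            continue
        result = {"decoder": root.name, **hit[1]}
        for child in (d for d in decoders if d.parent == root.name):
            chit = _apply(child, ev, hit[0])
            if chit is not None:
                result = {"decoder": child.name, **chit[1]}
                break
        return result
    return {"decoder": None}

# Simplified stand-in for the stock windows-date-format decoder: it only needs
# to claim lines that open with a "YYYY-MM-DD HH:MM:SS" stamp, as in Kat's output.
BUILTIN = [Decoder("windows-date-format", prematch=r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")]
# Kat's fw-private decoders, as posted.
KAT_LOCAL = [Decoder("fw-private", prematch=r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "),
             Decoder("fw-private-alert", parent="fw-private", regex=r"^Package: (\.+):\.+",
                     regex_offset="after_parent", order=("data",))]
# dan's ipop3d decoder, with a capture group around the address and a leading
# \.* so "host=name [ip]" is accepted too (both changes are this example's).
IPOP3D = [Decoder("ipop3d", program_name=r"^ipop3d"),
          Decoder("ipop3d-fail", parent="ipop3d", prematch=r"^Login failed ",
                  prematch_offset="after_parent", regex_offset="after_prematch",
                  regex=r"^user=(\S+) auth=(\S+) host=\.*[(\d+.\d+.\d+.\d+)]$",
                  order=("dstuser", "extra_data", "srcip"))]

KAT_LINE = "2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator"
# Constructed ipop3d lines in the two shapes seen in the thread (documentation addresses).
POP_LINES = ["Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[198.51.100.7]",
             "Feb  1 09:02:41 server1 ipop3d[39710]: Login failed user=student@example.net "
             "auth=student@example.net host=mail.example.net [203.0.113.5]"]

if __name__ == "__main__":
    print(decode(BUILTIN + KAT_LOCAL, KAT_LINE))   # stock list first, as OSSEC loads it
    print(decode(KAT_LOCAL + BUILTIN, KAT_LINE))   # local decoders ahead of the stock ones
    for line in POP_LINES:
        print(decode(IPOP3D, line))
```

Compare the dicts with what ossec-logtest prints in Phase 2: a hit on windows-date-format carries no fields, which is why Kat's line ends up at rule 1002, whereas the child decoders yield `data` and `srcip`; only a decoded `srcip` gives active-response something to act on.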


[ossec-list] Re: Decoding log

2012-02-02 Thread kumaig
it does not work with T either :(

On 2 Feb, 14:07, dan (ddp) ddp...@gmail.com wrote:
 On Wed, Feb 1, 2012 at 7:59 AM, kumaig goj...@gmail.com wrote:
  I have tried for a few weeks to decode one magento log with no luck. I
  have searched more then 2 weeks for solution for this problem. If
  anyone can help i appreciate it.
  the log is :
  2011-12-28T08:30:59+00:00 CRIT Not valid template file:frontend/base/
  default/template/exacttarget/top_sub.phtml

  i have made several decoders but none worked for this log.

  <decoder name="magentoCRIT">
  <!-- <prematch>^\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\p\d\d:\d\d\.*</prematch> -->
  <!-- <prematch>^\d+-\d+-\d+\w\d+:\d+:\d+\p\d+:\d+ CRIT</prematch> -->
  <!-- <prematch>CRIT</prematch> -->
  <prematch>\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\. CRIT</prematch>
  </decoder>

  My gues is that date format is making some sort of error.. because if
  i try format like this

  2011-12-28 08:30:59+00:00 CRIT Not valid template file:frontend/base/
  default/template/exacttarget/top_sub.phtml

  it finds modified decoder without \w.

  Thank you all!

 Why use the \w? Isn't it always a T?


[ossec-list] Re: Overriding composite rule (18152)

2012-02-02 Thread tao_zhyn
I knew I was missing something simple, overwrite="yes".
I do vaguely remember reading about this option. Yes, it is here:
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7

Dan, your suggestion did not work. It was still preferring the 18152,
although I took your suggestion and did the following.

  <!-- We will overwrite the default rule and
       add a check to make sure it is the same user -->
  <rule id="18152" level="10" frequency="8" timeframe="240" overwrite="yes">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <same_user />
    <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
    <group>authentication_failures,</group>
  </rule>


  <!-- This rule is a copy of the original 18152.
       It will capture any other multiple failed attempts at a lower alert level -->
  <rule id="100300" level="8" frequency="10" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <description>Multiple Windows Logon Failures.</description>
    <group>authentication_failures,</group>
  </rule>

This will fire 18152 (Possible Brute force) if the user is the same,
otherwise it will fire the new rule 100300.


During my testing I do see that ossec is saying the user is SYSTEM and
not user1. I see that the decoder assigns dstuser: SYSTEM, which is
the attribute for Security.

  Rule: 18139 (level 5) - 'Windows DC Logon Failure.'
  User: SYSTEM
  WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
AUTHORITY: SERVER1: Pre-authentication failed:  User Name: user1
User ID:%{S-1-5-21-1296043670-581226567-3024351967-8251}
Service Name: krbtgt/KEYANO.LOCAL   Pre-Authentication Type: 0x0
Failure Code: 0x19  Client Address: 10.0.0.10

This means rule 100300 will never be fired, because any failed
attempt looks like it comes from the same user.

Has anyone else encountered this? I will take a look at the decoder
later today to see what is going on.

I may have to find or create a new log event for a failed logon
attempt.  I have recently created a rule to ignore Pre-Authentication
fails (Failure Code: 0x18 and 0x19), since we are using windows 2003
and windows 7.
-- See: 
http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/
-- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD



On Feb 2, 6:18 am, dan (ddp) ddp...@gmail.com wrote:
 On Wed, Feb 1, 2012 at 5:02 PM, alsdks als...@gmail.com wrote:
  try that 18152 rule again in your local rules with overwrite=yes
  option , to overwrite the original rule and see how it goes .

 (WARNING: I do not know if this will work! Try it, see if it works. Or not.)

 Combined with the above, you could try adding your rule 100300 to
 local_rules, and copy rule 18152 with the overwrite=yes (and no
 other changes) below it.

 This might move the detection order to prefer the 100300 rule over
 18152 when the same user is involved. Might not though, I can't test
 it at the moment.

  On Feb 1, 11:20 pm, tao_zhyn taoz...@gmail.com wrote:
  I want to be notified if their are 10 failed logon attempts within 2
  minutes from the same user.

  I know that rule 18152 sends an alert when their are 10 (8) failed
  attempts within 2 minutes.

  From msauth_rules.xml

  <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
       <if_matched_group>win_authentication_failed</if_matched_group>
       <description>Multiple Windows Logon Failures.</description>
       <group>authentication_failures,</group>
  </rule>

  I have tried adding the following to my local_rules.xml

  <rule id="100300" level="10" frequency="8" timeframe="240">
      <if_matched_group>win_authentication_failed</if_matched_group>
      <same_user />
      <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
      <group>authentication_failures,</group>
  </rule>

  When i use ossec_logtest the rule 18152 is fired, but never 100300.

  FYI: I have a file ossec_test file with 10 lines of the same bad login
  for testing.

  WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
  AUTHORITY: SERVER1: Pre-authentication failed:          User Name:
   user1          User ID:        %
  {S-1-5-21-1296043670-581226567-3024351967-8251}         Service Name:
  krbtgt/DOMAIN.LOCAL
          Pre-Authentication Type: 0x0            Failure Code: 0x19      
  Client
  Address: 10.0.0.10

  ---

  I also tried the following in my local_rules.xml in the hope that it
  would override the one previously defined.

  <rule id="18152" level="10" frequency="8" timeframe="240">
       <if_matched_group>win_authentication_failed</if_matched_group>
       <same_user />
       <description>Multiple Windows Logon Failures. (Same User Test)</description>
       <group>authentication_failures,</group>
  </rule>

  When I use ossec_logtest the old rule is fired, does not have (Same
  User Test) in the description.

  --

  After some playing around I went 
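
The two threshold questions in this digest, alsdks's Solaris "last message repeated N times" lines that rule 5720 never counts and tao_zhyn's same_user rule that fires for everyone because dstuser decodes as SYSTEM, can both be watched in a few lines of Python. The block below is an added example for this page, not OSSEC's implementation: it expands syslog repeat summaries back into individual events, runs a frequency/timeframe counter with an optional same_user key, and reports which rule fires first. The rule ids come from the thread; the 120-second timeframe for 5720, the sample log lines (with documentation addresses) and the two Windows accounts are this example's assumptions, and the counter fires at exactly `frequency` events, whereas OSSEC's own counter, as tao_zhyn notes with "10 (8)", needs two more.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed Solaris-style syslog stream: eight sshd failures for one account,
# stored as two literal lines plus two "last message repeated" summaries.
SOLARIS_LINES = [
    "Feb  2 10:37:50 solaris1 sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 203.0.113.9",
    "Feb  2 10:37:55 solaris1 last message repeated 3 times",
    "Feb  2 10:38:00 solaris1 sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 203.0.113.9",
    "Feb  2 10:38:05 solaris1 last message repeated 3 times",
]
_SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
_REPEAT = re.compile(r"^last message repeated (\d+) times?$")
_FAILED = re.compile(r"Failed \S+ for (?P<user>\S+)")

@dataclass
class Event:
    ts: datetime
    host: str
    user: str

def expand_repeats(lines):
    """Replace each 'last message repeated N times' line with N copies of the
    previous message from the same host, stamped with the summary's time."""
    out, last = [], {}
    for line in lines:
        m = _SYSLOG.match(line)
        if not m:
            continue
        r = _REPEAT.match(m["msg"])
        if r is None:
            last[m["host"]] = m["msg"]
            out.append(line)
        elif m["host"] in last:
            out.extend(f'{m["ts"]} {m["host"]} {last[m["host"]]}' for _ in range(int(r.group(1))))
    return out

def failed_logins(lines):
    """Turn sshd failure lines into Events; anything else is ignored."""
    events = []
    for line in lines:
        m = _SYSLOG.match(line)
        f = _FAILED.search(m["msg"]) if m else None
        if f:
            events.append(Event(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], f["user"]))
    return events

@dataclass
class CompositeRule:
    """frequency/timeframe counter; same_user adds the user to the grouping key."""
    rule_id: int
    frequency: int
    timeframe: int             # seconds
    same_user: bool = False
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev):
        """Return rule_id when `frequency` events share the key within `timeframe`."""
        key = (ev.host, ev.user) if self.same_user else ev.host
        q = self._seen[key]
        q.append(ev.ts)
        while (ev.ts - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()          # start over once fired, so the next burst is counted afresh
            return self.rule_id
        return None

def evaluate(rules, events):
    """Feed every event to every rule; per event, report only the first rule in
    list order that fires, as matching stops at the first hit."""
    fired = []
    for ev in events:
        hits = [rule.feed(ev) for rule in rules]
        first = next((h for h in hits if h is not None), None)
        if first is not None:
            fired.append(first)
    return fired

def solaris_demo(expand):
    """Rule 5720-style counter over the Solaris stream, with or without expansion."""
    lines = expand_repeats(SOLARIS_LINES) if expand else SOLARIS_LINES
    return evaluate([CompositeRule(5720, frequency=8, timeframe=120)], failed_logins(lines))

def windows_demo(user_decoded_as_system):
    """Ten logon failures on SERVER1, five each for two accounts, ten seconds apart."""
    rules = [CompositeRule(18152, frequency=8, timeframe=240, same_user=True),
             CompositeRule(100300, frequency=8, timeframe=240)]
    events = [Event(datetime(2012, 2, 2, 10, 0, 0) + timedelta(seconds=10 * i), "SERVER1",
                    "SYSTEM" if user_decoded_as_system else ("user1" if i % 2 else "user2"))
              for i in range(10)]
    return evaluate(rules, events)

if __name__ == "__main__":
    print("solaris, raw:     ", solaris_demo(expand=False))   # []
    print("solaris, expanded:", solaris_demo(expand=True))    # [5720]
    print("windows, SYSTEM:  ", windows_demo(True))           # [18152]
    print("windows, real:    ", windows_demo(False))          # [100300]
```

Without expansion the Solaris stream yields only two countable failures and never reaches the threshold; with expansion it reaches eight. In the Windows case, decoding every failure as SYSTEM collapses the per-user keys into one and the same_user rule fires even though the failures are split across two accounts, which is what tao_zhyn observed and the reason the decoder (or the field the rule keys on) needs fixing before the rule is tuned.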

Re: [ossec-list] Segfaults with overwrite

2012-02-02 Thread Andreas Piesk
On 02.02.2012 10:06, Oliver Mueller wrote:
 If I add the following rule to local_rules.xml and try to test it with 
 ossec-logtest, I receive a
 segfault (see below):
 
..
 
 Is there any update planned for ossec soon?

works for me (RHEL 5.7 64bit):

$ /var/ossec/bin/ossec-logtest -V

OSSEC HIDS v2.6 - Trend Micro Inc.

$ /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not 
found: /myapp/


**Phase 1: Completed pre-decoding.
   full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] 
user unknownUser not
found: /myapp/'
   hostname: 'myhost'
   program_name: '(null)'
   log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

**Phase 2: Completed decoding.
   decoder: 'apache-errorlog'
   srcip: '192.168.0.123'

**Phase 3: Completed filtering (rules).
   Rule id: '30109'
   Level: '9'
   Description: 'Attempt to login using a non-existent user.'
**Alert to be generated.


Regards,
-ap


[ossec-list] fts or first-time cache in decoder syntax

2012-02-02 Thread tao_zhyn
I was reviewing the windows decoder and noticed <fts>name,
location, user, system_name</fts>. I could not find any reference in
the documentation as to what this was for.

I finally found a reference to it in one of the messages on this
mailing list, "need help on writing rules" (http://groups.google.com/group/ossec-list/browse_thread/thread/b8bdc5dae941eb18/77f39262b2e416a3?lnk=gst&q=first-time+cache#).


From my understanding, <fts> in the decoder says which attributes
should be added to the first-time cache. Then in the rules you can
use <if_fts /> to check if this is the first time this attribute value
has been seen. Please correct me if I am wrong.


I wanted to mention it here for others to easily find. Also can this
be added to the documentation somewhere? The closest I came to finding
it in the documentation was here: 
http://www.ossec.net/doc/syntax/head_decoders.html#element-decoder
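
As an added illustration of the first-time-seen mechanism described in this post (example code written for this page, not OSSEC's implementation; the on-disk format and the rule id are assumptions), the block below keeps a cache keyed on the four fields the windows decoder lists in `<fts>`, persists it to an append-only file so a restart does not make every combination "first time" again, and wraps it in an `<if_fts />`-style check that fires once per new combination.

```python
import os
import tempfile

# The fields the windows decoder names in <fts>; the engine around them is
# this example's own, not OSSEC's.
FTS_FIELDS = ("name", "location", "user", "system_name")

class FirstTimeCache:
    """Append-only cache of field combinations already seen, persisted to a
    file so the 'first time' judgement survives a restart. The one-key-per-line
    layout is an assumption of this example."""
    def __init__(self, path, fields=FTS_FIELDS):
        self.path, self.fields = path, fields
        self.seen = set()
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.seen.update(line.rstrip("\n") for line in fh)

    def key(self, event):
        # Missing fields count as empty, so partial events still get a stable key.
        return "|".join(str(event.get(f, "")) for f in self.fields)

    def is_first_time(self, event):
        """True exactly once per distinct combination of the fts fields."""
        k = self.key(event)
        if k in self.seen:
            return False
        self.seen.add(k)
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(k + "\n")
        return True

def if_fts_rule(cache, event, rule_id=100201):
    """Stand-in for a rule carrying <if_fts />: fires only on first sight."""
    return rule_id if cache.is_first_time(event) else None

# Constructed decoded events (the keys are what a decoder's <order> would emit).
EVENTS = [
    {"name": "Security", "location": "WinEvtLog", "user": "user1", "system_name": "SERVER1"},
    {"name": "Security", "location": "WinEvtLog", "user": "user1", "system_name": "SERVER1"},
    {"name": "Security", "location": "WinEvtLog", "user": "user2", "system_name": "SERVER1"},
    {"name": "Security", "location": "WinEvtLog", "user": "user1", "system_name": "SERVER2"},
]

def run_demo(path=None):
    """Run the events through a fresh cache, then again through a new cache
    object that reloads the same file; the second pass should stay silent."""
    path = path or os.path.join(tempfile.mkdtemp(), "fts-queue")
    cache = FirstTimeCache(path)
    first_pass = [if_fts_rule(cache, ev) for ev in EVENTS]
    second_pass = [if_fts_rule(FirstTimeCache(path), ev) for ev in EVENTS]
    return first_pass, second_pass

if __name__ == "__main__":
    print(run_demo())   # ([100201, None, 100201, 100201], [None, None, None, None])
```

A new user, or a known user on a new system, is "first time"; the repeat of an already-seen combination is not, and neither is anything after the cache file has been reloaded.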





[ossec-list] Re: OSSEC server No Daily Reports

2012-02-02 Thread Macus
"..." means an ellipsis.
I think the syntax is valid, because I have received the report daily
for over a month. However, I couldn't receive it sometimes starting
from last week. Does no report mean no alert?

On Feb 2, 9:04 PM, dan (ddp) ddp...@gmail.com wrote:
 On Tue, Jan 31, 2012 at 8:42 PM, Macus macu...@gmail.com wrote:
  I have setup a daily report like below for the syscheck. it is
  supposed to have the report delivered to my mailbox? The syscheck is
  scheduled daily at 20:00

  <reports>
     <category>syscheck</category>
     <title>OSSEC Daily Report: File Integrity Check Result</title>
  ...
  ...

 I don't think ... is valid syntax.

     <showlogs>yes</showlogs>
   </reports>

  thanks.


[ossec-list] Segfaults with overwrite

2012-02-02 Thread Oliver Mueller
If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I receive a segfault (see below):

<group name="apache,">
 <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
 <!-- Original rule blocked user if login failed once. That's a bit too hard -->
 <if_matched_sid>30101</if_matched_sid>
 <regex>user \S+ not found</regex>
 <description>Attempt to login using a non-existent user.</description>
 <group>invalid_login,</group>
 </rule>
</group>



# ../bin/ossec-logtest
2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
not found: /myapp/


**Phase 1: Completed pre-decoding.
   full event: '[Mon Jan 23 08:40:46 2012] [error] [client
192.168.0.123] user unknownUser not found: /myapp/'
   hostname: 'server'
   program_name: '(null)'
   log: '[error] [client 192.168.0.123] user unknownUser not found:
/myapp/'

**Phase 2: Completed decoding.
   decoder: 'apache-errorlog'
   srcip: '192.168.0.123'
Segmentation fault


Is there any update planned for ossec soon?