[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jacob Mcgrath


*Started the decoder/rules from scratch since the test ossec system at home 
worked ok...*


*This sees the FTP log attempts + the elevation of "Brute Force" to an 
active response through route-null.cmd.  but the route-null.cmd 
should be the latest updated release of this script from github...*



*But it is working,  a little more tuning but it works*



*Enable active response on Windows FTP IIS  agent:*

<localfile>
  <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

<active-response>
  <disabled>no</disabled>
</active-response>


*Add to server ossec.conf:*

<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>win_nullroute</command>
  <location>all</location>
  <rules_id>10006</rules_id>
  <level>6</level>
  <timeout>60</timeout>
</active-response>


*Server local_decoder.xml:*

<decoder name="msftp8">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch>^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC4</prematch>
  <regex>^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)</regex>
  <order>srcip,user,action,id</order>
</decoder>


*Server local_rules.xml:*

 

 

  

msftp8 

Grouping for the Microsoft ftp 8 rules. 

   

 

   

14 

PASS 

530 

FTP Authentication failed. 

authentication_failed, 

   

 

   

15 

FTP brute force (multiple failed logins). 

authentication_failures, 

  

 







On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>
> Here is what I have so far...
>
> *Agent config*
>
>
>
> 
> C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
> iis
> 
>
> *Server local_decoder.xml*
>
>  
>   windows-date-format 
>   true 
>   ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC prematch> 
>   ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S 
> + \S+  
>   \d+ (\S+) \S+ (\d+)  
>   srcip,user,action,id 
>  
>
> *Server local_rules.xml*
>
>  
>
> msftp8 
> Grouping for the Microsoft ftp 8 rules. 
>
>
>
> 14 
> PASS 
> 530 
> FTP Authentication failed. 
> authentication_failed, 
>
>
>
> 15 
> FTP brute force (multiple failed logins). description> 
> authentication_failures, 
>   
>
>  
>
>
>
> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.
>
>
> The plan is to check the IIS 8 FTP server log looking for brute force 
> attempts and in addition drop the IP that is offending to agents.
>
> I have set these up and restarted both server and agent and run 10+ rapid 
> ftp login attempts but do not see any real alerts as designed.
>
> Any direction would be welcomed...
>
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
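The decoder and brute-force rule being configured above, as an added example in Python (not code from the thread or from OSSEC): it decodes the IIS 8 FTP W3C log line the way the posted regexes do, shows why a line pasted with runs of spaces decodes nothing, and applies a per-source threshold like <if_matched_sid> with <frequency>/<timeframe>. The threshold and window values are assumptions; the posts never state them.

```python
"""Added example (not code from the thread): decode IIS 8 FTP W3C log lines
the way the posted OSSEC decoder does, then apply a per-source threshold like
<if_matched_sid> with <frequency>/<timeframe>.  Threshold and window are
assumed values; the posts never state them."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parent decoder windows-date-format consumes the leading "YYYY-MM-DD HH:MM:SS ".
DATE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")
# Child decoder prematch: client ip, client port, cs-username, FTPSVC site name.
PREMATCH_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+ \d+ \S+ FTPSVC")
# Child decoder regex, captures srcip, user, action (cs-method), id (sc-status).
FIELDS_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+)")


def decode(line, collapse_spaces=False):
    """Return the decoded fields, or None when the decoder would not match.

    Single literal spaces in the regex do not tolerate runs of spaces, so a
    line arriving as "12600   PASS" decodes nothing and falls through to the
    generic rule 1002 seen in the thread; collapse_spaces=True normalises it.
    """
    if collapse_spaces:
        line = " ".join(line.split())
    m = DATE_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    if not PREMATCH_RE.match(rest):
        return None
    f = FIELDS_RE.match(rest)
    if not f:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "srcip": f.group(1), "user": f.group(2),
            "action": f.group(3), "id": f.group(4)}


def is_auth_failure(ev):
    """Rule 15 in the thread: cs-method PASS with sc-status 530."""
    return ev is not None and ev["action"] == "PASS" and ev["id"] == "530"


def brute_force_sources(lines, frequency=6, timeframe=60):
    """Source IPs with at least `frequency` failures inside `timeframe` seconds,
    a sliding-window approximation of <if_matched_sid>15</if_matched_sid> with
    <same_source_ip/>.  Defaults are assumed, not taken from the posts."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)
    flagged = []
    for line in lines:
        ev = decode(line, collapse_spaces=True)
        if not is_auth_failure(ev):
            continue
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= frequency and ev["srcip"] not in flagged:
            flagged.append(ev["srcip"])
    return flagged


# Constructed sample lines in the same W3C layout as the 530 event in the post
# (GUID and second client are made up); seven failures in seven seconds.
SAMPLE_LINES = [
    "2016-05-23 20:03:%02d 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 "
    "12600 PASS *** 530 1326 41 101 16 0 00000000-0000-0000-0000-000000000000 - "
    "An+error+occurred+during+the+authentication+process." % sec
    for sec in range(38, 45)
] + ["2016-05-23 20:05:00 10.18.100.99 40000 - FTPSVC4 SPMEDIA1 - 10.20.199.157 "
     "12600 PASS *** 230 0 0 101 16 0 00000000-0000-0000-0000-000000000001 - -"]
```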


[ossec-list] Re: Monitoring defacement on highly dynamic websites with OSSEC

2016-05-25 Thread Tahir Hafiz
Hi Joe, 

Apologies for the late reply. 

Basically, there is a file here:
/var/ossec/etc/internal_options.conf

It contains these parameters:
syscheck.sleep=2
syscheck.sleep_after=15

By changing those it is possible to decrease the time of any syscheck 
considerably. 

I think it is possible to run a md5 checksum against a set of files and 
compare it to the ones listed in a file as a one liner bash shell command 
within the OSSEC server in the following way:
https://blog.rootshell.be/2011/10/25/detecting-defaced-websites-with-ossec/

Do you think the above sounds reasonable?

Cheers,
Tahir









On Monday, 2 May 2016 19:01:31 UTC+1, joe.co...@wazuh.com wrote:
>
> Tahir,
>
> There are two scans which run, depending on the size of your environment 
> this can take some time (in your case 30 min).
>
> 1) rootcheck
> 2) syscheck
>
> This configuration is located in your ossec.conf:
>  
> 
> 79200
>
> If you have changed the frequency or forced the scan and noticed it is 
> still taking a while to finish, this is due to the fact that root check 
> needs to finish in order to establish a "baseline". You can disable the 
> root check scans in the ossec.conf, if you aren't using them.
>
> 
> yes
>
> As far as the noise goes. There are a couple paths you could probably 
> go, but I think what you're referring to is a cdb list of known (authorized) 
> md5 hashes from the publishing platform to check against the files that 
> changed? Am I understanding you correctly?
>
>
>
> On Sunday, April 24, 2016 at 7:04:49 PM UTC-4, Tahir Hafiz wrote:
>>
>> Hi all, 
>>
>> I have got OSSEC doing real time monitoring on my /srv/dir* web 
>> directories. 
>> However, even though the /srv/ dir* is being monitored in real time - it 
>> seems to take a long time to baseline (30 minutes). 
>> Why does it take 30 minutes to baseline, I restricted OSSEC to just md5sums 
>> and it still took half an hour?
>>
>>
>> The /srv/* web directory resyncs itself to an s3 bucket which has fresh 
>> html pages, therefore it is very difficult to establish a baseline as the 
>> site is dynamic and the File Integrity Level 7 alerts happen a lot - too 
>> many false positives. 
>>
>> Does anyone know of a way for OSSEC to monitor a dynamically changing 
>> website for defacement when it constantly syncs from AWS S3 every 2 
>> minutes? We are thinking the following 3 may work in some way (what do you 
>> think?). :
>>
>> 1. Add a file to the S3 bucket with a metatag that has to be there i.e. 
>> index.html page . 
>>
>> 2.  Get baseline down to 10 minutes and corresponding syncs down as well 
>> to 15 minutes. Restart OSSEC on each sync. 
>>
>> 3. Get md5sums from the publishing platform into OSSEC.  Can OSSEC get 
>> md5sum values for directories and files directly and then crosscheck with 
>> the downloaded ones??
>>
>>
>> Cheers and thank you for any assistance,
>> Tahir
>>
>

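Option 3 from the thread (publisher-supplied md5sums cross-checked against the synced web root), as an added example in Python that is not OSSEC's code and not from the linked blog post. It assumes the publishing platform hands over an md5sum-style manifest ("<md5>  <path>" per line); everything else in the sample is constructed inline.

```python
"""Added example (not OSSEC's code): check a web root that is re-synced from
S3 against an md5 manifest from the publishing platform, option 3 in the
thread.  The manifest format, one md5sum-style "<md5>  <path>" line per file,
is an assumption."""
import hashlib
import os
import tempfile


def md5_file(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative, '/'-separated path) to its md5."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = md5_file(full)
    return result


def parse_manifest(text):
    """Parse md5sum output lines; a leading './' on the path is dropped."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.strip().partition("  ")
        if path.startswith("./"):
            path = path[2:]
        manifest[path] = digest.lower()
    return manifest


def compare(manifest, actual):
    """Classify the deployed tree against what was published.

    modified: hash differs from the published one, unexpected: on disk but
    never published, missing: published but absent.  Matching files are not
    reported, so routine syncs stay silent and only deviations need an alert.
    """
    return {
        "modified": sorted(p for p in manifest
                           if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(p for p in actual if p not in manifest),
        "missing": sorted(p for p in manifest if p not in actual),
    }


def demo():
    """Constructed sample: index.html altered after publishing, an extra
    file on disk, and a published page that never arrived."""
    with tempfile.TemporaryDirectory() as root:
        on_disk = {"index.html": b"<html>changed</html>\n",
                   "css/site.css": b"body{}\n",
                   "extra.php": b"<?php echo 1; ?>\n"}
        for rel, data in on_disk.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        published = "%s  ./index.html\n%s  css/site.css\n%s  about.html\n" % (
            hashlib.md5(b"<html>original</html>\n").hexdigest(),
            hashlib.md5(on_disk["css/site.css"]).hexdigest(),
            hashlib.md5(b"about\n").hexdigest())
        return compare(parse_manifest(published), hash_tree(root))
```

Run on the real web root after each sync, its output is the only thing that needs to reach OSSEC, so the S3 churn itself never produces an alert.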


Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread Tahir Hafiz


On Wednesday, 25 May 2016 12:48:01 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, May 25, 2016 at 4:59 AM, Tahir Hafiz  > wrote: 
> > Thanks but I think this is not quite what I am after as this seems more 
> like 
> > a log parser tool. 
> > I think what I am looking for is an "automated intruder" tool, like a 
> script 
> > that can be run which will cause alerts to happen at the various OSSEC 
> alert 
> > levels from 0 to 16. 
> > 
> > I will see if a google search or two can find me an automated intruder 
> tool. 
> > 
>
> Like nessus, nmap, or nexpose? 
>

Not really, I am just looking for a script that I can run on a box (could 
be the OSSEC server box itself, could be a box where the OSSEC agents are 
installed) and the script runs and triggers alerts at various levels, this 
is just to demo that OSSEC works basically for the high level alerts.
What I will do is code a python script (I am not a coder but can do a few 
basic things) that does that and let you guys know when it's done and if 
you want to incorporate it into the OSSEC code repo itself you are more 
than welcome to it. 

Every tool I have found is completely over-specced and over-laboured for 
the basic task I need to do (Pytbull comes close I think), such as:
https://www.reddit.com/r/sysadmin/comments/xi13l/what_are_good_ids_testing_tools/





 



Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread dan (ddp)
On Wed, May 25, 2016 at 4:59 AM, Tahir Hafiz  wrote:
> Thanks but I think this is not quite what I am after as this seems more like
> a log parser tool.
> I think what I am looking for is an "automated intruder" tool, like a script
> that can be run which will cause alerts to happen at the various OSSEC alert
> levels from 0 to 16.
>
> I will see if a google search or two can find me an automated intruder tool.
>

Like nessus, nmap, or nexpose?

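Dan's point that the contrib tests check ossec-logtest output rather than alerts.log, as an added example (Python, not the project's runtests.py): it parses the three-phase output ossec-logtest prints and compares it with the rule, level and decoder a test case expects. The sample output is the one quoted in the IIS FTP thread on this page, with wrapped lines re-joined.

```python
"""Added example, not from the thread and not OSSEC's runtests.py: parse the
three-phase output ossec-logtest prints and compare it with the rule, alert
level and decoder a test case expects, which is the check the contrib test
harness performs instead of looking in alerts.log."""
import re

PHASE_RE = re.compile(r"^\*\*Phase (\d)")
KV_RE = re.compile(r"^\s+([\w ]+): '(.*)'$")   # e.g. "   srcip: '10.18.100.24'"
PHASE3_KEYS = {"Rule id": "rule", "Level": "level", "Description": "description"}


def parse_logtest(output):
    """Return decoder name, decoded fields, rule id, level and alert flag."""
    result = {"decoder": None, "fields": {}, "rule": None,
              "level": None, "description": None, "alert": False}
    phase = 0
    for line in output.splitlines():
        pm = PHASE_RE.match(line)
        if pm:
            phase = int(pm.group(1))
            continue
        if line.startswith("**Alert to be generated"):
            result["alert"] = True
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2)
        if phase == 2:                      # decoder name and decoded fields
            if key == "decoder":
                result["decoder"] = value
            else:
                result["fields"][key] = value
        elif phase == 3 and key in PHASE3_KEYS:   # matched rule
            result[PHASE3_KEYS[key]] = value
    return result


def check(output, rule=None, alert=None, decoder=None):
    """Return mismatches between expectation and output; empty list = pass."""
    got = parse_logtest(output)
    problems = []
    if rule is not None and got["rule"] != str(rule):
        problems.append("rule: expected %s, got %s" % (rule, got["rule"]))
    if alert is not None and got["level"] != str(alert):
        problems.append("level: expected %s, got %s" % (alert, got["level"]))
    if decoder is not None and got["decoder"] != decoder:
        problems.append("decoder: expected %s, got %s" % (decoder, got["decoder"]))
    return problems


# The ossec-logtest output quoted in the IIS FTP thread on this page, with the
# wrapped 'full event' value re-joined onto one line.
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
       hostname: 'v280'
       program_name: '(null)'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '10.18.100.24'
       dstuser: '-'
       action: 'PASS'
       id: '530'

**Phase 3: Completed filtering (rules).
       Rule id: '15'
       Level: '5'
       Description: 'FTP Authentication failed.'
**Alert to be generated.
"""
```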


Re: [ossec-list] Re: OSSEC Email-notification: multiple email-addresses/recipients possible?

2016-05-25 Thread Ioan Corneliu SALISTEANU
In this case the email will contain multiple To: headers which will cause 
problems with AV and AS systems. Right?

Friday, 28 September 2007, 03:41:12 UTC+3, Daniel Cid wrote:
>
> Hi,
>
> Actually, this format will not work. You need to specify each email
> address on its
> own "email_to" tag:
>
> per...@mydomain.com 
> per...@mydomain.com 
> xxx
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/27/07, tswmme...@gmail.com   > wrote:
> >
> > Yes it is.
> >
> > Try adding something like this to your ossec.conf file.
> >
> > 
> >per...@mydomain.com ,per...@mydomain.com 
> 
> >12
> >
> >
> >  
> >
> >
> >
> > On Sep 21, 5:08 pm, Verlag Neue Stadt  wrote:
> > > Hello,
> > >
> > > is it possible to define several email-addresses/recipients (where
> > > email-notifications are being sent) ?
> > >
> > > Thanks a lot for your feedback!
> > >
> > > John
> >
> >
>
>



Re: [ossec-list] Best ways to test OSSEC in an environment

2016-05-25 Thread Tahir Hafiz
Thanks but I think this is not quite what I am after as this seems more 
like a log parser tool. 
I think what I am looking for is an "automated intruder" tool, like a 
script that can be run which will cause alerts to happen at the various 
OSSEC alert levels from 0 to 16. 

I will see if a google search or two can find me an automated intruder tool.

Cheers,
Tahir



On Tuesday, 24 May 2016 18:15:42 UTC+1, dan (ddpbsd) wrote:
>
> On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz  > wrote: 
> > Thanks I found the link earlier on. 
> > 
> > I have read through the document but I am not sure how to do the tests 
> > (using Ubuntu 14.04 LTS). 
> > I have downloaded the OSSEC version that we are using (2.8.2): 
> > wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz 
> > 
> > I have unpacked the tarball, moved the ossec-testing directory that was 
> in 
> > the tarball to /var/ossec/contrib, and then changed my working directory 
> to 
> > that directory. 
> > I have started the tests by executing as root: 
> > python runtests.py 
> > 
> > I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts 
> going 
> > off there. 
> > 
>
> It does not create alerts. It uses ossec-logtest to see if the log 
> messages produce the expected result. 
> If you do not see ossec-logtest output, everything is working as expected. 
>
> > Also, in my ossec-testing/tests directory I can only see two test files: 
> > named.ini 
> > sshd.ini 
> > 
> > Should there not be more? As in as many as the number of rules files. 
> > I am just not sure how to run the runtests.py and have more .ini test 
> files 
> > and have the alerts showing in /var/ossec/logs/alerts/alerts.log. 
> > 
>
> Should there be more? Of course. But these tests aren't free. They take 
> time and effort. 
>
> Looks like there's 25 in the current development source, but they're 
> underpopulated. 
> I'm guessing I just hadn't done much with them back when 2.8.2 was 
> finalized. It's a semi-new feature 
> that I only recently began to properly appreciate. 
>
> If you want more tests, I can think of 3 options: 
> 1. Do the work yourself. (and consider contributing back if you do) 
> 2. Provide me with log samples. 
> 3. Provide me with time. 
>
>
> > Cheers, 
> > Tahir 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Tuesday, 24 May 2016 16:47:12 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, May 24, 2016 at 11:33 AM, Tahir Hafiz  
> wrote: 
> >> > Hi Dan, 
> >> > 
> >> > Is there any documentation as to how to set-up and run the tests? 
> >> > Where can I find said documentation? 
> >> > 
> >> 
> >> 
> >> 
> https://ossec.github.io/docs/development/build/test-rules.html?highlight=runtests
>  
> >> 
> >> > Cheers, 
> >> > Tahir 
> >> > 
> >> > 
> >> > On Tuesday, 24 May 2016 13:55:58 UTC+1, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Tue, May 24, 2016 at 5:50 AM, Tahir Hafiz  
> >> >> wrote: 
> >> >> > Dear All, 
> >> >> > 
> >> >> > Is there a test suite available which can be used to test a fully 
> >> >> > functioning OSSEC server/client installation? 
> >> >> > I am looking to test the rule sets systematically, I know I can 
> >> >> > modify a 
> >> >> > system file and it will alert etc, but I am looking for a more 
> >> >> > automated 
> >> >> > test suite and methods across the rule sets. 
> >> >> > 
> >> >> 
> >> >> In the source tarball, there is contrib/ossec-testing. The 
> >> >> run-tests.py file uses the information in tests/*.ini to check 
> rules. 
> >> >> It'll require some setup, and plenty of log samples. There aren't a 
> >> >> lot of tests in there currently, but I try to keep it updated when I 
> >> >> see interesting log samples. 
> >> >> It's not perfect, but it can help find some issues. 
> >> >> 
> >> >> > Thank you, 
> >> >> > Tahir 
> >> >> > 
> >> > 
> > 
>


[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
I guess you know it, but you must restart OSSEC after changing decoder, 
rules or ossec.conf.

On Wednesday, May 25, 2016 at 10:37:49 AM UTC+2, Jesus Linares wrote:
>
> Hi Jacob,
>
> I have no idea what is happening.
>
> ossec.conf:
>   
> etc/decoder.xml
> etc/local_decoder.xml
>
> local_decoder.xml:
> 
>   windows-date-format
>   true
>   ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC
> 
>   ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ 
> \S+ 
>   \d+ (\S+) \S+ (\d+) 
>   srcip,user,action,id
> 
>
> local_rules.xml:
> 
>   
> msftp8
> Grouping for the Microsoft ftp 8 rules.
>   
>
>
>   
> 14
> PASS
> 530
> FTP Authentication failed.
> authentication_failed,
>   
>
>
>   
> 15
> FTP brute force (multiple failed logins).
> authentication_failures,
>   
>
>
> 
>
> ossec-logtest:
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 
> SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
> 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.'
>hostname: 'v280'
>program_name: '(null)'
>log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 
> 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
> 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.'
>
>
> **Phase 2: Completed decoding.
>decoder: 'windows-date-format'
>srcip: '10.18.100.24'
>dstuser: '-'
>action: 'PASS'
>id: '530'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '15'
>Level: '5'
>Description: 'FTP Authentication failed.'
> **Alert to be generated.
>
> cat /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v2.8"
> DATE="Wed May 25 10:13:08 CEST 2016"
> TYPE="server"
>
> I tested it with the log:
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
> An+error+occurred+during+the+authentication+process.
>
> but in your last post, the log looks like:
> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600   PASS *** 530 1326 41 101 11 0 
> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc 
>  curred+during+the+authentication+process.
>
> I guess the white spaces are due to a format issue when you pasted the 
> log, or are you receiving the log with white spaces?
>
> Regards.
>
>
> On Tuesday, May 24, 2016 at 9:05:59 PM UTC+2, Jacob Mcgrath wrote:
>>
>>
>> As far as alert.log
>>
>>
>> ** Alert 1464116536.2709526: mail  - syslog,errors,
>> 2016 May 24 19:02:16 (spmedia1) 
>> 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ 
>>  ex160524.log
>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> Src IP: 10.18.100.24
>> User: -
>> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
>> 12600   PASS *** 530 1326 41 101 11 0 
>> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc 
>>  curred+during+the+authentication+process.
>>
>> On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>>>
>>> Here is what I have so far...
>>>
>>> *Agent config*
>>>
>>>
>>>
>>> 
>>> C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
>>> iis
>>> 
>>>
>>> *Server local_decoder.xml*
>>>
>>>  
>>>   windows-date-format 
>>>   true 
>>>   ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC>> prematch> 
>>>   ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S 
>>> + \S+  
>>>   \d+ (\S+) \S+ (\d+)  
>>>   srcip,user,action,id 
>>>  
>>>
>>> *Server local_rules.xml*
>>>
>>>  
>>>
>>> msftp8 
>>> Grouping for the Microsoft ftp 8 rules. 
>>>
>>>
>>>
>>> 14 
>>> PASS 
>>> 530 
>>> FTP Authentication failed. 
>>> authentication_failed, 
>>>
>>>
>>>
>>> 15 
>>> FTP brute force (multiple failed logins).>> description> 
>>> authentication_failures, 
>>>   
>>>
>>>  
>>>
>>>
>>>
>>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>>
>>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 
>>> 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
>>> 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
>>> An+error+occurred+during+the+authentication+process.
>>>
>>>
>>> The plan is to check the IIS 8 FTP server log looking for brute force 
>>> attempts and in addition drop the IP that is offending to agents.
>>>
>>> I have set these up and restarted both server and agent and run 10+ 
>>> rapid ftp login attempts but do not see any real alerts as designed.
>>>
>>> Any direction would be welcomed...
>>>
>>>
>>>
>>>


[ossec-list] Re: IIS 8 FTP log monitor & alert

2016-05-25 Thread Jesus Linares
Hi Jacob,

I have no idea what is happening.

ossec.conf:
  
etc/decoder.xml
etc/local_decoder.xml

local_decoder.xml:

  windows-date-format
  true
  ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC
  ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ 

  \d+ (\S+) \S+ (\d+) 
  srcip,user,action,id


local_rules.xml:

  
msftp8
Grouping for the Microsoft ftp 8 rules.
  


  
14
PASS
530
FTP Authentication failed.
authentication_failed,
  


  
15
FTP brute force (multiple failed logins).
authentication_failures,
  




ossec-logtest:
2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.




**Phase 1: Completed pre-decoding.
   full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 
SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.'
   hostname: 'v280'
   program_name: '(null)'
   log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 
10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.'


**Phase 2: Completed decoding.
   decoder: 'windows-date-format'
   srcip: '10.18.100.24'
   dstuser: '-'
   action: 'PASS'
   id: '530'


**Phase 3: Completed filtering (rules).
   Rule id: '15'
   Level: '5'
   Description: 'FTP Authentication failed.'
**Alert to be generated.

cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.8"
DATE="Wed May 25 10:13:08 CEST 2016"
TYPE="server"

I tested it with the log:
2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.

but in your last post, the log looks like:
2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
12600   PASS *** 530 1326 41 101 11 0 
1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc 
 curred+during+the+authentication+process.

I guess the white spaces are due to a format issue when you pasted the log, 
or are you receiving the log with white spaces?

Regards.


On Tuesday, May 24, 2016 at 9:05:59 PM UTC+2, Jacob Mcgrath wrote:
>
>
> As far as alert.log
>
>
> ** Alert 1464116536.2709526: mail  - syslog,errors,
> 2016 May 24 19:02:16 (spmedia1) 
> 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ 
>  ex160524.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Src IP: 10.18.100.24
> User: -
> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600   PASS *** 530 1326 41 101 11 0 
> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc 
>  curred+during+the+authentication+process.
>
> On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>>
>> Here is what I have so far...
>>
>> *Agent config*
>>
>>
>>
>> 
>> C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log
>> iis
>> 
>>
>> *Server local_decoder.xml*
>>
>>  
>>   windows-date-format 
>>   true 
>>   ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC> prematch> 
>>   ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S 
>> + \S+  
>>   \d+ (\S+) \S+ (\d+)  
>>   srcip,user,action,id 
>>  
>>
>> *Server local_rules.xml*
>>
>>  
>>
>> msftp8 
>> Grouping for the Microsoft ftp 8 rules. 
>>
>>
>>
>> 14 
>> PASS 
>> 530 
>> FTP Authentication failed. 
>> authentication_failed, 
>>
>>
>>
>> 15 
>> FTP brute force (multiple failed logins).> description> 
>> authentication_failures, 
>>   
>>
>>  
>>
>>
>>
>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>
>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
>> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
>> An+error+occurred+during+the+authentication+process.
>>
>>
>> The plan is to check the IIS 8 FTP server log looking for brute force 
>> attempts and in addition drop the IP that is offending to agents.
>>
>> I have set these up and restarted both server and agent and run 10+ rapid 
>> ftp login attempts but do not see any real alerts as designed.
>>
>> Any direction would be welcomed...
>>
>>
>>
>>



[ossec-list] Re: parent usage in local_decoder.xml

2016-05-25 Thread Jesus Linares
Hi Dave,

That happens. Maybe I didn't explain it very well.

Just add a prematch to the USB decoder in 
kernel-iptables_apparmor_decoders.xml 

 
and use this decoder in your local_decoder file:


 iptables
 ^[\s*\d+.\d+] ipt:
 (\S+): in=\.+ src=(\S+) dst=(\S+) 
 action,srcip,dstip


I'm glad to help!

Regards.



On Wednesday, May 25, 2016 at 4:35:19 AM UTC+2, Dave Vehrs wrote:
>
> Oh and if I follow the links in your reply you have already shown me the 
> prematch to add!
>
> It's days like this that I almost feel like a blind man, the answer was 
> there for me all!
>
> It's now all working and I will take the lesson to slow down to read & 
> consider what is said in the replies before I rush off in some attempted 
> fix.
>
> Thanks again!
>
> Dave
>
