[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)
How can I determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that:

ossec-testrule: Type one log per line.

Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]


**Phase 1: Completed pre-decoding.
       full event: 'Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]'
       hostname: 'server1'
       program_name: 'ipop3d'
       log: 'Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

I assume that means there is no specific decoder for ipop3d logs, but it seems to know what kind of problem it is and how to classify it. Does that mean ossec needs a decoder for this? Or do I need to make some kind of config change?

Thanks
Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)
On Thu, Feb 2, 2012 at 9:34 AM, Jon Bayless <fbjbayl...@gmail.com> wrote:
> How can I determine if the IP is properly decoded? With the ossec-logtest program? Here is the output I get from that:
>
> ossec-testrule: Type one log per line.
>
> Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 1 09:02:41 server1 ipop3d[39710]: Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]'
>        hostname: 'server1'
>        program_name: 'ipop3d'
>        log: 'Login failed user=stud...@hammer.net auth=stud...@hammer.net host=ipx21117.ipxserver.de [212.112.234.119]'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2501'
>        Level: '5'
>        Description: 'User authentication failure.'
> **Alert to be generated.
>
> I assume that means there is no specific decoder for ipop3d logs, but it seems to know what kind of problem it is and how to classify it. Does that mean ossec needs a decoder for this? Or do I need to make some kind of config change?
>
> Thanks

Yes, you will need a decoder. Something like:

<!-- Feb 1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93] -->
<decoder name="ipop3d">
  <program_name>^ipop3d</program_name>
</decoder>

<decoder name="ipop3d-fail">
  <parent>ipop3d</parent>
  <prematch offset="after_parent">^Login failed </prematch>
  <!-- the address needs its own group, or the third name in <order> (srcip) gets nothing -->
  <regex offset="after_prematch">^user=(\S+) auth=(\S+) host=[(\d+.\d+.\d+.\d+)]$</regex>
  <order>dstuser, extra_data, srcip</order>
</decoder>

I haven't tested any of this though, so it may need tweaking.
[ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)
Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to use it properly? Thanks for all your help.
Re: [ossec-list] Re: Active-response doesn't seem to work for some rules (ipop3 specifically but some ssh and other auth failures as well)
On Thu, Feb 2, 2012 at 10:34 AM, Jon Bayless <fbjbayl...@gmail.com> wrote:
> Well with that custom decoder it matches the decoder now. I will try it and see if it actually catches and blocks the source IPs now. Is there any way to test whether it is decoding that source IP and will be able to use it properly? Thanks for all your help.

You can find out if a srcip or username or anything like that is decoded from a log message with ossec-logtest. That info will show up in Phase 2.
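The Phase 2 check described in this reply, applied to the decoder posted earlier in the thread, as an added example. This is Python written for this page, not OSSEC's code and not anything posted by the participants: it emulates what ossec-logtest prints for Phase 1 and Phase 2 over a few constructed ipop3d lines, using Python re translations of the decoder (OSSEC decoder files use OSSEC's own regex dialect, so these patterns are not what goes into a decoder file). Two details are assumptions of the example rather than the posted decoder: the child regex accepts an optional hostname before the bracketed address, because the line in the question reads host=ipx21117.ipxserver.de [212.112.234.119] while the decoder's comment line reads host=[12.36.252.93], and the address sits in its own capture group so that the third name in order, srcip, actually receives a value.

```python
"""Emulate ossec-logtest Phase 1 (pre-decoding) and Phase 2 (decoding) for an ipop3d decoder.

Added example, not OSSEC code. Patterns are Python `re` translations of the decoder posted in
the thread; the real decoder file uses OSSEC's own regex dialect. Sample lines are constructed.
"""
import re

# Constructed sample lines: (1) the shape from the question, hostname before the bracketed
# address; (2) the shape in the decoder's comment, address only; (3) an ipop3d line the child
# decoder must not claim; (4) a program with no decoder at all.
SAMPLE_LOGS = [
    "Feb  1 09:02:41 server1 ipop3d[39710]: Login failed user=alice@example.net "
    "auth=alice@example.net host=host.example.org [203.0.113.17]",
    "Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[198.51.100.9]",
    "Feb  1 06:41:12 server1 ipop3d[33080]: Login user=bob host=[198.51.100.9]",
    "Feb  1 06:42:00 server1 imapd[33091]: Login failed user=carol auth=carol host=[198.51.100.9]",
]

# Phase 1: split the syslog header into hostname, program_name and the log body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2: one parent decoder keyed on program_name and one child that runs after it.
# Assumptions of this example (not the posted decoder): the child regex tolerates an optional
# hostname before the bracketed address, and the address has its own capture group so the
# third name in "order" (srcip) is populated.
DECODERS = [
    {"name": "ipop3d", "parent": None, "program_name": re.compile(r"^ipop3d$")},
    {
        "name": "ipop3d-fail",
        "parent": "ipop3d",
        "prematch": re.compile(r"^Login failed "),  # offset="after_parent"
        "regex": re.compile(                         # offset="after_prematch"
            r"^user=(\S+) auth=(\S+) host=\S*\s?\[(\d{1,3}(?:\.\d{1,3}){3})\]$"),
        "order": ["dstuser", "extra_data", "srcip"],
    },
]


def predecode(line):
    """Phase 1: return the pre-decoded fields, or None when the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(line):
    """Phase 1 + 2: return {'decoder': <name or None>, 'fields': {...}} for one log line."""
    result = {"decoder": None, "fields": {}}
    pre = predecode(line)
    if pre is None:
        return result
    for parent in (d for d in DECODERS if d["parent"] is None):
        if not parent["program_name"].match(pre["program_name"]):
            continue
        result["decoder"] = parent["name"]
        # The parent matched only on program_name, so "after_parent" is the whole log body.
        body = pre["log"]
        for child in (d for d in DECODERS if d["parent"] == parent["name"]):
            pm = child["prematch"].match(body)
            if not pm:
                continue
            rm = child["regex"].match(body[pm.end():])
            if not rm:
                continue
            result["decoder"] = child["name"]
            result["fields"] = dict(zip(child["order"], rm.groups()))
            break
        break
    return result


def srcip_for_active_response(line):
    """Active-response can only block what the decoder extracted: the srcip field, or None."""
    return decode(line)["fields"].get("srcip")


def phase2_report(line):
    """Render the information ossec-logtest prints under **Phase 2 for the line."""
    d = decode(line)
    if d["decoder"] is None:
        return "**Phase 2: Completed decoding.\n       No decoder matched."
    out = [f"**Phase 2: Completed decoding.\n       decoder: '{d['decoder']}'"]
    out += [f"       {k}: '{v}'" for k, v in d["fields"].items()]
    return "\n".join(out)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line)
        print(phase2_report(line))
        print("       active-response target:", srcip_for_active_response(line), "\n")
```

Feed each real line to /var/ossec/bin/ossec-logtest and compare its Phase 2 block with what this prints: a line that reaches a child decoder but shows no srcip there is one active-response cannot block, whatever rule fires in Phase 3.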