Here's a typical email I keep getting from ossec:

--------
Received From: stamina->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
system."
Portion of the log(s):

Jul 19 13:51:00 stamina vm-pop3d[28323]: User '[EMAIL PROTECTED]' - failed
auth, from=999.85.128.188

 --END OF NOTIFICATION
--------

I've been trying to get ossec to recognise this error and, in turn, not
only stop it from sending me an email every time it sees such a line
but also deal with the persistent offenders. Here's what I tried (I've
never done this before):

First, I added a few lines to decoder.xml:


--------
<!-- vm-pop3d -->

<decoder name="vm-pop3d">
  <program_name>^vm-pop3d</program_name>
</decoder>

<decoder name="vm-pop3d-fail">
  <parent>vm-pop3d</parent>
  <prematch>User '</prematch>
  <regex offset="after_prematch">([EMAIL PROTECTED])' - failed auth, from=(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
--------
Next, I added some rules to local_rules.xml:

--------
<group name="syslog,vm-pop3d,">
  <rule id="30200" level="0" noalert="1">
    <decoded_as>vm-pop3d</decoded_as>
    <description>Grouping for the vm-pop3d rules.</description>
  </rule>

  <rule id="30201" level="5">
    <if_sid>30200</if_sid>
    <match>User '[EMAIL PROTECTED]' - failed auth</match>
    <group>authentication_failed,</group>
    <description>Login failed accessing the pop3 server.</description>
  </rule>

  <rule id="30202" level="10" frequency="8" timeframe="240">
    <if_matched_sid>30201</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
--------
However, I'm clearly doing something wrong, because ossec continued
not to recognise the failed-auth log line and emailed me every time it
turned up. I'd be very grateful if someone could point me in the right
direction.

Thanks,
Chris
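As an added example (not part of the post, and not OSSEC's own code), the following Python script emulates what the posted decoder and rules are meant to do, so the intended detection logic can be checked on sample lines before touching decoder.xml. It assumes the address the archive shows as `[EMAIL PROTECTED]` was an ordinary mailbox name (any run of non-quote characters), uses constructed log lines in the same shape as the one in the post, and simplifies OSSEC's composite-rule semantics: the per-source counter is reset once the frequency alert fires, so one burst yields one level-10 alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Equivalent of the posted parent decoder (program_name ^vm-pop3d) plus the
# generic syslog prefix: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Equivalent of the posted child decoder: prematch "User '" then user and srcip.
# The user field is assumed to be anything up to the closing quote.
FAIL_RE = re.compile(
    r"^User '(?P<user>[^']+)' - failed auth, from=(?P<srcip>\d+\.\d+\.\d+\.\d+)$"
)

FREQUENCY = 8    # rule 30202 in the post: frequency="8"
TIMEFRAME = 240  # rule 30202 in the post: timeframe="240" (seconds)


def decode(line):
    """Return (timestamp, user, srcip) for a vm-pop3d failed-auth line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("vm-pop3d"):
        return None
    f = FAIL_RE.match(m.group("msg"))
    if not f:
        return None
    # Syslog timestamps carry no year; only differences between them are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, f.group("user"), f.group("srcip")


def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Emulate rule 30201 (one level-5 alert per failure) and rule 30202
    (level-10 alert when `frequency` failures from the same srcip fall
    within `timeframe` seconds). Returns (level, srcip, user) tuples in log order."""
    alerts = []
    recent = defaultdict(deque)  # srcip -> timestamps of failures still in window
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue  # not a vm-pop3d failure: no alert from these rules
        ts, user, srcip = decoded
        alerts.append((5, srcip, user))
        window = recent[srcip]
        window.append(ts)
        # Drop failures older than the timeframe relative to this event.
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((10, srcip, user))
            window.clear()  # simplification: one composite alert per burst
    return alerts


# Constructed sample log (not a real capture), patterned on the post's line:
# eight failures from one source ten seconds apart, one from another source,
# one unrelated sshd line, and a late failure after the window has expired.
SAMPLE_LOG = [
    f"Jul 19 13:{51 + i // 6:02d}:{(i % 6) * 10:02d} stamina vm-pop3d[28323]: "
    f"User 'alice@example.net' - failed auth, from=198.51.100.7"
    for i in range(8)
] + [
    "Jul 19 13:51:35 stamina vm-pop3d[28330]: User 'bob@example.net' - failed auth, from=203.0.113.9",
    "Jul 19 13:51:40 stamina sshd[100]: Accepted publickey for bob from 203.0.113.5 port 2222 ssh2",
    "Jul 19 14:10:00 stamina vm-pop3d[28401]: User 'alice@example.net' - failed auth, from=198.51.100.7",
]


if __name__ == "__main__":
    for level, srcip, user in correlate(SAMPLE_LOG):
        print(f"level {level:2d}  srcip={srcip}  user={user}")
```

If the Python emulation produces the expected level-10 alert but OSSEC does not, the difference lies in how OSSEC parses the XML rather than in the detection logic; `ossec-logtest` (shipped with OSSEC) prints which decoder and rule a pasted log line hits, which is the quickest way to see where the chain stops.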
