Here's a typical email I keep getting from ossec:

--------
Received From: stamina->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 19 13:51:00 stamina vm-pop3d[28323]: User '[EMAIL PROTECTED]' - failed auth, from=999.85.128.188

--END OF NOTIFICATION
--------

I've been trying to get ossec to recognise this error and in turn not only stop it from sending me an email every time it sees such a line but also deal with the persistent offenders. Here's what I tried (I've never done this before).

First, I added a few lines to decoder.xml:

--------
<!-- vm-pop3d -->
<decoder name="vm-pop3d">
  <program_name>^vm-pop3d</program_name>
</decoder>

<decoder name="vm-pop3d-fail">
  <parent>vm-pop3d</parent>
  <prematch>User '</prematch>
  <regex offset="after_prematch">([EMAIL PROTECTED])' - failed auth, from=(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
--------

Next, I added some rules to local_rules.xml:

--------
<group name="syslog,vm-pop3d,">
  <rule id="30200" level="0" noalert="1">
    <decoded_as>vm-pop3d</decoded_as>
    <description>Grouping for the vm-pop3d rules.</description>
  </rule>

  <rule id="30201" level="5">
    <if_sid>30200</if_sid>
    <match>User '[EMAIL PROTECTED]' - failed auth</match>
    <group>authentication_failed,</group>
    <description>Login failed accessing the pop3 server.</description>
  </rule>

  <rule id="30202" level="10" frequency="8" timeframe="240">
    <if_matched_sid>30201</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
--------

However, I'm clearly doing something wrong, because ossec continued to not recognise the failed auth log and emailed me every time it turned up. I'd be very grateful if someone could point me in the right direction.

Thanks,
Chris
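Added example, not part of Chris's post or of OSSEC itself: a small Python emulation of what the decoder and rules above are meant to do, useful for checking the field extraction and the same-source-IP correlation (8 failures within 240 seconds) against sample lines before loading them into ossec. The log lines and addresses are constructed placeholders, and the counting is a simplified sliding window rather than OSSEC's exact frequency semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FREQUENCY = 8    # rule 30202 frequency="8"
TIMEFRAME = 240  # rule 30202 timeframe="240" (seconds)

# Python equivalent of the vm-pop3d-fail decoder: program name, the "User '"
# prematch, then the user and srcip fields (<order>user, srcip</order>).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ vm-pop3d\[\d+\]: "
    r"User '(?P<user>[^']+)' - failed auth, from=(?P<srcip>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log: one address fails 8 times in 35 seconds, a second
# address fails once, and an unrelated sshd line must be ignored by the decoder.
SAMPLE_LOG = [
    f"Jul 19 13:51:{s:02d} stamina vm-pop3d[28323]: User 'alice@example.org'"
    f" - failed auth, from=203.0.113.5"
    for s in range(0, 40, 5)
] + [
    "Jul 19 13:52:00 stamina vm-pop3d[28330]: User 'bob@example.org' - failed auth, from=198.51.100.7",
    "Jul 19 13:52:05 stamina sshd[1234]: Accepted publickey for bob from 198.51.100.7",
]

def decode(line):
    """Return the decoded fields for a vm-pop3d failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
    return {"ts": ts, "user": m.group("user"), "srcip": m.group("srcip")}

def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Emulate rule 30202: alert when `frequency` decoded failures from the same
    source IP fall within `timeframe` seconds.  Returns [(srcip, ts), ...]."""
    recent = defaultdict(deque)  # srcip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # not a vm-pop3d failure: rule 30201 would not match
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > timeframe:
            q.popleft()  # expire failures outside the window
        if len(q) >= frequency:
            alerts.append((ev["srcip"], ev["ts"]))
            q.clear()  # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for srcip, ts in correlate(SAMPLE_LOG):
        print(f"POP3 brute force from {srcip} at {ts:%H:%M:%S}")
```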