Active response not firing / Rules not matching


bar...@bossanova.com

Sep 20, 2016, 12:11:49 PM9/20/16
to ossec-list
Question: I have a custom decoder/rule which I believe should lead to an active response


My alert logs show:

OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385171", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:10 2016 us=65544 100.99.88.77:62693 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385203", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:42 2016 us=65834 100.99.88.77:28569 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385211", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:50 2016 us=806194 100.99.88.77:59297 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:38 2016 us=310533 100.99.88.77:25104 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385448", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:46 2016 us=987802 100.99.88.77:4767 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
OSSEC - TS:"1474385454", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:53 2016 us=807904 100.99.88.77:10344 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 


I have a set of rules like the below snippet shows

custom_rules.xml snippet

<rule id="100504" level="5">
  <if_sid>100500</if_sid>
  <match>CRL CHECK FAILED</match>
  <description>Revoked Certificate Usage.</description>
  <group>authentication_failed,</group>
</rule>

<rule id="100505" level="5">
  <if_sid>100500</if_sid>
  <match>TLS handshake failed</match>
  <description>TLS handshake failed</description>
  <group>authentication_failed,</group>
</rule>

<!-- Composite rule: three 100504 matches from the same source IP within 120 s,
     then stay quiet for 90 s. <same_source_ip/> needs a decoder that fills srcip. -->
<rule id="100506" level="10" frequency="3" timeframe="120" ignore="90">
  <if_matched_sid>100504</if_matched_sid>
  <same_source_ip/>
  <description>Multiple Revoked CRL OpenVPN authentication failures.</description>
  <group>authentication_failures,</group>
</rule>

<!-- Same shape as 100506, but counting TLS handshake failures (100505). -->
<rule id="100507" level="10" frequency="3" timeframe="120" ignore="90">
  <if_matched_sid>100505</if_matched_sid>
  <same_source_ip/>
  <description>Multiple OpenVPN authentication failures.</description>
  <group>authentication_failures,</group>
</rule>

<!-- Level 0: silence noisy messages. Each <match> line ends in | so the
     entries form one alternation. -->
<rule id="100508" level="0">
  <if_sid>100500</if_sid>
  <match>error trying to bind as user|</match>
  <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
  <match>Username/Password verification failed for peer|</match>
  <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match>
  <description>OpenVPN message that is useless, redundant, or lacking context.</description>
</rule>



My expectation is that rule 100507 should match if 100504 matches 3 times within 2 minutes


I have active response enable in my ossec.conf but my active_response.log shows no activity 

Any advice?

Thanks

-barrett

dan (ddp)

Sep 20, 2016, 12:25:13 PM9/20/16
to ossec...@googlegroups.com
Rule 100500 is missing.
Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
within 90 seconds.

>
> I have active response enable in my ossec.conf but my active_response.log
> shows no activity
>

Do they rely on 100507? If so, that shouldn't be a surprise.


> Any advice?
>
> Thanks
>
> -barrett

dan (ddp)

Sep 20, 2016, 12:25:30 PM9/20/16
to ossec...@googlegroups.com
On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Sep 20, 2016 at 11:58 AM, <bar...@bossanova.com> wrote:
>> Question: I have a custom decoder/rule which I believe should lead to an
>> active response
>>
>>
>> My alert logs show:
>>
>> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
>> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
>> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
>> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04
>> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
>> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
>> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
>>
Adding a 100500 and a decoder (to match the IP address so that
<same_ip /> has something to work with), I can get 100506 to fire
after a number of 100504s.
I haven't verified 100507 yet though.

bar...@bossanova.com

Sep 20, 2016, 12:59:53 PM9/20/16
to ossec-list
I didn't post the entire ruleset or my decoders

Rule 100500 exists. I have a decoder that also extracts the src IP.

I have attached the complete rules and decoders
openvpn_rule.xml
openvpn_decoder.xml

bar...@bossanova.com

Sep 20, 2016, 1:04:01 PM9/20/16
to ossec-list
I misspoke in the original email. I was attempting to fire 100506 based on 100504.

A side question: My openvpn install does not log to syslog and does not contain the program name. I was forced to name all decoders the same in order to get the rule to match. Is there a more elegant way to handle this? Or, better yet, is there a way to indicate that a certain log file should only have certain decoders applied?

Thank you very much for the help.

-b

bar...@bossanova.com

Sep 20, 2016, 1:26:43 PM9/20/16
to ossec-list
Also in my original logs it does show SRCIP as being set and identical across those entries.

dan (ddp)

Sep 20, 2016, 1:33:31 PM9/20/16
to ossec...@googlegroups.com
On Tue, Sep 20, 2016 at 1:26 PM, <bar...@bossanova.com> wrote:
> Also in my original logs it does show SRCIP as being set and identical
> across those entries.
>

Which doesn't matter if there is no decoder to decode the IP address.

dan (ddp)

Sep 20, 2016, 1:44:54 PM9/20/16
to ossec...@googlegroups.com
On Tue, Sep 20, 2016 at 1:04 PM, <bar...@bossanova.com> wrote:
> I misspoke in the original email. I was attempting to fire 100506 based on
> 100504.
>



> A side question: My openvpn install does not log to syslog and does not
> contain the program name. I was forced to name all decoders the same in
> order to get the rule to match. Is there a more elegant way to handle this.
> Or better yet indicate that a certain log file should only have certain
> decoders applied?
>

There is no way to bind decoders to log files.
Handling bad log sources can be difficult. It's best to abstract as
much as possible.

These decoders get the IP address in the log messages (not tested for
conflicts with anything else, and I obviously don't have the log
samples you do):
<decoder name="openvpn">
  <prematch>^\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d us=\d+ </prematch>
</decoder>

<decoder name="openvpn-ip">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\S+):\d+ </regex>
  <order>srcip</order>
</decoder>

With these, and the rules you provided, I'm able to get 100506 to fire
after a number of 100504s (in ossec-logtest).
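An added example (not from this thread or from the OSSEC project) that lets you check the expectation offline, without ossec-logtest. It translates the two decoders above into Python regexes, applies rule 100504's match, and runs a simplified model of rule 100506 (if_matched_sid, frequency, timeframe, same_source_ip, ignore) over the seven lines posted earlier in the thread. It assumes that rule 100500 (not posted) matches anything the "openvpn" decoder decodes, and it does not reproduce every detail of analysisd's bookkeeping; the names `decode`, `rule_100504`, `rule_100506` and `with_ip_decoder` are this example's own. The `with_ip_decoder=False` run shows the point made above: with no srcip decoded, `<same_source_ip/>` has nothing to group on and the composite rule never fires.

```python
import re
from collections import defaultdict

# Constructed sample input: the seven OpenVPN log lines and OSSEC TS values quoted
# earlier in this thread, rebuilt from one template (only clock, us= and port vary).
TEMPLATE = ("Tue Sep 20 {clock} 2016 us={us} {ip}:{port} CRL CHECK FAILED: C=US, ST=PA, "
            "L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, "
            "name=EasyRSA, emailAddress=m...@email.com is REVOKED")
SAMPLE_EVENTS = [
    (ts, TEMPLATE.format(clock=clock, us=us, ip="100.99.88.77", port=port))
    for ts, clock, us, port in [
        (1474385165, "15:26:04", 815044, 37778),
        (1474385171, "15:26:10", 65544, 62693),
        (1474385203, "15:26:42", 65834, 28569),
        (1474385211, "15:26:50", 806194, 59297),
        (1474385440, "15:30:38", 310533, 25104),
        (1474385448, "15:30:46", 987802, 4767),
        (1474385454, "15:30:53", 807904, 10344),
    ]
]

# The two decoders from the reply above, translated from OSSEC regex syntax to Python re.
# "openvpn": prematch on the timestamp prefix. "openvpn-ip": child decoder that runs
# offset="after_parent" and stores its first capture as srcip.
OPENVPN_PREMATCH = re.compile(r"^\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d us=\d+ ")
OPENVPN_IP_REGEX = re.compile(r"^(\S+):\d+ ")


def decode(line, with_ip_decoder=True):
    """Return decoded fields, or None when the 'openvpn' prematch does not apply."""
    m = OPENVPN_PREMATCH.match(line)
    if m is None:
        return None
    fields = {"decoder": "openvpn", "srcip": None, "log": line}
    if with_ip_decoder:
        ip = OPENVPN_IP_REGEX.match(line[m.end():])  # after_parent: start past the prematch
        if ip is not None:
            fields["srcip"] = ip.group(1)
    return fields


def rule_100504(fields):
    """Assumption: rule 100500 (not posted in the thread) matches anything the
    'openvpn' decoder decoded; 100504 then needs 'CRL CHECK FAILED' in the log."""
    return fields is not None and "CRL CHECK FAILED" in fields["log"]


def rule_100506(events, frequency=3, timeframe=120, ignore=90, with_ip_decoder=True):
    """Simplified model of <if_matched_sid>100504</if_matched_sid> with frequency,
    timeframe, <same_source_ip/> and ignore. Returns the timestamps at which 100506 fires."""
    counted = defaultdict(list)   # srcip -> timestamps of 100504 matches still in the window
    last_fired = None
    fired = []
    for ts, line in events:
        fields = decode(line, with_ip_decoder)
        if not rule_100504(fields):
            continue
        if fields["srcip"] is None:
            # <same_source_ip/> groups on the decoded srcip; with nothing decoded there
            # is nothing to group on, so the composite rule can never fire.
            continue
        window = [t for t in counted[fields["srcip"]] if ts - t <= timeframe]
        window.append(ts)
        counted[fields["srcip"]] = window
        if len(window) < frequency:
            continue
        if last_fired is not None and ts - last_fired < ignore:
            continue              # ignore="90": the rule fired recently, stay quiet
        fired.append(ts)
        last_fired = ts
        counted[fields["srcip"]] = []  # the firing consumes the events it counted
    return fired


if __name__ == "__main__":
    print("with srcip decoded:   ", rule_100506(SAMPLE_EVENTS))
    print("without srcip decoded:", rule_100506(SAMPLE_EVENTS, with_ip_decoder=False))
```

With srcip decoded, the model fires at the third event of each burst (TS 1474385203 and 1474385454); the fourth event at 1474385211 falls inside the 90 s ignore window and is suppressed. Once this matches what you see in ossec-logtest, the remaining gap is on the active-response side (the `<active-response>` block's `<rules_id>` or `<level>` must actually select rule 100506, and the agent or server named in `<location>` must be the one seeing the event).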

bar...@bossanova.com

Sep 20, 2016, 2:06:34 PM9/20/16
to ossec-list
Thanks for the help.

It still isn't working on my end, so I think I have a misunderstanding I need to work through.

Appreciate the help

-b