Re: [ossec-list] Dovecot rules don't trigger actie response
17 views
Skip to first unread message
dan (ddp)
Oct 31, 2018, 8:56:37 AM10/31/18
to ossec...@googlegroups.com
On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <biondi....@gmail.com> wrote:
>
> Hi at all,
>
> I have some entry in log on the my mailserver (with installed ossec agent) like this:
>
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> and my ossec server in the alert.log say:
>
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> ** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
> 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
> Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> The problem is: rules 9705 in the dovecot rules have level 7 and in my ossec.conf all rules over level 6 trigger a active response.. but not for 'dovecot'.. I don't understand why..
> All AR working fine for ALL other rule.. http and smtp.. only for dovecot don't trigger a active response..
>
> Any suggest are appreciate.
>
> Giorgio Biondi
>
The log message you provided does not decode the IP address.
root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest
2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file.
2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
ossec-testrule: Type one log per line.
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth
failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN,
rip=222.252.6.70, lip=10.12.14.36
**Phase 1: Completed pre-decoding.
full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login:
Disconnected (auth failed, 1 attempts):
user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70,
lip=10.12.14.36'
hostname: 'mailscanner04'
program_name: 'dovecot'
log: 'pop3-login: Disconnected (auth failed, 1 attempts):
user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70,
lip=10.12.14.36'
**Phase 2: Completed decoding.
decoder: 'dovecot'
**Phase 3: Completed filtering (rules).
Rule id: '9705'
Level: '5'
Description: 'Dovecot Invalid User Login Attempt.'
**Alert to be generated.
The decoders will have to be adjusted for that the IP to get pulled
out and be useful for active response.
You might be able to adjust the <decoder name="dovecot-authfailed">
decoder to fit.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
> Hi at all,
>
> I have some entry in log on the my mailserver (with installed ossec agent) like this:
>
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> and my ossec server in the alert.log say:
>
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> ** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
> 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
> Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
> The problem is: rules 9705 in the dovecot rules have level 7 and in my ossec.conf all rules over level 6 trigger a active response.. but not for 'dovecot'.. I don't understand why..
> All AR working fine for ALL other rule.. http and smtp.. only for dovecot don't trigger a active response..
>
> Any suggest are appreciate.
>
> Giorgio Biondi
>
The log message you provided does not decode the IP address.
root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest
2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file.
2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
ossec-testrule: Type one log per line.
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth
failed, 1 attempts): user=<bwjozw...@caccabee.it>, method=PLAIN,
rip=222.252.6.70, lip=10.12.14.36
**Phase 1: Completed pre-decoding.
full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login:
Disconnected (auth failed, 1 attempts):
user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70,
lip=10.12.14.36'
hostname: 'mailscanner04'
program_name: 'dovecot'
log: 'pop3-login: Disconnected (auth failed, 1 attempts):
user=<bwjozw...@caccabee.it>, method=PLAIN, rip=222.252.6.70,
lip=10.12.14.36'
**Phase 2: Completed decoding.
decoder: 'dovecot'
**Phase 3: Completed filtering (rules).
Rule id: '9705'
Level: '5'
Description: 'Dovecot Invalid User Login Attempt.'
**Alert to be generated.
The decoders will have to be adjusted for that the IP to get pulled
out and be useful for active response.
You might be able to adjust the <decoder name="dovecot-authfailed">
decoder to fit.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Giorgio Biondi
Oct 31, 2018, 9:17:46 AM10/31/18
to ossec-list
Hi Dan,
I have too small skill for adjust a decoder.. you can make this for me? I don't known where starting for make it...
Thanks for your time..
dan (ddp)
Oct 31, 2018, 9:21:01 AM10/31/18
to ossec...@googlegroups.com
On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <biondi....@gmail.com> wrote:
>
> Hi Dan,
>
> I have too small skill for adjust a decoder.. you can make this for me? I don't known where starting for make it...
>
This works for the 1 example you provided:
>
> Hi Dan,
>
> I have too small skill for adjust a decoder.. you can make this for me? I don't known where starting for make it...
>
<decoder name="dovecot-authfailed">
<parent>dovecot</parent>
<prematch offset="after_parent">^pop3-login: </prematch>
<regex offset="after_prematch">^Disconnected \(auth failed, \d+
attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex>
<order>user,srcip,dstip</order>
</decoder>
Giorgio Biondi
Oct 31, 2018, 9:52:09 AM10/31/18
to ossec-list
Hi Dan,
I try to understand where put new decoder and update you ASAP..
Giorgio Biondi
Oct 31, 2018, 10:12:33 AM10/31/18
to ossec-list
Hi Dan,
I have remove in decoder.xml old dovecot-authfailed and have copied your code.. and I have restart ossec server.. behaviur is the same..
in the alert.log i see level 7 rule 9705 but active response don't trigger..
dan (ddp)
Oct 31, 2018, 10:37:10 AM10/31/18
to ossec...@googlegroups.com
On Wed, Oct 31, 2018 at 10:12 AM Giorgio Biondi
<biondi....@gmail.com> wrote:
>
> Hi Dan,
>
you've updated the decoders.
Use ossec-logtest to test the log message.
<biondi....@gmail.com> wrote:
>
> Hi Dan,
>
> I have remove in decoder.xml old dovecot-authfailed and have copied your code.. and I have restart ossec server.. behaviur is the same..
> in the alert.log i see level 7 rule 9705 but active response don't trigger..
>
Make sure you restart the ossec processes on the ossec server after
> in the alert.log i see level 7 rule 9705 but active response don't trigger..
>
you've updated the decoders.
Use ossec-logtest to test the log message.
Giorgio Biondi
Oct 31, 2018, 11:34:06 AM10/31/18
to ossec-list
Dan,
in front of all, thank for your time.
I think the problem is more treacherous .. it's not that the decoder does not work or that the rule does not work .. it works all in fact I see in the alert.log that the server understands that there is a failed login .. the problem is that, although the rule has level 7 and I have in ossec.conf that rules above level 6 trigger active response this does NOT happen. As if dovecot rules could not generate an active response. Honestly I do not know what 'log to watch .. I spent the last 48 hours watching but there seems to be nothing wrong ..
dan (ddp)
Oct 31, 2018, 12:00:55 PM10/31/18
to ossec...@googlegroups.com
On Wed, Oct 31, 2018 at 11:34 AM Giorgio Biondi
<biondi....@gmail.com> wrote:
>
> Dan,
>
> in front of all, thank for your time.
>
> I think the problem is more treacherous .. it's not that the decoder does not work or that the rule does not work .. it works all in fact I see in the alert.log that the server understands that there is a failed login .. the problem is that, although the rule has level 7 and I have in ossec.conf that rules above level 6 trigger active response this does NOT happen. As if dovecot rules could not generate an active response. Honestly I do not know what 'log to watch .. I spent the last 48 hours watching but there seems to be nothing wrong ..
>
You did not include the version of OSSEC you're using, so I can't do
<biondi....@gmail.com> wrote:
>
> Dan,
>
> in front of all, thank for your time.
>
> I think the problem is more treacherous .. it's not that the decoder does not work or that the rule does not work .. it works all in fact I see in the alert.log that the server understands that there is a failed login .. the problem is that, although the rule has level 7 and I have in ossec.conf that rules above level 6 trigger active response this does NOT happen. As if dovecot rules could not generate an active response. Honestly I do not know what 'log to watch .. I spent the last 48 hours watching but there seems to be nothing wrong ..
>
specific testing.
You'll need to put a bit more effort into this to get the problem solved.
I'm short on time (real life always seems to intrude on my hobbies),
so here's a command to run on the OSSEC server:
`echo 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected
(auth failed, 1 attempts): user=<bwjozw...@caccabee.it>,
method=PLAIN, rip=222.252.6.70, lip=10.12.14.36' |
/var/ossec/bin/ossec-logtest`
In order for OSSEC to initiate the active response (I assume anyway,
you did not include that configuration either) a source ip has to be
decoded.
Your initial alerts.log entry does not mention a source IP, so I had
to assume it was not being decoded properly (which I verified for the
version of OSSEC I have installed).
So first, we need to determine if the proper data is being parsed so
that active response has a chance of working.
If it is, we need to make sure the ossec processes were restarted at
some point, and watch for alerts after that moment.
Giorgio Biondi
Nov 1, 2018, 4:31:07 AM11/1/18
to ossec...@googlegroups.com
Hi Dan,
I Have installed on my server Ossec V3.1 downloaded from github, not the official release.. about 20 day ago.. all my 10 agent are installed with this version.
Anyway.. now.. working with your decoder.. I have see log today, and I have for first one trigger with rule 97XX - WORK!!!!
Look my log:
Server Ossec : alert.log:
[root@serverossec ~]# grep "Nov 1 03:52:58" /var/ossec/logs/alerts/alerts.log
Nov 1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<yifo...@caccabee.it>, method=PLAIN, rip=196.219.91.169, lip=10.12.14.36
Agent Ossec : active-response.log
[root@mailscanner04 ~]# grep "196.219.91.169" /var/ossec/logs/active-responses.log
gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/host-deny.sh add - 196.219.91.169 1541040779.741935 9705
gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/firewall-drop.sh add - 196.219.91.169 1541040779.741935 9705
I do not know how to thank you .. it should be pointed out to the developers of ossec that you need to change the decoder to mitigate attacks on dovecot.
I do not know how to thank you .. it should be pointed out to the developers of ossec that you need to change the decoder to mitigate attacks on dovecot.
Before today I had never seen the 97XX rule in the log .. so without your modification the ossec decoder does not detect attacks on dovecot
Again, I repeat but it's right: thank you for your time.
Giorgio Biondi
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/YQjYGUAFq_w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
dan (ddp)
Nov 2, 2018, 6:53:13 AM11/2/18
to ossec...@googlegroups.com
> I Have installed on my server Ossec V3.1 downloaded from github, not the official release.. about 20 day ago.. all my 10 agent are installed with this version.
> Anyway.. now.. working with your decoder.. I have see log today, and I have for first one trigger with rule 97XX - WORK!!!!
> Look my log:
>
> Server Ossec : alert.log:
> [root@serverossec ~]# grep "Nov 1 03:52:58" /var/ossec/logs/alerts/alerts.log
> Nov 1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<yifo...@caccabee.it>, method=PLAIN, rip=196.219.91.169, lip=10.12.14.36
>
> Agent Ossec : active-response.log
> [root@mailscanner04 ~]# grep "196.219.91.169" /var/ossec/logs/active-responses.log
> gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/host-deny.sh add - 196.219.91.169 1541040779.741935 9705
> gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/firewall-drop.sh add - 196.219.91.169 1541040779.741935 9705
>
> I do not know how to thank you .. it should be pointed out to the developers of ossec that you need to change the decoder to mitigate attacks on dovecot.
>
The problem is that these log formats change, sometimes just on a per
> Anyway.. now.. working with your decoder.. I have see log today, and I have for first one trigger with rule 97XX - WORK!!!!
> Look my log:
>
> Server Ossec : alert.log:
> [root@serverossec ~]# grep "Nov 1 03:52:58" /var/ossec/logs/alerts/alerts.log
> Nov 1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<yifo...@caccabee.it>, method=PLAIN, rip=196.219.91.169, lip=10.12.14.36
>
> Agent Ossec : active-response.log
> [root@mailscanner04 ~]# grep "196.219.91.169" /var/ossec/logs/active-responses.log
> gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/host-deny.sh add - 196.219.91.169 1541040779.741935 9705
> gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/firewall-drop.sh add - 196.219.91.169 1541040779.741935 9705
>
> I do not know how to thank you .. it should be pointed out to the developers of ossec that you need to change the decoder to mitigate attacks on dovecot.
>
distro basis. I don't run any dovecot instances myself, so I haven't
kept up with the changes in the log formats.
Sometimes (like in this instance), the only way we find out is someone
mentioning it on the mailing list.
More participation from the community would be great. Even if users
don't want to submit decoders and rules, up to date log samples would
help a lot.
Reply all
Reply to author
Forward
0 new messages