Ossec and dovecot - issue to active-response


Giorgio Biondi

Oct 14, 2018, 12:05:05 PM
to ossec-list
Hi,

I have a problem on my mail server with OSSEC: I have seen some brute force attacks, but OSSEC doesn't react to this log.
I tried with the logtest tool, and 'no decoder match' is returned, but my OSSEC installation has rules for dovecot.

Does somebody have a hint?

See this:

[root@mailserver bin]# ./ossec-logtest
2018/10/14 16:12:27 ossec-testrule: INFO: Reading local decoder file.
2018/10/14 16:12:27 ossec-testrule: INFO: Started (pid: 32967).
ossec-testrule: Type one log per line.


Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<marco...@tech2.it>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>


**Phase 1: Completed pre-decoding.
       full event: 'Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<marco...@tech2.it>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
       hostname: 'mailserver'
       program_name: '(null)'
       log: 'dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<marco...@tech2.it>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

dan (ddp)

Oct 14, 2018, 12:07:30 PM
to ossec...@googlegroups.com
On Sun, Oct 14, 2018 at 12:05 PM Giorgio Biondi <biondi....@gmail.com> wrote:
> Hi,
>
> I have a problem on my mail server with OSSEC: I have seen some brute force attacks, but OSSEC doesn't react to this log.
> I tried with the logtest tool, and 'no decoder match' is returned, but my OSSEC installation has rules for dovecot.
>
> Does somebody have a hint?
>
> See this:
>
> [root@mailserver bin]# ./ossec-logtest
> 2018/10/14 16:12:27 ossec-testrule: INFO: Reading local decoder file.
> 2018/10/14 16:12:27 ossec-testrule: INFO: Started (pid: 32967).
> ossec-testrule: Type one log per line.
>
>
> Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<marco...@tech2.it>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>

Are there really 2 timestamps in the log message?


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Giorgio Biondi

Oct 14, 2018, 4:13:25 PM
to ossec...@googlegroups.com
Hi,
No, sorry for the mistake. This is an entry that arrived just now from my mail server:

Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gigi...@tech2.it>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>


Giorgio Biondi

Oct 14, 2018, 4:15:45 PM
to ossec...@googlegroups.com
This is the output from ossec-logtest:

[root@mailserver bin]# ./ossec-logtest
2018/10/14 22:13:30 ossec-testrule: INFO: Reading local decoder file.
2018/10/14 22:13:30 ossec-testrule: INFO: Started (pid: 45431).
ossec-testrule: Type one log per line.

Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gigi...@tech2.it>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>


**Phase 1: Completed pre-decoding.
       full event: 'Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gigi...@tech2.it>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>'
       hostname: 'mailserver'
       program_name: 'imap-login'
       log: 'Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gigi...@tech2.it>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

On Sun, 14 Oct 2018 at 18:07, dan (ddp) <ddp...@gmail.com> wrote:

dan (ddp)

Oct 17, 2018, 7:24:32 AM
to ossec...@googlegroups.com
On Sun, Oct 14, 2018 at 4:15 PM Giorgio Biondi <biondi....@gmail.com> wrote:
>
> ..this is output from ossec-logtest
>
> [root@mailserver bin]# ./ossec-logtest
> 2018/10/14 22:13:30 ossec-testrule: INFO: Reading local decoder file.
> 2018/10/14 22:13:30 ossec-testrule: INFO: Started (pid: 45431).
> ossec-testrule: Type one log per line.
>
> Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gigi...@tech2.it>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>
>

Ok, so this log message is in a different format than we've come across in the past.

Here's a couple of decoders to get you started:
<decoder name="imap-login">
<program_name>^imap-login</program_name>
</decoder>

<decoder name="imap-login-info">
<parent>imap-login</parent>
<regex>^Info: (\S+) \((\.+),\.+ user=\<(\S+)>, \.+, rip=(\S+), lip=(\S+),</regex>
<order>status, extra_data, user, srcip, dstip</order>
</decoder>

I'm not sure how the current rules would cope with just changing the decoder over to this one, and without more logs it's definitely an incomplete solution.
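As an added example (not from the thread and not OSSEC's own code), the Python below mirrors dan's two-stage decoder: a header stage that keys on the program name `imap-login`, and a body stage that extracts the same five fields his `<order>` line names (status, extra_data, user, srcip, dstip). It uses Python's `re` rather than OSSEC's regex dialect (where `\.` means "any character"), so the patterns are equivalent in intent, not character for character. The sample lines are constructed, modelled on the two formats seen in the thread, with documentation-range IPs; the first line reproduces the double-timestamp format from the first post and, like ossec-logtest, does not decode. The per-source counter shows the aggregation a brute-force rule would perform on top of the decoded `srcip` field.

```python
import re
from collections import Counter

# Stage 1, the syslog-style header. The hostname is optional because the
# second sample in the thread ("Oct 14 22:10:18 imap-login: ...") has none.
# "[^\s:]+" stops the hostname from swallowing "imap-login:".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:]+) )?"
    r"(?P<program>[\w-]+): (?P<msg>.*)$"
)

# Stage 2, the "Info:" body. Group names follow dan's <order> line; like his
# decoder, extra_data is the part of the parenthesised reason before the
# first comma ("auth failed"), and the whole reason when there is no comma.
INFO_RE = re.compile(
    r"^Info: (?P<status>\S+) \((?P<extra_data>[^,)]+)(?:,[^)]*)?\): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<srcip>[^,\s]+), lip=(?P<dstip>[^,\s]+),"
)

# Constructed sample lines (not real traffic): documentation-range source IPs,
# placeholder users and sessions. Line 0 copies the double-timestamp format
# from the first post; the rest follow the corrected format.
SAMPLE_LINES = [
    "Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.12.14.11, TLS, session=<AAAAAAAAAAAAAAAA>",
    "Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.12.14.11, TLS, session=<BBBBBBBBBBBBBBBB>",
    "Oct 14 22:10:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.12.14.11, TLS, session=<CCCCCCCCCCCCCCCC>",
    "Oct 14 22:10:40 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.12.14.11, TLS, session=<DDDDDDDDDDDDDDDD>",
    "Oct 14 22:11:02 imap-login: Info: Disconnected (auth failed, 1 attempts in 9 secs): user=<other@example.com>, method=PLAIN, rip=198.51.100.23, lip=10.12.14.11, TLS, session=<EEEEEEEEEEEEEEEE>",
    "Oct 14 22:11:15 mailserver imap-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=198.51.100.23, lip=10.12.14.11, TLS, session=<FFFFFFFFFFFFFFFF>",
]


def decode(line):
    """Return the decoded fields for one line, or None when the line does not
    fit the format (the equivalent of logtest's 'No decoder matched')."""
    head = HEADER_RE.match(line)
    if head is None or head.group("program") != "imap-login":
        return None
    body = INFO_RE.match(head.group("msg"))
    if body is None:
        return None
    fields = body.groupdict()
    fields["hostname"] = head.group("host")  # None when the line carries no host
    return fields


def auth_failures_by_source(lines):
    """Count 'auth failed' disconnects per remote IP (the rip= field)."""
    counts = Counter()
    for line in lines:
        f = decode(line)
        if f and f["status"] == "Disconnected" and f["extra_data"].startswith("auth failed"):
            counts[f["srcip"]] += 1
    return counts


def sources_over_threshold(lines, threshold):
    """Source IPs whose failed-auth count reaches the threshold, sorted."""
    counts = auth_failures_by_source(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line) or "No decoder matched")
    print(auth_failures_by_source(SAMPLE_LINES))
    print(sources_over_threshold(SAMPLE_LINES, 3))
```

Running the block shows the first line failing to decode while the others yield the five fields, and `203.0.113.7` reaching the threshold of three failures; in OSSEC terms that is the point where a frequency rule on the decoded `srcip` would fire and active-response could act on it.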