Active response fails for sshd rule 5702/5703


Dennis Golden

Jan 21, 2010, 11:14:54 AM
to ossec list
I have discovered a serious problem with the subject rules. here is the result
running ossec-logtest:

2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping
checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in
[115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
hostname: 'dg-linux2'
program_name: 'sshd'
log: 'reverse mapping checking getaddrinfo for
115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE
BREAK-IN ATTEMPT!'

**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'

**Phase 3: Completed filtering (rules).
Rule id: '5702'
Level: '5'
Description: 'Reverse lookup error (bad ISP or attack).'
**Alert to be generated.

Needless to say that if active response tries to use the address that has
already failed it will also fail; therefore, the attack can continue forever.

Dennis
--
Golden Consulting Services, Inc.

dan (ddp)

Jan 21, 2010, 1:39:12 PM
to ossec...@googlegroups.com

Strangely, I've found at least 3 variations on this log event (including yours).
Out of curiosity, what OS or distribution are you running?

dan (ddp)

Jan 21, 2010, 1:57:03 PM
to ossec...@googlegroups.com
On Thu, Jan 21, 2010 at 11:14 AM, Dennis Golden
<dgo...@golden-consulting.com> wrote:

Ok, this will require a little bit of surgery on the decoder.xml file. I'd rather
not have to change it on my setups, but I'm not sure how to get around that here.
This means you'll have to do a bit more work when it comes time to upgrade,
unless we can get these decoders added to the decoder.xml file.

In $OSSEC_HOME/etc/decoder.xml add the following ABOVE the
<decoder name="ssh-reverse-mapping"> entry:

<decoder name="ssh-reverse-mapping2">
  <parent>sshd</parent>
  <!-- match the newer sshd wording that carries the literal address in brackets -->
  <prematch>^reverse mapping checking getaddrinfo for \S+ [\d+.\d+.\d+.\d+] failed</prematch>
  <!-- capture the bracketed address, not the hostname, so srcip is usable by active response -->
  <regex offset="after_parent">reverse mapping checking getaddrinfo for \S+ [(\d+.\d+.\d+.\d+)] failed</regex>
  <order>srcip</order>
</decoder>

If anyone else reading this has other variations on the above sample event,
feel free to forward them on to me. I'll try to adjust decoders and submit them
for inclusion.
dan
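As an added illustration (not OSSEC code and not from anyone in this thread), here is the matching logic of the decoder above emulated in Python's `re` dialect and run over Dennis's event plus two constructed sshd variants, together with the check a practitioner wants before active response fires: only a literal address is handed on, so a hostname that already failed reverse mapping can never be the thing a firewall-drop is asked to block. The decoder name `ssh-reverse-mapping-maps-to`, the sample addresses and the two extra message wordings are assumptions.

```python
import ipaddress
import re

# Decoders tried in order, like the child decoders under <parent>sshd</parent>.
# Python's re dialect stands in for OSSEC's own regex engine; the bracketed
# literal address is captured as srcip, never the unresolvable hostname.
DECODERS = [
    # The decoder dan posted: newer OpenSSH wording with "[ip]" after the host.
    ("ssh-reverse-mapping2", re.compile(
        r"^reverse mapping checking getaddrinfo for \S+ \[(\d+\.\d+\.\d+\.\d+)\] failed")),
    # Hypothetical name; wording modelled on the "maps to ... does not map back" message.
    ("ssh-reverse-mapping-maps-to", re.compile(
        r"^Address (\d+\.\d+\.\d+\.\d+) maps to \S+, but this does not map back")),
    # Older wording carrying only a hostname, which is all the original decoder saw.
    ("ssh-reverse-mapping", re.compile(
        r"^reverse mapping checking getaddrinfo for (\S+) failed")),
]

# Constructed sample bodies (the text after "sshd[pid]: ", which is what the
# sshd parent decoder hands to its children). Only the first is from the thread.
SAMPLES = [
    "reverse mapping checking getaddrinfo for "
    "115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
    "Address 203.0.113.7 maps to host.example.org, but this does not map "
    "back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "reverse mapping checking getaddrinfo for badhost.example.net failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
]


def decode_sshd(body):
    """Return (decoder name, srcip) for one sshd message body, else (None, None)."""
    for name, rx in DECODERS:
        m = rx.search(body)
        if m:
            return name, m.group(1)
    return None, None


def active_response_target(srcip):
    """firewall-drop style responses need a literal address: return it as a
    normalised string, or None so that a bare hostname never triggers a block."""
    if srcip is None:
        return None
    try:
        return str(ipaddress.ip_address(srcip))
    except ValueError:
        return None
```

Feeding the third sample through `active_response_target` yields `None`, which is exactly the case Dennis describes: the original decoder produced a hostname, and a response keyed on it can only fail.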

--[ UxBoD ]--

Jan 21, 2010, 9:19:41 PM
to ossec...@googlegroups.com

I was under the impression that for Active Response you should disable the DNS lookup in sshd_config.

--
Thanks, Phil

Dennis Golden

Jan 22, 2010, 9:37:33 AM
to ossec...@googlegroups.com

I've already modified the decoder on my system so it works correctly; however, I
don't know how to modify it to work with multiple formats of the syslog message.

Regards,

Dennis
--
Dennis Golden
Golden Consulting Services, Inc.

Dennis Golden

Jan 22, 2010, 9:40:33 AM
to ossec...@googlegroups.com

This is openSUSE 11.0. I've modified it to work here, but it won't work for
messages that are in the format you have in the example.

Dennis Golden

Jan 22, 2010, 9:41:36 AM
to ossec...@googlegroups.com

I'll have to look into that.

dan (ddp)

Jan 22, 2010, 1:33:14 PM
to ossec...@googlegroups.com

Thanks. I've messed with the decoders and have them working for a
couple of the formats. I'll be googling a bit for other variations before
passing them on to the ossec developers. I figure labeling them by
distro/OS might not be a bad idea.

dan
