openvpn


kristianpaul

Mar 17, 2010, 9:27:53 AM
to ossec-list
Another basic decoder and rule for openvpn:

<!-- openvpn
Mar 9 08:15:37 camaleon-1 openvpn[3995]: 192.168.0.4:48679 [kristianpaul] Peer Connection Initiated with 192.168.0.4:48679 (via 200.21.200.2)
-->

<decoder name="openvpn">
  <program_name>openvpn</program_name>
</decoder>

<!-- I don't get user yet, so work in progress :)
-->

<!-- Child decoders are tried in order, so the more specific
     "Peer Connection Initiated" decoder goes before the generic srcip one,
     otherwise the srcip decoder matches first and the user is never decoded. -->
<decoder name="openvpn-user">
  <parent>openvpn</parent>
  <prematch>Peer Connection Initiated</prematch>
  <regex>^(\d+.\d+.\d+.\d+):\d+ [(\S+)] Peer Connection Initiated</regex>
  <order>srcip,user</order>
</decoder>

<decoder name="openvpn-srcip">
  <parent>openvpn</parent>
  <regex>^(\d+.\d+.\d+.\d+):\S+ </regex>
  <order>srcip</order>
</decoder>

<!-- Alternative: the text after the prematch starts with a space, then "[user]" -->
<decoder name="openvpn-user2">
  <parent>openvpn</parent>
  <prematch>(\d+.\d+.\d+.\d+):\S+</prematch>
  <regex offset="after_prematch">^ [(\S+)]</regex>
  <order>user</order>
</decoder>

rules:

<group name="syslog,openvpn,">

  <rule id="100300" level="0">
    <decoded_as>openvpn</decoded_as>
    <description>Grouping of openvpn rules</description>
  </rule>

  <rule id="100301" level="3">
    <if_sid>100300</if_sid>
    <match>Peer Connection Initiated with</match>
    <options>alert_by_email</options>
    <description>Openvpn Connection Initiated</description>
  </rule>

  <rule id="100302" level="3">
    <if_sid>100301</if_sid>
    <user>kristianpaul</user>
    <description>Paul Openvpn Connection Initiated</description>
  </rule>

</group>


There are no more rules, but you can easily add some for unsuccessful and
other types of connections.

Of course I allow this work to be added in the next OSSEC release if it is
considered worth it :p

schrotti

Oct 8, 2014, 11:30:20 PM
to ossec...@googlegroups.com
Here are a couple more decoders and rules. Unfortunately I didn't get composite rules to work that indicate a complete and successful login (TCP connection established, cert verified, peer connection initiated and virtual IP addr assigned), but I think the current rules still do their job.

<!-- BEGIN OpenVPN Decoders -->
<decoder name="openvpn">
  <program_name>ovpn-server</program_name>
</decoder>

<!-- Catch TCP connections -->
<decoder name="openvpn-tcp-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">^TCP connection established</prematch>
  <regex offset="after_prematch">(\d+.\d+.\d+.\d+):(\d+)$</regex>
  <order>srcip,srcport</order>
</decoder>

<!-- Decode peer connection event to get dstuser, srcip and srcport -->
<decoder name="openvpn-login-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">Peer Connection Initiated</prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) [(\w+)] </regex>
  <order>srcip,srcport,user</order>
</decoder>

<!-- Get the VPN IP assigned to the user -->
<decoder name="openvpn-ip-assign-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">primary virtual IP for </prematch>
  <regex offset="after_prematch">^(\w+)/(\d+.\d+.\d+.\d+):(\d+): (\d+.\d+.\d+.\d+)$</regex>
  <order>user,srcip,srcport,dstip</order>
</decoder>

<!-- Decode events that start with user/srcip:srcport -->
<decoder name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\w+)/(\d+.\d+.\d+.\d+):(\d+) </regex>
  <order>user,srcip,srcport</order>
</decoder>

<!-- Decode events that start with srcip:srcport -->
<decoder name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) </regex>
  <order>srcip,srcport</order>
</decoder>

<!-- Get the actual event message as extra_data -->
<decoder name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_regex">^(\S\.*)</regex>
  <order>extra_data</order>
</decoder>
<!-- END OpenVPN Decoders -->

Some rules:

<!-- BEGIN OpenVPN rules -->
<group name="syslog,openvpn,">

  <rule id="100300" level="0">
    <category>syslog</category>
    <decoded_as>openvpn</decoded_as>
    <description>Grouping of OpenVPN rules.</description>
  </rule>

  <rule id="100301" level="3">
    <if_sid>100300</if_sid>
    <match>TCP connection established</match>
    <description>A TCP connection was established to the VPN</description>
    <group>connection_established,</group>
  </rule>

  <rule id="100302" level="3">
    <if_sid>100300</if_sid>
    <match>VERIFY OK: depth=0</match>
    <description>Client successfully authenticated</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100303" level="3">
    <if_sid>100300</if_sid>
    <match>Peer Connection Initiated</match>
    <description>Client successfully connected to VPN</description>
    <group>connection_success,</group>
  </rule>

  <rule id="100304" level="3">
    <if_sid>100300</if_sid>
    <match>primary virtual IP for</match>
    <description>Assigned virtual IP to client</description>
  </rule>

  <rule id="100305" level="3">
    <if_sid>100300</if_sid>
    <match>SIGUSR1</match>
    <description>Client closed VPN session</description>
  </rule>

</group>
<!-- END OpenVPN rules -->

Any advice on how to make a composite rule out of rules 100302-100304 is welcome. I tried with <if_matched_sid> and timeframe but it didn't work. The initial event is 100302; after a couple of seconds follows 100303, and after that 100304. And the frequency option doesn't seem to work here because of this odd implicit +2 that is added to the actual given value.

I hope this also helps others to analyse their OpenVPN logs.
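Added example, not from any of the posts in this thread: a small Python script that does in PCRE what the decoders above do in OSSEC's regex dialect (the "ip:port [user]" extraction from kristianpaul's 2010 post and the three stages behind schrotti's rules 100302-100304), then implements the composite logic schrotti asked for: a login counts as complete only when certificate verification at depth=0, "Peer Connection Initiated" and the virtual-IP assignment have all been seen for the same client socket within a time window. The log lines are constructed for the example, the 60-second window and the year 2014 (syslog timestamps carry none) are assumptions, and the message formats follow what the decoders in the thread match rather than a captured server log.

```python
import re
from datetime import datetime

LOG_YEAR = 2014  # assumed: syslog timestamps carry no year

# Syslog framing as ossec-analysisd sees it: <program_name> is matched against
# "prog", and the OpenVPN decoders' regexes run on "msg" (offset="after_parent").
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
PROGRAMS = {"openvpn", "ovpn-server"}
IP = r"\d+\.\d+\.\d+\.\d+"

# PCRE equivalents (not copies) of the three decoders behind rules 100302-100304.
STAGES = {
    # "1.2.3.4:51234 VERIFY OK: depth=0, CN=alice"  -> rule 100302 (depth=1 is the CA, ignored)
    "verified": re.compile(rf"^(?P<srcip>{IP}):(?P<srcport>\d+) VERIFY OK: depth=0, (?P<subject>.*)$"),
    # "1.2.3.4:51234 [alice] Peer Connection Initiated with ..."  -> rule 100303
    "connected": re.compile(rf"^(?P<srcip>{IP}):(?P<srcport>\d+) \[(?P<user>[^\]]+)\] Peer Connection Initiated"),
    # "alice/1.2.3.4:51234 MULTI: primary virtual IP for alice/1.2.3.4:51234: 10.8.0.6"  -> rule 100304
    "assigned": re.compile(
        rf"^(?P<user>[^/\s]+)/(?P<srcip>{IP}):(?P<srcport>\d+) MULTI: primary virtual IP for "
        rf"\S+: (?P<dstip>{IP})$"
    ),
}
STAGE_ORDER = ("verified", "connected", "assigned")


def parse(line):
    """Decode one syslog line; return (timestamp, stage, fields) or None if it is not one of the stages."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") not in PROGRAMS:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for stage in STAGE_ORDER:
        s = STAGES[stage].match(m.group("msg"))
        if s:
            return ts, stage, s.groupdict()
    return None


def correlate(lines, window_seconds=60):
    """Composite-rule logic: a login is complete once all three stages have been seen
    for the same client socket within window_seconds of the first one.
    Returns (logins, pending): completed logins, plus the stages still open per socket,
    so a chain that never finishes (cert verified, no session) stays visible."""
    pending = {}  # (srcip, srcport) -> {"first": datetime, "seen": {stage: fields}}
    logins = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, stage, fields = parsed
        key = (fields["srcip"], fields["srcport"])
        state = pending.get(key)
        # Drop a stale partial chain: a later connection may reuse the same source port
        # and must not be merged with an old one.
        if state is not None and (ts - state["first"]).total_seconds() > window_seconds:
            del pending[key]
            state = None
        if state is None:
            state = pending[key] = {"first": ts, "seen": {}}
        state["seen"][stage] = fields
        if all(s in state["seen"] for s in STAGE_ORDER):
            logins.append({
                "user": state["seen"]["connected"]["user"],
                "srcip": key[0],
                "srcport": key[1],
                "vpn_ip": state["seen"]["assigned"]["dstip"],
                "elapsed": (ts - state["first"]).total_seconds(),
            })
            del pending[key]
    return logins, {k: sorted(v["seen"]) for k, v in pending.items()}


# Constructed sample log (not captured from a real server): alice completes all three
# stages; bob's certificate verifies but his TLS handshake fails, so his chain never
# completes; the sshd line shows that non-OpenVPN events are ignored.
SAMPLE_LOG = """\
Oct 8 22:10:01 vpn1 ovpn-server[2211]: TCP connection established with [AF_INET]203.0.113.7:51234
Oct 8 22:10:02 vpn1 ovpn-server[2211]: 203.0.113.7:51234 VERIFY OK: depth=1, CN=Example Root CA
Oct 8 22:10:02 vpn1 ovpn-server[2211]: 203.0.113.7:51234 VERIFY OK: depth=0, CN=alice
Oct 8 22:10:04 vpn1 ovpn-server[2211]: 203.0.113.7:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.7:51234
Oct 8 22:10:05 vpn1 ovpn-server[2211]: alice/203.0.113.7:51234 MULTI: primary virtual IP for alice/203.0.113.7:51234: 10.8.0.6
Oct 8 22:11:30 vpn1 ovpn-server[2211]: TCP connection established with [AF_INET]198.51.100.9:40022
Oct 8 22:11:31 vpn1 ovpn-server[2211]: 198.51.100.9:40022 VERIFY OK: depth=0, CN=bob
Oct 8 22:11:33 vpn1 ovpn-server[2211]: 198.51.100.9:40022 TLS Error: TLS handshake failed
Oct 8 22:15:00 vpn1 sshd[900]: Accepted publickey for carol from 192.0.2.5 port 5000 ssh2
"""

if __name__ == "__main__":
    done, still_open = correlate(SAMPLE_LOG.splitlines())
    for login in done:
        print("complete login:", login)
    for sock, stages in still_open.items():
        print("incomplete chain:", sock, stages)
```

Keying on the client socket (srcip plus srcport) is what makes the correlation work: all three messages carry it, whereas the username only appears from "Peer Connection Initiated" onwards and the virtual IP only in the last message. The depth=1 "VERIFY OK" line is the CA certificate, so only depth=0 counts, which is exactly what rule 100302's match string selects. A chain that stops short stays in the returned pending map, and that is the case worth alerting on (a certificate that verified but never got a session). The stale-chain expiry plays the role that a timeframe does in an OSSEC composite rule.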



dan (ddp)

Oct 9, 2014, 8:22:15 AM
to ossec...@googlegroups.com
Thanks for the decoders and rules! Do you have any issues with us
adding these to the decoders/rules provided by OSSEC?
Can you provide some sample log messages? It'd really help for
testing, and trying to get composite rules working.

