Asterisk "Multiple failed logins rule" (6251) not triggering even though it's parent "Login Session Failed" (6210) is
433 views
Skip to first unread message
Ryan Short
Oct 28, 2013, 11:46:32 AM10/28/13
to ossec...@googlegroups.com
Hi all,
I'm having an issue with a brute force password attempt not being blocked and I'm not sure why, there are two rules as far as I can tell in the asterisk_rules.xml file, the latter should trigger when the former hits a certain number of failed attempts.
The 6210 rule is being hit and is being logged in the alerts.log file:
** Alert 1382974360.1666067: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:32:40 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:32:38 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
** Alert 1382974390.1666442: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:33:10 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:33:09 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
** Alert 1382974420.1666817: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:33:40 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:33:39 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
However nothing is being done about it as the multiple failed logins rule (6251) is not being triggered.
Not sure if this is useful, but when I try and test the rules by performing:
cat ossectest | /var/ossec/bin/ossec-logtest -v
I get:
Trying rule: 6200 - Asterisk messages grouped.
*Rule 6200 matched.
*Trying child rules.
Trying rule: 6201 - Asterisk notice messages grouped.
*Rule 6201 matched.
*Trying child rules.
Trying rule: 6210 - Login session failed.
*Rule 6210 matched.
*Trying child rules.
Trying rule: 6251 - Multiple failed logins.
Trying rule: 40111 - Multiple authentication failures.
**Phase 3: Completed filtering (rules).
Rule id: '6210'
Level: '5'
Description: 'Login session failed.'
**Alert to be generated.
ossectest contains:
Oct 28 15:02:17 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:18 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:19 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:20 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:21 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:22 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:23 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:24 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:25 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Not sure if ossec-logtest tests the file as a whole or just takes them line by line.
I've tried altering the threshold and number of failed attempts before a block occurs because I noticed they're only trying a connection every 30 seconds and wasn't sure if they were bypassing the checks like that, the two rules are as follows:
<rule id="6210" level="5">
<if_sid>6201</if_sid>
<match>Wrong password</match>
<description>Login session failed.</description>
<group>authentication_failed,</group>
</rule>
<rule id="6251" level="10" frequency="2">
<if_matched_sid>6210</if_matched_sid>
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>
I tried 6251 with a threshold of the default 300 and an increased 600.
Any help would be appreciated.
Best Regards
I'm having an issue with a brute force password attempt not being blocked and I'm not sure why, there are two rules as far as I can tell in the asterisk_rules.xml file, the latter should trigger when the former hits a certain number of failed attempts.
The 6210 rule is being hit and is being logged in the alerts.log file:
** Alert 1382974360.1666067: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:32:40 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:32:38 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
** Alert 1382974390.1666442: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:33:10 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:33:09 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
** Alert 1382974420.1666817: - syslog,asterisk,authentication_failed,
2013 Oct 28 15:33:40 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Oct 28 15:33:39 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
However nothing is being done about it as the multiple failed logins rule (6251) is not being triggered.
Not sure if this is useful, but when I try and test the rules by performing:
cat ossectest | /var/ossec/bin/ossec-logtest -v
I get:
Trying rule: 6200 - Asterisk messages grouped.
*Rule 6200 matched.
*Trying child rules.
Trying rule: 6201 - Asterisk notice messages grouped.
*Rule 6201 matched.
*Trying child rules.
Trying rule: 6210 - Login session failed.
*Rule 6210 matched.
*Trying child rules.
Trying rule: 6251 - Multiple failed logins.
Trying rule: 40111 - Multiple authentication failures.
**Phase 3: Completed filtering (rules).
Rule id: '6210'
Level: '5'
Description: 'Login session failed.'
**Alert to be generated.
ossectest contains:
Oct 28 15:02:17 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:18 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:19 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:20 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:21 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:22 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:23 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:24 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Oct 28 15:02:25 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for '85.64.90.98:5063' - Wrong password
Not sure if ossec-logtest tests the file as a whole or just takes them line by line.
I've tried altering the threshold and number of failed attempts before a block occurs because I noticed they're only trying a connection every 30 seconds and wasn't sure if they were bypassing the checks like that, the two rules are as follows:
<rule id="6210" level="5">
<if_sid>6201</if_sid>
<match>Wrong password</match>
<description>Login session failed.</description>
<group>authentication_failed,</group>
</rule>
<rule id="6251" level="10" frequency="2">
<if_matched_sid>6210</if_matched_sid>
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>
I tried 6251 with a threshold of the default 300 and an increased 600.
Any help would be appreciated.
Best Regards
Roa Jose
Oct 28, 2013, 7:30:50 PM10/28/13
to ossec...@googlegroups.com, dee...@googlemail.com
Try install Fail2ban for Linux and enable plugin of asterisk
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Michael Starks
Oct 30, 2013, 11:31:33 AM10/30/13
to ossec...@googlegroups.com
On 28.10.2013 10:46, Ryan Short wrote:
> Hi all,
>
> I'm having an issue with a brute force password attempt not being
> blocked and I'm not sure why, there are two rules as far as I can
> tell
> in the asterisk_rules.xml file, the latter should trigger when the
> former hits a certain number of failed attempts.
Thanks for all of the detailed information. It really helps. Before you
> Hi all,
>
> I'm having an issue with a brute force password attempt not being
> blocked and I'm not sure why, there are two rules as far as I can
> tell
> in the asterisk_rules.xml file, the latter should trigger when the
> former hits a certain number of failed attempts.
decide to switch to fail2ban, let's see if we can actually address your
issue. I noticed that the srcip wasn't being decoded properly, which is
likely the issue. So, try this:
1. Comment out the asterisk decoder from decoder.xml.
2. Copy it into local_decoders.xml (create if needed, with the same
permissions as decoder.xml)
3. Paste it into local_decoders.xml and replace the asterisk-denied
sub-decoder with this one.
<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
<regex offset="after_prematch">^'"\d+" \p\.+' failed for
'(\d+.\d+.\d+.\d+):(\d+)</regex>
<order>srcip,srcport</order>
</decoder>
Note that I don't know how this will affect other versions of Asterisk
logs, but it should decode yours. Let us know how it turns out.
Michael Starks
Oct 30, 2013, 11:37:37 AM10/30/13
to ossec...@googlegroups.com
On 30.10.2013 10:31, Michael Starks wrote:
> 1. Comment out the asterisk decoder from decoder.xml.
> 2. Copy it into local_decoders.xml (create if needed, with the same
Woops, that should be local_decoder.xml.
> 1. Comment out the asterisk decoder from decoder.xml.
> 2. Copy it into local_decoders.xml (create if needed, with the same
dan (ddp)
Nov 1, 2013, 9:26:28 AM11/1/13
to ossec...@googlegroups.com
Wrong mailing list.
Ryan Short
Nov 11, 2013, 5:48:44 AM11/11/13
to ossec...@googlegroups.com
Hi Michael,
Apologies for the delay, google didn't email me when the thread was updated beyond the message saying to try fail2ban.
Just wanted to drop a quick thanks for your help, I now understand a little more on how the decoders work, and give you a quick update on how it was resolved.
The decoder I used was the one you specified, however it wouldn't work when I put it in the local_decoder.xml file for whatever reason, I know it was reading the file as ossec wouldn't restart due to an error with that file when the decoder named "asterisk-denied" was in both files.
However when I put it into the decoder.xml just it finally extracts the IP and port and bans the IP address successfully.
** Alert 1384166725.155250: - syslog,asterisk,authentication_failed,
2013 Nov 11 10:45:25 demopbx->/var/log/messages
Apologies for the delay, google didn't email me when the thread was updated beyond the message saying to try fail2ban.
Just wanted to drop a quick thanks for your help, I now understand a little more on how the decoders work, and give you a quick update on how it was resolved.
The decoder I used was the one you specified, however it wouldn't work when I put it in the local_decoder.xml file for whatever reason, I know it was reading the file as ossec wouldn't restart due to an error with that file when the decoder named "asterisk-denied" was in both files.
However when I put it into the decoder.xml just it finally extracts the IP and port and bans the IP address successfully.
** Alert 1384166725.155250: - syslog,asterisk,authentication_failed,
2013 Nov 11 10:45:25 demopbx->/var/log/messages
Rule: 6210 (level 5) -> 'Login session failed.'
Src IP: ip.add.re.ss
Src Port: 5063
Nov 11 10:45:23 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
** Alert 1384166755.155659: mail - syslog,asterisk,
2013 Nov 11 10:45:55 demopbx->/var/log/messages
Rule: 6251 (level 10) -> 'Multiple failed logins.'
Src IP: ip.add.re.ss
Src Port: 5063
Nov 11 10:45:53 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:45:23 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:44:53 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:44:22 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Again thanks a bunch for the help!
Best Regards
Src Port: 5063
Nov 11 10:45:23 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
** Alert 1384166755.155659: mail - syslog,asterisk,
2013 Nov 11 10:45:55 demopbx->/var/log/messages
Rule: 6251 (level 10) -> 'Multiple failed logins.'
Src IP: ip.add.re.ss
Src Port: 5063
Nov 11 10:45:53 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:45:23 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:44:53 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Nov 11 10:44:22 demopbx asterisk[2153]: NOTICE[2538]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:5...@demopbx.domain.tld>' failed for 'ip.add.re.ss:5063' - Wrong password
Again thanks a bunch for the help!
Best Regards
Reply all
Reply to author
Forward
0 new messages