Hey;

While not a direct answer, I think I have the direction in which you want 
to go.  I've been reading the online manual (http://www.ossec.net/doc/) 
which has a section on cdb list lookups from within rules 
(http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html).  Cdb is 
'constant database'; effectively a standalone Perl hash, if you're familiar 
with Perl.  

So, in English, what you want is a rule that will block IPs that are 
attempting access to the dovecot port with a user that is not in the list 
of valid users.  That is an excellent idea.  If you get the entire process 
worked out, let me know as I would like to do the same exact thing.  
Unfortunately, no time to work on it at the moment.

My understanding (which is probably inaccurate in some places)

* ossec.conf needs a line in the rules section similar to:

<list>rules/users</list>


* You make a text file called rules/users formatted as:
${valid_user1}: 1
${valid_user2}: 1
${valid_user3}: 1
...

* You then run ossec-makelists

* Assuming all that works, you then create a rule with a line that looks 
something like:

<list field="program_name" lookup="not_match_key">rules/users</list>

then use the active response if that rule triggers...

There's a *bunch* in there that needs work.  I'm very new to ossec myself 
but that seems like it'd be the right way to go. And, if not, someone more 
experienced will pipe up, call me all sorts of names, and tell us both the 
right way to do it :)

Hope that helps.

Doug O'Leary

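The steps above, put together as one worked configuration. This is an added example and is my own, not the poster's setup and not OSSEC's shipped configuration. It assumes the stock dovecot decoder exposes the account name as the field "user" and the source address as "srcip", and that the stock dovecot rules carry the group name "dovecot"; confirm both with ossec-logtest and rules/dovecot_rules.xml before relying on it. The rule id 100200, the list path lists/dovecot-users and the sample log line are arbitrary choices for illustration.

Before the XML fragments take effect: create /var/ossec/lists/dovecot-users with one `account:value` line per valid mailbox (for example `alice:1`), run /var/ossec/bin/ossec-makelists to compile it to dovecot-users.cdb, then restart OSSEC.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): register the CDB list and the response -->
<ossec_config>
  <rules>
    <!-- path is relative to /var/ossec; ossec-makelists writes lists/dovecot-users.cdb -->
    <list>lists/dovecot-users</list>
  </rules>

  <active-response>
    <!-- firewall-drop is a stock OSSEC command; it blocks the decoded srcip -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100200</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment): the lookup rule -->
<group name="local,dovecot,">
  <rule id="100200" level="10">
    <!-- assumption: stock dovecot rules are tagged with the group "dovecot" -->
    <if_group>dovecot</if_group>
    <!-- assumption: the dovecot decoder stores the account as "user";
         not_match_key fires when that value is absent from the CDB keys -->
    <list field="user" lookup="not_match_key">lists/dovecot-users</list>
    <description>Dovecot login attempt for an account not in the valid-user list</description>
    <group>invalid_login,</group>
  </rule>
</group>

<!-- Constructed test line for ossec-logtest (not a real capture); with the
     assumptions above, "bogus" is not in the list so rule 100200 should fire:
  Mar  3 10:11:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bogus>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
-->
```

Two checks worth doing before enabling the firewall-drop response: feed a real line from your own mail log to ossec-logtest and verify that the decoder output actually contains a "user" and a "srcip" field, since the list lookup silently does nothing if the field name is wrong; and add your own management addresses to the white_list in the global section of ossec.conf, because a typo in the user list would otherwise block every legitimate client the moment it logs in.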