Hello,

I think the Asterisk rules could be wrong. Or at least for Ubuntu.
OSSEC always failed to block brute force attempts on Asterisk.
A standard log entry for a brute force attempt looks like:

Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in handle_request_register: Registration from '"6100" <sip:6100@X.X.X.X>' failed for '85.25.110.243:5188' - Wrong password

I changed the rules in the decoder.xml files and now I have much better results.

Let me know if I’m wrong, I’m not an OSSEC expert, but now I block the brute 
force attempts.

Regards,

Simon Gillet

I changed this rule:

<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>
To this one:

<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
  <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
  <order>srcip,srcport</order>
</decoder>
And this rule:

<decoder name="asterisk-denied2">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>
To this one:

<decoder name="asterisk-denied2">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
  <order>srcip,srcport</order>
</decoder>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
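The following is an added example, not part of the post or of the OSSEC project, that replays both versions of the decoders against a line of the same shape as the one quoted above (addresses replaced by constructed documentation-range values). It translates the small OSSEC regex subset used here (\S+, \d+, a bare "." for any character, literal brackets and quotes) to Python's re, applies prematch and then the after_prematch regex, and shows why the original decoders extract no srcip while the posted replacements yield srcip and srcport. The syslog header split and the assumption that whitespace left behind by the prematch is skipped before the regex runs are this example's own simplifications, not OSSEC's exact engine.

```python
import re

# Constructed sample line in the shape of the one in the post (addresses are documentation ranges).
SAMPLE = ("Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in "
          "handle_request_register: Registration from '\"6100\" <sip:6100@198.51.100.7>' "
          "failed for '203.0.113.45:5188' - Wrong password")

# The decoders as posted, transcribed from the XML: first the originals, then the replacements.
OLD_DECODERS = [
    {"name": "asterisk-denied",
     "prematch": r"^NOTICE[\d+]: \S+ in \S+: Registration from ",
     "regex": r"^\S+ failed for '(\d+.\d+.\d+.\d+)'",
     "order": ["srcip"]},
    {"name": "asterisk-denied2",
     "prematch": r"Registration from ",
     "regex": r"failed for '(\d+.\d+.\d+.\d+)'",
     "order": ["srcip"]},
]
NEW_DECODERS = [
    {"name": "asterisk-denied",
     "prematch": r"^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+",
     "regex": r"^failed for '(\S+):(\d+)'",
     "order": ["srcip", "srcport"]},
    {"name": "asterisk-denied2",
     "prematch": r"Registration from ",
     "regex": r"failed for '(\S+):(\d+)'",
     "order": ["srcip", "srcport"]},
]

# Simplified syslog header: "Mon DD HH:MM:SS host program[pid]: message" (example's own, not OSSEC's parser).
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (\S+?)(?:\[\d+\])?: (.*)$")


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used by these decoders into a Python re pattern.

    \\S, \\d, \\w, \\s keep their meaning; "." is any character; "[" and "]" are literal
    in OSSEC, so they are escaped here; ^ $ ( ) + * | pass through unchanged.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("\\" + nxt if nxt in "SdwsDW" else re.escape(nxt))
            i += 2
            continue
        out.append(c if c in "^$()+*.|" else re.escape(c))
        i += 1
    return "".join(out)


def split_syslog(line):
    """Return (program_name, message) as the parent 'asterisk' decoder sees them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def run_decoder(decoder, message):
    """Apply prematch, then the after_prematch regex; return the ordered fields or None."""
    pre = re.search(ossec_to_python(decoder["prematch"]), message)
    if not pre:
        return None
    # Assumption: whitespace left after the prematch is skipped before the regex is applied.
    rest = message[pre.end():].lstrip()
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


def decode(line, decoders):
    """Emulate the parent/child chain: header split, program-name check, first child that extracts fields."""
    program, message = split_syslog(line)
    if program != "asterisk":  # the parent decoder matches on program_name ^asterisk
        return None
    for d in decoders:
        fields = run_decoder(d, message)
        if fields is not None:
            return d["name"], fields
    return None


if __name__ == "__main__":
    # The old regexes stop at the SIP URI (it contains a space) and require a quote right
    # after the address, so "ip:port" never yields a srcip; the new ones capture both parts.
    print("old decoders:", decode(SAMPLE, OLD_DECODERS))
    print("new decoders:", decode(SAMPLE, NEW_DECODERS))
```

With no srcip extracted, the active-response rule has nothing to hand to the firewall script, which is consistent with the blocking failure described in the post; once srcip is decoded, the existing rules can fire on it unchanged.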