On Mon, Feb 9, 2015 at 2:10 PM, Security <secur...@gillet-bouillon.eu> wrote:
> Could be.
> I don't know if I have to write to the dev mailing list to have it fixed in
> the next release.
> I'm running my modified version on 3 asterisk instances and I'm very happy
> with the results.
>

Your best option is to open an issue on GitHub:
https://github.com/ossec/ossec-hids
If I remember I'll try to come up with a rule that covers both the old
and new log samples we have.

> Regards,
>
> Simon Gillet
>
> On 9 Feb 2015 at 14:08, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Sun, Feb 8, 2015 at 5:26 PM, Security <secur...@gillet-bouillon.eu>
> wrote:
>
> Hello,
>
> I think the Asterisk rules could be wrong, or at least for Ubuntu.
> OSSEC always failed to block brute force attempts on Asterisk.
> A standard log entry for a brute force attempt looks like:
>
> Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
> handle_request_register: Registration from '"6100" <sip:6100@X.X.X.X>'
> failed for '85.25.110.243:5188' - Wrong password
>
>
> This log sample is different than the one we were provided previously.
>
> I changed the rules in the decoder.xml files and I now have much better
> results.
>
> Let me know if I'm wrong; I'm not an OSSEC expert, but now I block the brute
> force attempts.
>
> Regards,
>
> Simon Gillet
>
> I changed this rule:
>
> <decoder name="asterisk-denied">
>  <parent>asterisk</parent>
>  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
>  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
>  <order>srcip</order>
> </decoder>
>
> To this one:
>
> <decoder name="asterisk-denied">
>  <parent>asterisk</parent>
>  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
>  <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
>  <order>srcip,srcport</order>
> </decoder>
>
> And this rule:
>
> <decoder name="asterisk-denied2">
>  <parent>asterisk</parent>
>  <prematch>Registration from </prematch>
>  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
>  <order>srcip</order>
> </decoder>
>
> To this one:
>
> <decoder name="asterisk-denied2">
>  <parent>asterisk</parent>
>  <prematch>Registration from </prematch>
>  <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
>  <order>srcip,srcport</order>
> </decoder>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

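The decoder change discussed in the thread, as an added Python example that is not code from the thread or from OSSEC: it translates the OSSEC regex subset into Python's `re`, runs the old and new `asterisk-denied2` decoders over the log line quoted above and over a constructed older-style line, and validates the captured srcip before it would reach active response. Assumptions: the translation only approximates OSSEC's own matcher (which is not a backtracking engine), and OLD_SAMPLE is constructed to fit the original decoder's pattern rather than taken from a real Asterisk log.

```python
import ipaddress
import re

# Log text as OSSEC sees it once the parent "asterisk" decoder has eaten the syslog
# header. NEW_SAMPLE is the line quoted in the thread; OLD_SAMPLE is constructed to
# fit the shape the original decoder expects (not taken from a real Asterisk log).
NEW_SAMPLE = ("NOTICE[20127]: chan_sip.c:25030 in handle_request_register: "
              "Registration from '\"6100\" <sip:6100@X.X.X.X>' failed for "
              "'85.25.110.243:5188' - Wrong password")
OLD_SAMPLE = ("NOTICE[1234]: chan_sip.c:12345 in handle_request_register: "
              "Registration from '6100' failed for '10.0.0.5' - Wrong password")

OLD_DENIED2 = {"prematch": "Registration from ",
               "regex": r"failed for '(\d+.\d+.\d+.\d+)'", "order": ["srcip"]}
NEW_DENIED2 = {"prematch": "Registration from ",
               "regex": r"failed for '(\S+):(\d+)'", "order": ["srcip", "srcport"]}

def ossec_to_python(pattern):
    r"""Translate the OSSEC regex subset used here into Python re syntax: \d \s
    \S \w classes, '.' any char, + * repeats, ^ $ anchors, () captures, '\.' a
    literal dot; everything else (brackets included) is literal in OSSEC."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("\\" + nxt if nxt in "dsSwWD" else re.escape(nxt))
            i += 2
        else:
            out.append(c if c in ".+*^$()|" else re.escape(c))
            i += 1
    return "".join(out)

def decode(decoder, message):
    """Emulate a child decoder: prematch must hit, the regex then runs on the
    text after it (offset="after_prematch"), captures map onto <order>."""
    pre = re.search(ossec_to_python(decoder["prematch"]), message)
    if pre is None:
        return None
    m = re.search(ossec_to_python(decoder["regex"]), message[pre.end():])
    return None if m is None else dict(zip(decoder["order"], m.groups()))

def usable_srcip(fields):
    """Active response needs a bare address in srcip; reject a missed decode
    or a capture that still carries a port or other junk."""
    try:
        ipaddress.ip_address(fields["srcip"])
        return True
    except (TypeError, KeyError, ValueError):
        return False
```

Each decoder matches only one of the two formats, which is the gap a rule covering both old and new samples would have to close.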