Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
working with an Asterisk box. I've followed this link [1], and trying to
enumerate users I'm able to correlate and fire mails correctly with OSSIM,
but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
post-actions like DROP $SRCIP.

Taking a look at the link provided, his log appears only to contain the src IP,
like this:

May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
handle_request_register: Registration from ‘”355″<sip:355@192.168.1.60>’
failed for ‘[[[192.168.210.48]]]’ – No matching peer found

You can see "failed for 'x.x.x.x'" only.

But it seems like in recent versions like mine (stable Elastix and OSSEC 2.8),
the log says "failed for 'x.x.x.x:UDPPORT'", so I figured it could be some
regexp issue, time to check.

- Log from the post provided and the default regexp in decoder.xml,
"\d+.\d+.\d+.\d+", in regexpr.com: it correctly matches SRCIP but it fails, you
can try yourself:

May [[[[[[19 11:42:17]]]]] asterisk asterisk[5200]: NOTICE[14808]:
chan_sip.c:15889 in handle_request_register: Registration from
‘”355″<sip:[[[355@192.168.1.60]]]]]>’ failed for ‘192.168.210.48’ – No
matching peer found

- Escaping the dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly
matches the IP address, and for IP:UDPPORT you can use \d+\.\d+\.\d+\.\d+\:\d+.

But placing all these tweaks in the decoder and restarting the OSSEC server did
not work, OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
OSSEC rule, as it is the event seen in the OSSIM UI when I run svwar:

<rule id="6212" level="5">
  <if_sid>6201</if_sid>
  <match>No matching peer found</match>
  <description>Login session failed (invalid extension).</description>
  <group>invalid_login,</group>
</rule>


I'll keep trying tomorrow, keep in touch please!

Kind Regards,

Daniel

[1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
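A quick way to see what each of the decoder regexes in this thread actually extracts is to run them over both log forms. The script below is an added example, not part of the thread or of the OSSEC project: it uses Python's `re` as a stand-in for OSSEC's own regex engine (whose syntax is simpler and not identical, so treat the results as an approximation of decoder behaviour), takes the three `failed for` patterns from Daniel's message above and from Simon's quoted decoder changes further down, and adds a fourth pattern of my own ("either") that accepts both the bare IP and the IP:port form. The log lines are constructed from the samples in the thread.

```python
import re

# Constructed samples, reduced to the Asterisk NOTICE text after the syslog
# header. OLD_FORM mirrors the sysbrain post (no port), NEW_FORM mirrors
# Simon's Ubuntu log (IP:port), and BOGUS is a deliberately non-IP value that
# shows what an unescaped dot lets through.
OLD_FORM = ("Registration from '\"355\"<sip:355@192.168.1.60>' "
            "failed for '192.168.210.48' - No matching peer found")
NEW_FORM = ("Registration from '\"6100\" <sip:6100@X.X.X.X>' "
            "failed for '85.25.110.243:5188' - Wrong password")
BOGUS = ("Registration from '\"1\" <sip:1@X.X.X.X>' "
         "failed for '1a2b3c4' - Wrong password")

# Decoder regexes from the thread, each paired with its <order> fields.
# "either" is my own Python-only variant (optional port group); OSSEC's
# decoder syntax would need its own equivalent, e.g. two decoders.
DECODERS = {
    "original":  (r"failed for '(\d+.\d+.\d+.\d+)'", ["srcip"]),
    "escaped":   (r"failed for '(\d+\.\d+\.\d+\.\d+)'", ["srcip"]),
    "with_port": (r"failed for '(\S+):(\d+)'", ["srcip", "srcport"]),
    "either":    (r"failed for '(\d+\.\d+\.\d+\.\d+)(?::(\d+))?'",
                  ["srcip", "srcport"]),
}


def decode(decoder, line):
    """Apply one decoder regex to a log line.

    Returns a dict of extracted fields (srcip, srcport) like OSSEC's <order>
    mapping would, or None when the regex does not match at all (which is
    what leaves OSSIM showing SRCIP 0.0.0.0).
    """
    pattern, order = DECODERS[decoder]
    match = re.search(pattern, line)
    if match is None:
        return None
    return {field: value
            for field, value in zip(order, match.groups())
            if value is not None}


def coverage():
    """Return {decoder: {sample: fields-or-None}} for every combination."""
    samples = {"old": OLD_FORM, "new": NEW_FORM, "bogus": BOGUS}
    return {name: {label: decode(name, line) for label, line in samples.items()}
            for name in DECODERS}


if __name__ == "__main__":
    for name, results in coverage().items():
        for label, fields in results.items():
            print(f"{name:10} {label:6} -> {fields}")
```

The table this prints makes the two problems visible side by side: the original unescaped pattern matches the old log form but also accepts a non-IP string such as `1a2b3c4` because `.` matches any character, and it does not match the IP:port form at all; Simon's `(\S+):(\d+)` pattern handles the new form with a port but misses the old form without one. Only a pattern that treats the port as optional covers both, which is the rule dan says he would try to write.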

2015-02-09 20:21 GMT+01:00 dan (ddp) <ddp...@gmail.com>:

> On Mon, Feb 9, 2015 at 2:10 PM, Security <secur...@gillet-bouillon.eu>
> wrote:
> > Could be.
> > I don't know if I have to write to the dev mailing list to have it fixed
> in
> > the next release.
> > I'm running my modified version on 3 asterisk instances and I'm very
> happy
> > with the results.
> >
>
> Your best option is to open an issue on the github.
> https://github.com/ossec/ossec-hids
> If I remember I'll try to come up with a rule that covers both the old
> and new log samples we have.
>
> > Regards,
> >
> > Simon Gillet
> >
> > Le 9 févr. 2015 à 14:08, dan (ddp) <ddp...@gmail.com> a écrit :
> >
> > On Sun, Feb 8, 2015 at 5:26 PM, Security <secur...@gillet-bouillon.eu>
> > wrote:
> >
> > Hello,
> >
> > I think the Asterisk rules could be wrong. Or at least for Ubuntu.
> > OSSEC always failed blocking brute force attempt on Asterisk.
> > A standard log entry for a brute force attempt looks like:
> >
> > Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
> > handle_request_register: Registration from '"6100" <sip:6100@X.X.X.X>'
> > failed for '85.25.110.243:5188' - Wrong password
> >
> >
> > This log sample is different than the one we were provided previously.
> >
> > I changed the rules in the decoder.xml files and I have no much better
> > results.
> >
> > Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
> brute
> > force attempts.
> >
> > Regards,
> >
> > Simon Gillet
> >
> > I changed this rule:
> >
> > <decoder name="asterisk-denied">
> >  <parent>asterisk</parent>
> >  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
> >  <regex offset="after_prematch">^\S+ failed for
> '(\d+.\d+.\d+.\d+)'</regex>
> >  <order>srcip</order>
> > </decoder>
> >
> > To this one:
> >
> > <decoder name="asterisk-denied">
> >  <parent>asterisk</parent>
> >  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
> >  <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
> >  <order>srcip,srcport</order>
> > </decoder>
> >
> > And this rule:
> >
> > <decoder name="asterisk-denied2">
> >  <parent>asterisk</parent>
> >  <prematch>Registration from </prematch>
> >  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
> >  <order>srcip</order>
> > </decoder>
> >
> > To this one:
> >
> > <decoder name="asterisk-denied2">
> >  <parent>asterisk</parent>
> >  <prematch>Registration from </prematch>
> >  <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
> >  <order>srcip,srcport</order>
> > </decoder>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
