On Tue, Feb 10, 2015 at 8:01 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Feb 10, 2015 7:57 AM, "Daniel Calvo Castro"
> <daniel.ca...@kernelsecurity.es> wrote:
>>
>> Hi again
>>
>> These brackets are for emphasis, sorry for not clarifying this, but it
>> clearly looks like it is a regexp issue. I'm going to deal with it now
>> and I'll post if I'm able to solve it. Maybe some other people are
>> dealing with this; any help would be really appreciated. Is there a
>> ticket opened on github as suggested? I'll do that in such case.
>>
>
> I opened one about the regex issue I'm seeing with this.
>

Which was ultimately not an issue. Somehow utf-8 characters polluted the
log message I was testing with.

>> Kind Regards
>>
>> 2015-02-10 13:31 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>> On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
>>> <daniel.ca...@kernelsecurity.es> wrote:
>>>> Just today I've been experiencing the same issues trying to get OSSIM +
>>>> OSSEC working with an asterisk box. I've followed this link [1], and
>>>> trying to enumerate users I'm able to correlate and fire mails correctly
>>>> with OSSIM, but the UI always shows $SRCIP 0.0.0.0, so it seems useless
>>>> to configure post-actions like DROP $SRCIP.
>>>>
>>>> Taking a look at the link provided, his log appears only to contain the
>>>> src IP, like that:
>>>>
>>>> May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”355″<sip:355@192.168.1.60>’ failed for ‘[[[192.168.210.48]]]’ – No matching peer found
>>>>
>>>> You can see "failed for 'x.x.x.x'" only.
>>>>
>>>> But it seems like in recent versions like mine (stable Elastix and ossec
>>>> 2.8), the log says "failed for 'x.x.x.x:UDPPORT'", so I figured it could
>>>> be some regexp issue, time to check.
>>>>
>>>> - log from post provided and default regexp in decoder.xml
>>>> "\d+.\d+.\d+.\d+" in regexpr.com correctly matches SRCIP but it fails,
>>>> you can try yourself:
>>>>
>>>> May [[[[[[19 11:42:17]]]]] asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”355″<sip:[[[355@192.168.1.60]]]]]>’ failed for ‘192.168.210.48’ – No matching peer found
>>>>
>>>
>>> Are these brackets really in the log message, or are they there for
>>> emphasis?
>>>
>>>> - Escaping dot characters solves the problem, \d+\.\d+\.\d+\.\d+
>>>> correctly
>>>
>>> \. matches any single character.
>>>
>>>> matches IP address, and for IP:UDPPORT you can use
>>>> \d+\.\d+\.\d+\.\d+\:\d+.
>>>>
>>>> But placing all these tweakings in the decoder and restarting the ossec
>>>> server did not work, OSSIM always matches SRCIP like 0.0.0.0. In fact, I
>>>> modified this ossec rule, as it is the event seen in the OSSIM UI when I
>>>> run svwar:
>>>>
>>>
>>> For some reason I can't get the regex to work with the single quotes
>>> around the IP address.
>>>
>>>> <rule id="6212" level="5">
>>>>   <if_sid>6201</if_sid>
>>>>   <match>No matching peer found</match>
>>>>   <description>Login session failed (invalid extension).</description>
>>>>   <group>invalid_login,</group>
>>>> </rule>
>>>>
>>>> I'll keep trying tomorrow, keep in touch please!
>>>>
>>>> Kind Regards,
>>>>
>>>> Daniel
>>>>
>>>> [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
>>>>
>>>> 2015-02-09 20:21 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>>>>
>>>>> On Mon, Feb 9, 2015 at 2:10 PM, Security <secur...@gillet-bouillon.eu>
>>>>> wrote:
>>>>>> Could be.
>>>>>> I don't know if I have to write to the dev mailing list to have it
>>>>>> fixed in the next release.
>>>>>> I'm running my modified version on 3 asterisk instances and I'm very
>>>>>> happy with the results.
>>>>>>
>>>>>
>>>>> Your best option is to open an issue on the github.
>>>>> https://github.com/ossec/ossec-hids
>>>>> If I remember I'll try to come up with a rule that covers both the old
>>>>> and new log samples we have.
>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Simon Gillet
>>>>>>
>>>>>> On 9 Feb 2015, at 14:08, dan (ddp) <ddp...@gmail.com> wrote:
>>>>>>
>>>>>> On Sun, Feb 8, 2015 at 5:26 PM, Security
>>>>>> <secur...@gillet-bouillon.eu> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I think the Asterisk rules could be wrong. Or at least for Ubuntu.
>>>>>> OSSEC always failed blocking brute force attempts on Asterisk.
>>>>>> A standard log entry for a brute force attempt looks like:
>>>>>>
>>>>>> Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in handle_request_register: Registration from '"6100" <sip:6100@X.X.X.X>' failed for '85.25.110.243:5188' - Wrong password
>>>>>>
>>>>>>
>>>>>> This log sample is different than the one we were provided
>>>>>> previously.
>>>>>>
>>>>>> I changed the rules in the decoder.xml files and I have now much
>>>>>> better results.
>>>>>>
>>>>>> Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
>>>>>> brute force attempts.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Simon Gillet
>>>>>>
>>>>>> I changed this rule:
>>>>>>
>>>>>> <decoder name="asterisk-denied">
>>>>>>   <parent>asterisk</parent>
>>>>>>   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
>>>>>>   <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
>>>>>>   <order>srcip</order>
>>>>>> </decoder>
>>>>>>
>>>>>> To this one:
>>>>>>
>>>>>> <decoder name="asterisk-denied">
>>>>>>   <parent>asterisk</parent>
>>>>>>   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
>>>>>>   <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
>>>>>>   <order>srcip,srcport</order>
>>>>>> </decoder>
>>>>>>
>>>>>> And this rule:
>>>>>>
>>>>>> <decoder name="asterisk-denied2">
>>>>>>   <parent>asterisk</parent>
>>>>>>   <prematch>Registration from </prematch>
>>>>>>   <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
>>>>>>   <order>srcip</order>
>>>>>> </decoder>
>>>>>>
>>>>>> To this one:
>>>>>>
>>>>>> <decoder name="asterisk-denied2">
>>>>>>   <parent>asterisk</parent>
>>>>>>   <prematch>Registration from </prematch>
>>>>>>   <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
>>>>>>   <order>srcip,srcport</order>
>>>>>> </decoder>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>> an email to ossec-list+unsubscr...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
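A simulation of the asterisk-denied2 decoder behaviour discussed in this thread, added here as an example (not code from the thread or from the OSSEC project): a small translator for the subset of OSSEC's os_regex syntax these decoders use (`\d` digits, `\S` non-space, `\.` any character, while `.`, `:`, `'` and `[` are literals; these semantics are an assumption taken from the OSSEC regex documentation, and Python's backtracking `re` stands in for OSSEC's own engine), run over constructed log fragments modelled on the samples quoted above. It shows why the shipped regex stops extracting srcip once the port is appended, that the modified regex matches only the new format, that dropping the closing quote (my own variant, not from the thread) covers both, and that the blog post's smart quotes defeat all three.

```python
import re

# Added example, not from the thread or OSSEC itself: simulate the subset of
# OSSEC's os_regex syntax used by the asterisk decoders, with Python re standing
# in for OSSEC's engine. Assumed semantics: \d=[0-9], \s=space, \S=non-space,
# \w=[A-Za-z0-9@_-], '\.' = any character, and '.', ':', "'", '[' are literals.
OSSEC_CLASSES = {"d": "[0-9]", "s": " ", "S": "[^ ]", "w": "[A-Za-z0-9@_-]", ".": "."}

def ossec_to_python(pattern):
    """Translate an OSSEC regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "+*()^$|" else re.escape(c))
            i += 1
    return "".join(out)

PREMATCH = "Registration from "  # <prematch> shared by every asterisk-denied2 variant
DECODERS = {  # name: (<regex offset="after_prematch">, <order>)
    "original": (r"failed for '(\d+.\d+.\d+.\d+)'", ["srcip"]),        # as shipped
    "modified": (r"failed for '(\S+):(\d+)'", ["srcip", "srcport"]),   # from the thread
    "combined": (r"failed for '(\d+.\d+.\d+.\d+)", ["srcip"]),         # my own variant
}

def decode(regex, order, message):
    """Apply the prematch, then the regex on the remainder; map groups to <order>."""
    m = re.search(ossec_to_python(PREMATCH), message)
    if not m:
        return None
    m = re.search(ossec_to_python(regex), message[m.end():])
    return dict(zip(order, m.groups())) if m else None

# Constructed fragments modelled on the thread's log lines (syslog header already
# consumed by the parent 'asterisk' decoder); 'curly' keeps the blog's smart quotes.
SAMPLES = {
    "old": "Registration from '\"355\"<sip:355@192.168.1.60>' failed for "
           "'192.168.210.48' - No matching peer found",
    "new": "Registration from '\"6100\" <sip:6100@X.X.X.X>' failed for "
           "'85.25.110.243:5188' - Wrong password",
    "curly": "Registration from \u2018\u201d355\u2033<sip:355@192.168.1.60>\u2019 "
             "failed for \u2018192.168.210.48\u2019 \u2013 No matching peer found",
}

def decode_all():
    """Run every decoder over every sample; None means no srcip is extracted."""
    return {(d, s): decode(*DECODERS[d], SAMPLES[s]) for d in DECODERS for s in SAMPLES}
```

Confirm any candidate decoder against a real install with ossec-logtest, since this simulator only approximates OSSEC's matching.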