Hi dan,

I've finally solved the issue: there was a regexp issue in the ossim
plugin for ossec (ossec-single-line.cfg), so now ossim correctly
parses srcip and dstip in the UI.

Kind Regards

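Added worked example (editor's code, not code from this thread, from OSSEC or from OSSIM): Python translations of the two decoder regexes quoted further down in the thread, run against constructed Asterisk log lines in both the older bare-IP format and the newer IP:PORT format, together with a hypothetical combined pattern whose port group is optional, and a small check for the non-ASCII quote characters that dan found polluting his test sample. The sample lines and addresses are constructed for this example; OSSEC's own regex dialect is not Python's (there a bare `.` is a literal dot and `\.` means any character), so the patterns below are Python equivalents for illustration, not strings to paste into decoder.xml.

```python
import re

# Constructed sample lines (addresses made up), modelled on the two Asterisk
# log formats quoted in the thread: the older format ends the address in a
# bare IP, the newer one appends :PORT.
OLD_FORMAT = (
    "May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in "
    "handle_request_register: Registration from '\"355\"<sip:355@192.168.1.60>' "
    "failed for '192.168.210.48' - No matching peer found"
)
NEW_FORMAT = (
    "Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in "
    "handle_request_register: Registration from '\"6100\" <sip:6100@10.0.0.5>' "
    "failed for '192.0.2.10:5188' - Wrong password"
)
# The old line as it looks when copied from a web page: the ASCII quotes around
# the address were replaced by typographic quotes (U+2018 / U+2019), the kind of
# pollution dan describes in the thread.
POLLUTED = OLD_FORMAT.replace("'192.168.210.48'", "\u2018192.168.210.48\u2019")

# Python translations of the decoder regexes from the thread. OSSEC's own
# dialect differs (a bare '.' is a literal dot there and '\.' means any
# character), so these are equivalents for demonstration, not decoder strings.
ORIGINAL_DECODER = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+)'")   # bare IP only
PORT_ONLY_DECODER = re.compile(r"failed for '(\S+):(\d+)'")           # IP:PORT only
# Hypothetical combined pattern (an assumption of this example, not from the
# thread): the port group is optional and the address is constrained to an
# IPv4 shape instead of the permissive \S+.
COMBINED_DECODER = re.compile(
    r"failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?'"
)


def decode(pattern, line):
    """Apply one decoder pattern; return {'srcip', 'srcport'} or None on no match."""
    m = pattern.search(line)
    if m is None:
        return None
    groups = m.groups()
    return {"srcip": groups[0], "srcport": groups[1] if len(groups) > 1 else None}


def srcip_for_ui(pattern, line):
    """Mirror the symptom from the thread: an undecoded srcip shows up as 0.0.0.0."""
    fields = decode(pattern, line)
    return fields["srcip"] if fields else "0.0.0.0"


def non_ascii_chars(line):
    """Characters outside ASCII in a sample line; a non-empty result means the
    sample was probably copied through a web page rather than taken from the log."""
    return sorted({ch for ch in line if ord(ch) > 127})


if __name__ == "__main__":
    for name, pattern in [("original", ORIGINAL_DECODER),
                          ("port-only", PORT_ONLY_DECODER),
                          ("combined", COMBINED_DECODER)]:
        for label, line in [("old", OLD_FORMAT), ("new", NEW_FORMAT), ("polluted", POLLUTED)]:
            print(f"{name:9} {label:8} -> {decode(pattern, line)}")
    print("non-ASCII in polluted sample:", non_ascii_chars(POLLUTED))
```

Running the script shows the trade-off the thread circles around: the original pattern decodes only the bare-IP format, the port-only replacement decodes only the IP:PORT format, and each leaves srcip at 0.0.0.0 on the other format. Before touching a decoder, run `non_ascii_chars` over the sample you are testing with; a sample pasted from a blog post can fail for quoting reasons that have nothing to do with the regex.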

2015-02-10 14:07 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
> On Tue, Feb 10, 2015 at 8:01 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Feb 10, 2015 7:57 AM, "Daniel Calvo Castro"
>> <daniel.ca...@kernelsecurity.es> wrote:
>>>
>>> Hi again
>>>
>>> These brackets are for emphasis, sorry for not clarifying this, but it
>>> clearly looks like it is a regexp issue. I'm going to deal with it now
>>> and I'll post if I'm able to solve it. Maybe some other people are
>>> dealing with this; any help would be really appreciated. Is there a ticket
>>> opened on github as suggested? I'll do that in that case.
>>>
>>
>> I opened one about the regex issue I'm seeing with this.
>>
>
> Which was ultimately not an issue. Somehow utf-8 characters polluted
> the log message I was testing with.
>
>>> Kind Regards
>>>
>>> 2015-02-10 13:31 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>> > On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
>>> > <daniel.ca...@kernelsecurity.es> wrote:
>>> >> Just today I've been experiencing the same issues trying to get OSSIM +
>>> >> OSSEC working with an asterisk box. I've followed this link [1], and trying
>>> >> to enumerate users I'm able to correlate and fire mails correctly with
>>> >> OSSIM, but the UI always shows $SRCIP 0.0.0.0, so it seems useless to
>>> >> configure post-actions like DROP $SRCIP.
>>> >>
>>> >> Taking a look at the link provided, his log appears only to contain the
>>> >> src IP, like this:
>>> >>
>>> >> May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]:
>>> >> chan_sip.c:15889 in
>>> >> handle_request_register: Registration from
>>> >> ‘”355″<sip:355@192.168.1.60>’
>>> >> failed for ‘[[[192.168.210.48]]]’ – No matching peer found
>>> >>
>>> >> You can see "failed for 'x.x.x.x'" only.
>>> >>
>>> >> But it seems like in recent versions like mine (stable Elastix and ossec
>>> >> 2.8), the log says "failed for 'x.x.x.x:UDPPORT'", so I figured it could
>>> >> be some regexp issue; time to check.
>>> >>
>>> >> - With the log from the post provided and the default regexp in
>>> >> decoder.xml, "\d+.\d+.\d+.\d+", regexpr.com correctly matches SRCIP but
>>> >> it fails; you can try yourself:
>>> >>
>>> >> May [[[[[[19 11:42:17]]]]] asterisk asterisk[5200]: NOTICE[14808]:
>>> >> chan_sip.c:15889 in handle_request_register: Registration from
>>> >> ‘”355″<sip:[[[355@192.168.1.60]]]]]>’ failed for ‘192.168.210.48’ – No
>>> >> matching peer found
>>> >>
>>> >
>>> > Are these brackets really in the log message, or are they there for
>>> > emphasis?
>>> >
>>> >> - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly
>>> >
>>> > \. matches any single character.
>>> >
>>> >> matches IP address, and for IP:UDPPORT you can use
>>> >> \d+\.\d+\.\d+\.\d+\:\d+.
>>> >>
>>> >> But placing all these tweaks in the decoder and restarting the ossec
>>> >> server did not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I
>>> >> modified this ossec rule, as this is the event seen in the OSSIM UI when
>>> >> I run svwar:
>>> >>
>>> >
>>> > For some reason I can't get the regex to work with the single quotes
>>> > around the IP address.
>>> >
>>> >> <rule id="6212" level="5">
>>> >> <if_sid>6201</if_sid>
>>> >> <match>No matching peer found</match>
>>> >> <description>Login session failed (invalid extension).</description>
>>> >> <group>invalid_login,</group>
>>> >> </rule>
>>> >>
>>> >>
>>> >> I'll keep trying tomorrow, keep in touch please!
>>> >>
>>> >> Kind Regards,
>>> >>
>>> >> Daniel
>>> >>
>>> >> [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
>>> >>
>>> >> 2015-02-09 20:21 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>>> >>>
>>> >>> On Mon, Feb 9, 2015 at 2:10 PM, Security <secur...@gillet-bouillon.eu>
>>> >>> wrote:
>>> >>> > Could be.
>>> >>> > I don't know if I have to write to the dev mailing list to have it
>>> >>> > fixed in the next release.
>>> >>> > I'm running my modified version on 3 asterisk instances and I'm very
>>> >>> > happy with the results.
>>> >>> >
>>> >>>
>>> >>> Your best option is to open an issue on the github.
>>> >>> https://github.com/ossec/ossec-hids
>>> >>> If I remember I'll try to come up with a rule that covers both the old
>>> >>> and new log samples we have.
>>> >>>
>>> >>> > Regards,
>>> >>> >
>>> >>> > Simon Gillet
>>> >>> >
>>> >>> > On 9 Feb 2015 at 14:08, dan (ddp) <ddp...@gmail.com> wrote:
>>> >>> >
>>> >>> > On Sun, Feb 8, 2015 at 5:26 PM, Security
>>> >>> > <secur...@gillet-bouillon.eu>
>>> >>> > wrote:
>>> >>> >
>>> >>> > Hello,
>>> >>> >
>>> >>> > I think the Asterisk rules could be wrong. Or at least for Ubuntu.
>>> >>> > OSSEC always failed to block brute force attempts on Asterisk.
>>> >>> > A standard log entry for a brute force attempt looks like:
>>> >>> >
>>> >>> > Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030
>>> >>> > in
>>> >>> > handle_request_register: Registration from '"6100"
>>> >>> > <sip:6100@X.X.X.X>'
>>> >>> > failed for '85.25.110.243:5188' - Wrong password
>>> >>> >
>>> >>> >
>>> >>> > This log sample is different than the one we were provided previously.
>>> >>> >
>>> >>> > I changed the rules in the decoder.xml files and I have no much better
>>> >>> > results.
>>> >>> >
>>> >>> > Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
>>> >>> > brute force attempts.
>>> >>> >
>>> >>> > Regards,
>>> >>> >
>>> >>> > Simon Gillet
>>> >>> >
>>> >>> > I changed this rule:
>>> >>> >
>>> >>> > <decoder name="asterisk-denied">
>>> >>> >  <parent>asterisk</parent>
>>> >>> >  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
>>> >>> >  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
>>> >>> >  <order>srcip</order>
>>> >>> > </decoder>
>>> >>> >
>>> >>> > To this one:
>>> >>> >
>>> >>> > <decoder name="asterisk-denied">
>>> >>> >  <parent>asterisk</parent>
>>> >>> >  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
>>> >>> >  <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
>>> >>> >  <order>srcip,srcport</order>
>>> >>> > </decoder>
>>> >>> >
>>> >>> > And this rule:
>>> >>> >
>>> >>> > <decoder name="asterisk-denied2">
>>> >>> >  <parent>asterisk</parent>
>>> >>> >  <prematch>Registration from </prematch>
>>> >>> >  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
>>> >>> >  <order>srcip</order>
>>> >>> > </decoder>
>>> >>> >
>>> >>> > To this one:
>>> >>> >
>>> >>> > <decoder name="asterisk-denied2">
>>> >>> >  <parent>asterisk</parent>
>>> >>> >  <prematch>Registration from </prematch>
>>> >>> >  <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
>>> >>> >  <order>srcip,srcport</order>
>>> >>> > </decoder>
>>> >>> >
>>> >>> > --
>>> >>> >
>>> >>> > ---
>>> >>> > You received this message because you are subscribed to the Google
>>> >>> > Groups
>>> >>> > "ossec-list" group.
>>> >>> > To unsubscribe from this group and stop receiving emails from it,
>>> >>> > send
>>> >>> > an
>>> >>> > email to ossec-list+unsubscr...@googlegroups.com.
>>> >>> > For more options, visit https://groups.google.com/d/optout.
>>> >>>
>>> >>
>>> >>
>>> >
>>>
>
