[ossec-list] Mac OS X Server 10.5 FTP logs
Daniel,

Great! Here are a few sample log entries (from /var/log/secure.log):

Jun 20 09:00:42 File-Server ftpd[65613]: Failed authentication from: [U2FsdGVkX18af1PrJ6KSUhskC8ikccfvTqyjjJI/qtk=] @ 58.211.16.202 [58.211.16.202]
Jun 20 09:00:52 File-Server ftpd[65625]: Failed authentication from: [U2FsdGVkX1+RbLXPa7lV2Ly9a3Bir9x88RdjF2oWkg4=] @ 58.211.16.202 [58.211.16.202]
Jun 20 09:01:02 File-Server ftpd[65639]: Failed authentication from: [U2FsdGVkX18V16WdD4Z7rcx6tv0zBiUG6bok2Y3IQGQ=] @ 58.211.16.202 [58.211.16.202]
Jun 25 10:24:06 File-Server ftpd[29807]: Failed authentication from: 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]
Jun 25 10:24:25: --- last message repeated 1 time ---
Jun 25 10:24:25 File-Server ftpd[29871]: Failed authentication from: 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]

Other times malformed attacks look like this:

Jul 4 02:11:44 File-Server ftpd[54844]: FTP LOGIN REFUSED (PASS before USER) FROM 202.113.244.42 [202.113.244.42]

Thanks!

Charles

On Jun 24, 2008, at 20:02, Daniel Cid wrote:

> Hi Charles,
>
> We currently do not support ftpd logs from Mac OS. If you can provide a few log samples to us (from a successful connection, failed password, invalid user trying to FTP, etc.), we can easily create some decoders/rules for it.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, Jun 21, 2008 at 6:37 AM, kef_list [EMAIL PROTECTED] wrote:
>
>> Hi Guys,
>>
>> I am having a problem with ossec 1.4 under Mac OS X Server 10.5. The ftpd logs are not interpreted correctly and the IP address is not read, so the active response is never triggered. Below are two sample alert logs:
>>
>> ** Alert 1213947151.801450: mail - syslog,errors,
>> 2008 Jun 20 09:32:31 File-Server-/var/log/system.log
>> Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
>> Src IP: (none)
>> User: (none)
>> Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS before USER) FROM 58.211.16.202 [58.211.16.202]
>>
>> ** Alert 1213947135.800831: mail - syslog,access_control,authentication_failed,
>> 2008 Jun 20 09:32:15 File-Server-/var/log/system.log
>> Rule: 2502 (level 10) - 'User missed the password more than one time'
>> Src IP: (none)
>> User: (none)
>> Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from 58.211.16.202 [58.211.16.202]
>>
>> In both cases the Src IP is read as none so my firewall is never activated... Does anyone know how to fix this?
>>
>> Thanks,
>>
>> Charles
>>
>> Institut Balear de Comunicacions, S.L.
>> Gremio Tejedores 22, 1
>> 07009 Palma de Mallorca, Spain
>> Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
>> Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
>> URL: http://www.ibacom.es/
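The root cause in the alerts above is that the stock OSSEC decoders know nothing about Mac OS X's ftpd, so srcip stays empty and the active response has no address to hand to the firewall. As an added example (not the decoder Daniel later shipped, and not part of this thread), the fragment below shows the shape of a fix: a parent decoder keyed on the ftpd program name, a child decoder that fills srcip, and two local rules. Every ftpd line in Charles's samples, whatever its wording, ends with the client address in square brackets, so a single child decoder anchored on that trailing `[a.b.c.d]` covers all of them. The decoder name `macos-ftpd`, rule ids 100100/100101, and the frequency/timeframe values are assumptions; in OSSEC's regex dialect a plain `.` is a literal dot and `\d` a digit.

```xml
<!-- Added example, not from the original post or the OSSEC tree.
     Decoder name, rule ids and thresholds are placeholders. -->

<!-- local_decoder.xml: parent decoder, keyed on the syslog program name -->
<decoder name="macos-ftpd">
  <program_name>^ftpd</program_name>
</decoder>

<!-- Child decoder: all sampled variants end in "[<ip>]", e.g.
       Failed authentication from: [...] @ 58.211.16.202 [58.211.16.202]
       Failed authentication from: 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]
       FTP LOGIN REFUSED (PASS before USER) FROM 202.113.244.42 [202.113.244.42]
       repeated login failures from 58.211.16.202 [58.211.16.202]
     so one regex anchored with $ populates srcip for every one of them.
     The "last message repeated N times" syslog line has no program name
     and is simply not decoded. -->
<decoder name="macos-ftpd-srcip">
  <parent>macos-ftpd</parent>
  <regex>[(\d+.\d+.\d+.\d+)]$</regex>
  <order>srcip</order>
</decoder>

<!-- local_rules.xml -->
<group name="syslog,ftpd,">
  <!-- single failure: low level, but now carries srcip -->
  <rule id="100100" level="5">
    <decoded_as>macos-ftpd</decoded_as>
    <match>Failed authentication from</match>
    <description>Mac OS X ftpd: authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- 6 failures from the same address within 120 s (placeholder values):
       level 10 with srcip set is what a firewall-drop active response needs -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Mac OS X ftpd: multiple authentication failures from the same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

After dropping these into local_decoder.xml and local_rules.xml, paste one of the sample lines into ossec-logtest: Phase 2 should now report `decoder: 'macos-ftpd'` with a populated srcip, which is the field the "Src IP: (none)" alerts were missing.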
[ossec-list] Multiple windows audit events
Hi.

Is there any way to suppress or stop the checking of a specific alert? Namely the one that alerts me when Windows firewall has detected an application is listening for incoming traffic. Rule 18153 gets called but it doesn't seem to work if I disable it.

Also having problems with multiple Windows 2003 systems where the CPU is pegging at 100%, but I haven't checked the object access audit setting yet to see if that's the cause.

I am running version 1.5.1

Thanks.

Roch

--
Sent from Gmail for mobile | mobile.google.com
[ossec-list] Re: Multiple windows audit events
Suppression is easily accomplished using local rules:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Basically you'll want something like this:

    <rule id="11" level="0">
      <if_sid>18153</if_sid>
      <description>Ignore Multiple Windows audit failure events</description>
    </rule>

I would suggest only ignoring for noisy hosts by adding srcip tags to the local rule. This way you don't miss something new down the road. Check local_rules.xml for more examples.

Cheers

On Fri, Jul 4, 2008 at 5:38 AM, Roch [EMAIL PROTECTED] wrote:

> Hi.
>
> Is there any way to suppress or stop the checking of a specific alert? Namely the one that alerts me when Windows firewall has detected an application is listening for incoming traffic. Rule 18153 gets called but it doesn't seem to work if I disable it.
>
> Also having problems with multiple Windows 2003 systems where the CPU is pegging at 100%, but I haven't checked the object access audit setting yet to see if that's the cause.
>
> I am running version 1.5.1
>
> Thanks.
>
> Roch
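The reply recommends scoping the ignore rule to the noisy hosts rather than silencing rule 18153 everywhere. As an added example (not from the original reply), this is what that scoped version looks like; the rule id 100200 and the address 192.0.2.10 are placeholders. For events that arrive with no decoded source address, `<hostname>` plays the same role as `<srcip>`.

```xml
<!-- Added example, not part of the original thread. Goes in local_rules.xml.
     Rule id and address are placeholders; pick an id in your local range. -->
<group name="local,windows,">
  <!-- level 0 = never alert, but only for events from this one host;
       every other host keeps firing rule 18153 as before -->
  <rule id="100200" level="0">
    <if_sid>18153</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Ignore Windows audit failure noise from a known-noisy host.</description>
  </rule>
</group>
```

Feeding one of the noisy events to ossec-logtest confirms which rule wins: the output should end with rule 100200 at level 0 and no "Alert to be generated" line for that host, while the same event tagged with another source still reaches 18153.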
[ossec-list] Testing OSSEC rules
Hi list,

I just posted on my blog about a very useful tool (available on CVS) to test the rules/decoders in real time. If you ever need to write or change rules, it can save a lot of time. If you are interested, take a look at:

http://www.ossec.net/dcid/?p=136

Part of the output from logtest, when run against a sshd message:

    # ./ossec-logtest
    2008/07/04 09:57:28 ossec-testrule: INFO: Started (pid: 12683).
    ossec-testrule: Type one log per line.

    Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2

    **Phase 1: Completed pre-decoding.
           full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
           hostname: 'enigma'
           program_name: 'sshd'
           log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

    **Phase 2: Completed decoding.
           decoder: 'sshd'
           dstuser: 'dcid'
           srcip: '192.168.2.10'

    **Phase 3: Completed filtering (rules).
           Rule id: '10100'
           Level: '4'
           Description: 'First time user logged in.'
    **Alert to be generated.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
[ossec-list] Re: Link to ossec and snort paper is broken
BRconnection changed to the new website and URL changed. I posted them at the Snort Brazilian website so it's easier to keep the same URL:

http://www.snort.org.br/arquivos/ossec-snort-activeresponse_english.pdf
http://www.snort.org.br/arquivos/ossec-snort-activeresponse_pt-BR.pdf

Daniel, could you post something at the ossec site about this?

Regards,

Rodrigo Montoro (Sp0oKeR)

On Thu, Jul 3, 2008 at 5:08 PM, carlopmart [EMAIL PROTECTED] wrote:

> List Subscriptions wrote:
>
>> I believe this is the paper you're looking for.
>>
>> Cheers!
>>
>> On Thu, Jul 3, 2008 at 11:38 AM, carlopmart [EMAIL PROTECTED] wrote:
>>
>>> Hi all,
>>>
>>> I see this link about configuring snort with ossec, but the link is broken ... Does somebody know where I can find the original doc?
>>>
>>> Many thanks.
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>
> Many thanks
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
===
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===