Re: [ossec-list] Asterisk rules for Ubuntu

2015-03-09 Thread Daniel Calvo Castro
Hi dan,

I've finally solved the issue: there was a regexp issue in the ossim
plugin for ossec (ossec-single-line.cfg), so now ossim is correctly
parsing srcip and dstip in the UI.

Kind Regards


2015-02-10 14:07 GMT+01:00 dan (ddp) ddp...@gmail.com:
 On Tue, Feb 10, 2015 at 8:01 AM, dan (ddp) ddp...@gmail.com wrote:

 On Feb 10, 2015 7:57 AM, Daniel Calvo Castro
 daniel.ca...@kernelsecurity.es wrote:

 Hi again

 These brackets are for emphasis, sorry for not clarifying this, but it
 clearly looks like it is a regexp issue. I'm going to deal with it now
 and I'll post if I'm able to solve it. Maybe some other people are
 dealing with this; any help would be really appreciated. Is there a ticket
 opened on github as suggested? I'll do that in that case.


 I opened one about the regex issue I'm seeing with this.


 Which was ultimately not an issue. Somehow utf-8 characters polluted
 the log message I was testing with.

 Kind Regards

 2015-02-10 13:31 GMT+01:00 dan (ddp) ddp...@gmail.com:
  On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
  daniel.ca...@kernelsecurity.es wrote:
  Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
  working with an asterisk box. I've followed this link [1], and trying to
  enumerate users I'm able to correlate and fire mails correctly with OSSIM,
  but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
  post-actions like DROP $SRCIP.

  Taking a look at the link provided, his log appears only to contain the src IP,
  like this:

  May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
  handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
  failed for ‘[[[192.168.210.48]]]’ – No matching peer found

  You can see failed for 'x.x.x.x' only.

  But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
  the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
  regexp issue, time to check.

  - The log from the post provided and the default regexp in decoder.xml,
  \d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
  can try yourself:

  May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
  chan_sip.c:15889 in handle_request_register: Registration from
  ‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
  matching peer found


  Are these brackets really in the log message, or are they there for
  emphasis?

  - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly

  \. matches any single character.

  matches the IP address, and for IP:UDPPORT you can use
  \d+\.\d+\.\d+\.\d+\:\d+.

  But placing all these tweaks in the decoder and restarting the ossec server did
  not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
  ossec rule, as it is the event seen in the OSSIM UI when I run svwar:


  For some reason I can't get the regex to work with the single quotes
  around the IP address.

  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>
 
 
  I´ll keep trying tomorrow, keep in touch please!
 
  Kind Regards,
 
  Daniel
 
  [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
 
  2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:
 
  On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
  wrote:
   Could be.
   I don't know if I have to write to the dev mailing list to have it fixed
   in the next release.
   I'm running my modified version on 3 asterisk instances and I'm very
   happy with the results.
  
 
  Your best option is to open an issue on the github.
  https://github.com/ossec/ossec-hids
  If I remember I'll try to come up with a rule that covers both the old
  and new log samples we have.
 
   Regards,
  
   Simon Gillet
  
   On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
  
   On Sun, Feb 8, 2015 at 5:26 PM, Security
   secur...@gillet-bouillon.eu
   wrote:
  
   Hello,
  
   I think the Asterisk rules could be wrong. Or at least for Ubuntu.
   OSSEC always failed blocking brute force attempts on Asterisk.
   A standard log entry for a brute force attempt looks like:

   Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
   handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
   failed for '85.25.110.243:5188' - Wrong password


   This log sample is different than the one we were provided previously.

   I changed the rules in the decoder.xml files and I now have much better
   results.

   Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
   brute force attempts.

   Regards,

   Simon Gillet

   I changed this rule:

   <decoder name="asterisk-denied">
     <parent>asterisk</parent>
     <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
     <regex offset="after_prematch">^\S+ failed for
   

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Feb 10, 2015 7:57 AM, Daniel Calvo Castro 
daniel.ca...@kernelsecurity.es wrote:

 Hi again

 These brackets are for emphasis, sorry for not clarifying this, but it
 clearly looks like it is a regexp issue. I'm going to deal with it now
 and I'll post if I'm able to solve it. Maybe some other people are
 dealing with this; any help would be really appreciated. Is there a ticket
 opened on github as suggested? I'll do that in that case.


I opened one about the regex issue I'm seeing with this.

 Kind Regards

 2015-02-10 13:31 GMT+01:00 dan (ddp) ddp...@gmail.com:
  On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
  daniel.ca...@kernelsecurity.es wrote:
  Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
  working with an asterisk box. I've followed this link [1], and trying to
  enumerate users I'm able to correlate and fire mails correctly with OSSIM,
  but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
  post-actions like DROP $SRCIP.

  Taking a look at the link provided, his log appears only to contain the src IP,
  like this:

  May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
  handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
  failed for ‘[[[192.168.210.48]]]’ – No matching peer found

  You can see failed for 'x.x.x.x' only.

  But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
  the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
  regexp issue, time to check.

  - The log from the post provided and the default regexp in decoder.xml,
  \d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
  can try yourself:

  May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
  chan_sip.c:15889 in handle_request_register: Registration from
  ‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
  matching peer found


  Are these brackets really in the log message, or are they there for
  emphasis?

  - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly

  \. matches any single character.

  matches the IP address, and for IP:UDPPORT you can use
  \d+\.\d+\.\d+\.\d+\:\d+.

  But placing all these tweaks in the decoder and restarting the ossec server did
  not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
  ossec rule, as it is the event seen in the OSSIM UI when I run svwar:


  For some reason I can't get the regex to work with the single quotes
  around the IP address.

  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>
 
 
  I´ll keep trying tomorrow, keep in touch please!
 
  Kind Regards,
 
  Daniel
 
  [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
 
  2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:
 
  On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
  wrote:
   Could be.
   I don't know if I have to write to the dev mailing list to have it fixed
   in the next release.
   I'm running my modified version on 3 asterisk instances and I'm very
   happy with the results.
  
 
  Your best option is to open an issue on the github.
  https://github.com/ossec/ossec-hids
  If I remember I'll try to come up with a rule that covers both the old
  and new log samples we have.
 
   Regards,
  
   Simon Gillet
  
   On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
  
   On Sun, Feb 8, 2015 at 5:26 PM, Security 
secur...@gillet-bouillon.eu
   wrote:
  
   Hello,
  
   I think the Asterisk rules could be wrong. Or at least for Ubuntu.
   OSSEC always failed blocking brute force attempts on Asterisk.
   A standard log entry for a brute force attempt looks like:

   Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
   handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
   failed for '85.25.110.243:5188' - Wrong password


   This log sample is different than the one we were provided previously.

   I changed the rules in the decoder.xml files and I now have much better
   results.

   Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
   brute force attempts.

   Regards,

   Simon Gillet

   I changed this rule:

   <decoder name="asterisk-denied">
     <parent>asterisk</parent>
     <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
     <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
     <order>srcip</order>
   </decoder>

   To this one:

   <decoder name="asterisk-denied">
     <parent>asterisk</parent>
     <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
     <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
     <order>srcip,srcport</order>
   </decoder>

   And this rule:

   <decoder name="asterisk-denied2">
     <parent>asterisk</parent>
     <prematch>Registration from </prematch>
     <regex offset="after_prematch">failed for

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Tue, Feb 10, 2015 at 8:01 AM, dan (ddp) ddp...@gmail.com wrote:

 On Feb 10, 2015 7:57 AM, Daniel Calvo Castro
 daniel.ca...@kernelsecurity.es wrote:

 Hi again

 These brackets are for emphasis, sorry for not clarifying this, but it
 clearly looks like it is a regexp issue. I'm going to deal with it now
 and I'll post if I'm able to solve it. Maybe some other people are
 dealing with this; any help would be really appreciated. Is there a ticket
 opened on github as suggested? I'll do that in that case.


 I opened one about the regex issue I'm seeing with this.


Which was ultimately not an issue. Somehow utf-8 characters polluted
the log message I was testing with.

 Kind Regards

 2015-02-10 13:31 GMT+01:00 dan (ddp) ddp...@gmail.com:
  On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
  daniel.ca...@kernelsecurity.es wrote:
  Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
  working with an asterisk box. I've followed this link [1], and trying to
  enumerate users I'm able to correlate and fire mails correctly with OSSIM,
  but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
  post-actions like DROP $SRCIP.

  Taking a look at the link provided, his log appears only to contain the src IP,
  like this:

  May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
  handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
  failed for ‘[[[192.168.210.48]]]’ – No matching peer found

  You can see failed for 'x.x.x.x' only.

  But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
  the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
  regexp issue, time to check.

  - The log from the post provided and the default regexp in decoder.xml,
  \d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
  can try yourself:

  May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
  chan_sip.c:15889 in handle_request_register: Registration from
  ‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
  matching peer found


  Are these brackets really in the log message, or are they there for
  emphasis?

  - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly

  \. matches any single character.

  matches the IP address, and for IP:UDPPORT you can use
  \d+\.\d+\.\d+\.\d+\:\d+.

  But placing all these tweaks in the decoder and restarting the ossec server did
  not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
  ossec rule, as it is the event seen in the OSSIM UI when I run svwar:


  For some reason I can't get the regex to work with the single quotes
  around the IP address.

  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>
 
 
  I´ll keep trying tomorrow, keep in touch please!
 
  Kind Regards,
 
  Daniel
 
  [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
 
  2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:
 
  On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
  wrote:
   Could be.
   I don't know if I have to write to the dev mailing list to have it fixed
   in the next release.
   I'm running my modified version on 3 asterisk instances and I'm very
   happy with the results.
  
 
  Your best option is to open an issue on the github.
  https://github.com/ossec/ossec-hids
  If I remember I'll try to come up with a rule that covers both the old
  and new log samples we have.
 
   Regards,
  
   Simon Gillet
  
   On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
  
   On Sun, Feb 8, 2015 at 5:26 PM, Security
   secur...@gillet-bouillon.eu
   wrote:
  
   Hello,
  
   I think the Asterisk rules could be wrong. Or at least for Ubuntu.
   OSSEC always failed blocking brute force attempts on Asterisk.
   A standard log entry for a brute force attempt looks like:

   Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
   handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
   failed for '85.25.110.243:5188' - Wrong password


   This log sample is different than the one we were provided previously.

   I changed the rules in the decoder.xml files and I now have much better
   results.

   Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
   brute force attempts.

   Regards,

   Simon Gillet

   I changed this rule:

   <decoder name="asterisk-denied">
     <parent>asterisk</parent>
     <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
     <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
     <order>srcip</order>
   </decoder>

   To this one:

   <decoder name="asterisk-denied">
     <parent>asterisk</parent>
     <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
     <regex offset="after_prematch">^failed for

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread Daniel Calvo Castro
Hi again

These brackets are for emphasis, sorry for not clarifying this, but it
clearly looks like it is a regexp issue. I'm going to deal with it now
and I'll post if I'm able to solve it. Maybe some other people are
dealing with this; any help would be really appreciated. Is there a ticket
opened on github as suggested? I'll do that in that case.

Kind Regards

2015-02-10 13:31 GMT+01:00 dan (ddp) ddp...@gmail.com:
 On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
 daniel.ca...@kernelsecurity.es wrote:
 Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
 working with an asterisk box. I've followed this link [1], and trying to
 enumerate users I'm able to correlate and fire mails correctly with OSSIM,
 but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
 post-actions like DROP $SRCIP.

 Taking a look at the link provided, his log appears only to contain the src IP,
 like this:

 May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
 handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
 failed for ‘[[[192.168.210.48]]]’ – No matching peer found

 You can see failed for 'x.x.x.x' only.

 But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
 the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
 regexp issue, time to check.

 - The log from the post provided and the default regexp in decoder.xml,
 \d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
 can try yourself:

 May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
 chan_sip.c:15889 in handle_request_register: Registration from
 ‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
 matching peer found


 Are these brackets really in the log message, or are they there for emphasis?

 - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly

 \. matches any single character.

 matches the IP address, and for IP:UDPPORT you can use \d+\.\d+\.\d+\.\d+\:\d+.

 But placing all these tweaks in the decoder and restarting the ossec server did
 not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
 ossec rule, as it is the event seen in the OSSIM UI when I run svwar:


 For some reason I can't get the regex to work with the single quotes
 around the IP address.

 <rule id="6212" level="5">
   <if_sid>6201</if_sid>
   <match>No matching peer found</match>
   <description>Login session failed (invalid extension).</description>
   <group>invalid_login,</group>
 </rule>


 I´ll keep trying tomorrow, keep in touch please!

 Kind Regards,

 Daniel

 [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/

 2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:

 On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
 wrote:
  Could be.
  I don't know if I have to write to the dev mailing list to have it fixed
  in the next release.
  I'm running my modified version on 3 asterisk instances and I'm very
  happy with the results.
 

 Your best option is to open an issue on the github.
 https://github.com/ossec/ossec-hids
 If I remember I'll try to come up with a rule that covers both the old
 and new log samples we have.

  Regards,
 
  Simon Gillet
 
  On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
 
  On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu
  wrote:
 
  Hello,
 
  I think the Asterisk rules could be wrong. Or at least for Ubuntu.
  OSSEC always failed blocking brute force attempts on Asterisk.
  A standard log entry for a brute force attempt looks like:

  Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
  handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
  failed for '85.25.110.243:5188' - Wrong password


  This log sample is different than the one we were provided previously.

  I changed the rules in the decoder.xml files and I now have much better
  results.

  Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
  brute force attempts.

  Regards,

  Simon Gillet

  I changed this rule:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
    <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
    <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>

  And this rule:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>
 

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-10 Thread dan (ddp)
On Mon, Feb 9, 2015 at 4:23 PM, Daniel Calvo Castro
daniel.ca...@kernelsecurity.es wrote:
 Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
 working with an asterisk box. I've followed this link [1], and trying to
 enumerate users I'm able to correlate and fire mails correctly with OSSIM,
 but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
 post-actions like DROP $SRCIP.

 Taking a look at the link provided, his log appears only to contain the src IP,
 like this:

 May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
 handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
 failed for ‘[[[192.168.210.48]]]’ – No matching peer found

 You can see failed for 'x.x.x.x' only.

 But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
 the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
 regexp issue, time to check.

 - The log from the post provided and the default regexp in decoder.xml,
 \d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
 can try yourself:

 May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
 chan_sip.c:15889 in handle_request_register: Registration from
 ‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
 matching peer found


Are these brackets really in the log message, or are they there for emphasis?

 - Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly

\. matches any single character.

 matches the IP address, and for IP:UDPPORT you can use \d+\.\d+\.\d+\.\d+\:\d+.

 But placing all these tweaks in the decoder and restarting the ossec server did
 not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
 ossec rule, as it is the event seen in the OSSIM UI when I run svwar:


For some reason I can't get the regex to work with the single quotes
around the IP address.

 <rule id="6212" level="5">
   <if_sid>6201</if_sid>
   <match>No matching peer found</match>
   <description>Login session failed (invalid extension).</description>
   <group>invalid_login,</group>
 </rule>


 I´ll keep trying tomorrow, keep in touch please!

 Kind Regards,

 Daniel

 [1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/

 2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:

 On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
 wrote:
  Could be.
  I don't know if I have to write to the dev mailing list to have it fixed
  in the next release.
  I'm running my modified version on 3 asterisk instances and I'm very
  happy with the results.
 

 Your best option is to open an issue on the github.
 https://github.com/ossec/ossec-hids
 If I remember I'll try to come up with a rule that covers both the old
 and new log samples we have.

  Regards,
 
  Simon Gillet
 
  On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
 
  On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu
  wrote:
 
  Hello,
 
  I think the Asterisk rules could be wrong. Or at least for Ubuntu.
  OSSEC always failed blocking brute force attempts on Asterisk.
  A standard log entry for a brute force attempt looks like:

  Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
  handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
  failed for '85.25.110.243:5188' - Wrong password


  This log sample is different than the one we were provided previously.

  I changed the rules in the decoder.xml files and I now have much better
  results.

  Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
  brute force attempts.

  Regards,

  Simon Gillet

  I changed this rule:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
    <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
    <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>

  And this rule:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>
 
  --
 
  ---
  You received this message because you are subscribed to the Google
  Groups
  ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, send
  an
  email to ossec-list+unsubscr...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.
 
 
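As an added example, not code from this thread or from OSSEC itself: a small Python harness that mimics the two-stage decoder (prematch, then the regex applied after the prematch) so the stock asterisk-denied decoder, Simon's IP:port version and a combined pattern of my own can be run against both log samples from this thread, and that flags the non-ASCII quote characters dan found polluting his pasted sample. It assumes Python's re in place of OSSEC's own regex dialect (so `\.` here is a literal dot, whereas in OSSEC it matches any character), that whitespace between the prematch end and the regex start is skipped, and the names decode, evaluate and "combined" are mine, not OSSEC's.

```python
import re

# Log samples quoted in this thread (retyped with plain ASCII quotes).
OLD_STYLE = ("May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in "
             "handle_request_register: Registration from '\"355\"sip:355@192.168.1.60' "
             "failed for '192.168.210.48' - No matching peer found")
NEW_STYLE = ("Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in "
             "handle_request_register: Registration from '6100 sip:6100@X.X.X.X' "
             "failed for '85.25.110.243:5188' - Wrong password")
# Constructed: the old sample with the curly quotes a blog paste introduces.
POLLUTED = OLD_STYLE.replace("'192.168.210.48'", "\u2018192.168.210.48\u2019")

# The parent "asterisk" decoder keys on the program name; the child decoders
# then see only the message after "asterisk[pid]: ".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ asterisk\[\d+\]: (.*)$")

# Python translations of the decoders discussed in the thread.
DECODERS = {
    # stock asterisk-denied: user part must be one token, no port allowed
    "original": {
        "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Registration from ",
        "regex": r"^\S+ failed for '(\d+\.\d+\.\d+\.\d+)'",
        "order": ["srcip"],
    },
    # Simon's version: two-token user part and a mandatory :port
    "simon": {
        "prematch": r"^NOTICE\[\d+\]: \S+ in \S+: Registration from \S+ \S+",
        "regex": r"^failed for '(\S+):(\d+)'",
        "order": ["srcip", "srcport"],
    },
    # My combined form (assumption, not from the thread): unanchored search
    # after "Registration from ", port optional, so both formats decode.
    "combined": {
        "prematch": r"Registration from ",
        "regex": r"failed for '(\d+\.\d+\.\d+\.\d+)(?::(\d+))?'",
        "order": ["srcip", "srcport"],
    },
}


def strip_syslog_header(log):
    """Return the message part the child decoders operate on, or None."""
    m = SYSLOG_HEADER.match(log)
    return m.group(1) if m else None


def decode(log, decoder):
    """Mimic OSSEC's prematch + offset=after_prematch regex; dict or None."""
    msg = strip_syslog_header(log)
    if msg is None:
        return None
    pre = re.search(decoder["prematch"], msg)
    if pre is None:
        return None
    # Harness simplification: skip whitespace between prematch end and regex.
    rest = msg[pre.end():].lstrip()
    m = re.search(decoder["regex"], rest)
    if m is None:
        return None
    return {name: value
            for name, value in zip(decoder["order"], m.groups())
            if value is not None}


def non_ascii_chars(log):
    """Characters outside ASCII, e.g. curly quotes pasted from a web page."""
    return sorted({c for c in log if ord(c) > 127})


def evaluate(log):
    """Run every decoder on one line and report any suspicious characters."""
    return {
        "non_ascii": non_ascii_chars(log),
        "results": {name: decode(log, d) for name, d in DECODERS.items()},
    }


if __name__ == "__main__":
    for label, sample in (("old", OLD_STYLE), ("new", NEW_STYLE), ("polluted", POLLUTED)):
        print(label, evaluate(sample))
```

The stock decoder decodes only the old format (the Ubuntu sample has a space inside the quoted registration string and a port), Simon's decodes only the new one, and the combined pattern handles both; the polluted sample decodes nowhere until its quotes are normalised.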

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-09 Thread Security
Could be.
I don’t know if I have to write to the dev mailing list to have it fixed in the 
next release.
I’m running my modified version on 3 asterisk instances and I’m very happy with 
the results.

Regards,

Simon Gillet

 On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
 
 On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu wrote:
 Hello,
 
 I think the Asterisk rules could be wrong. Or at least for Ubuntu.
 OSSEC always failed blocking brute force attempts on Asterisk.
 A standard log entry for a brute force attempt looks like:
 
 Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
 handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
 failed for '85.25.110.243:5188' - Wrong password
 
 
 This log sample is different than the one we were provided previously.
 
 I changed the rules in the decoder.xml files and I now have much better
 results.
 
 Let me know if I'm wrong, I'm not an OSSEC expert but now I block the brute
 force attempts.
 
 Regards,
 
 Simon Gillet
 
 I changed this rule:
 
 <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
   <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
   <order>srcip</order>
 </decoder>
 
 To this one:
 
 <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
   <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
   <order>srcip,srcport</order>
 </decoder>
 
 And this rule:
 
 <decoder name="asterisk-denied2">
   <parent>asterisk</parent>
   <prematch>Registration from </prematch>
   <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
   <order>srcip</order>
 </decoder>
 
 To this one:
 
 <decoder name="asterisk-denied2">
   <parent>asterisk</parent>
   <prematch>Registration from </prematch>
   <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
   <order>srcip,srcport</order>
 </decoder>
 


Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-09 Thread Daniel Calvo Castro
Just today I've been experiencing the same issues trying to get OSSIM + OSSEC
working with an asterisk box. I've followed this link [1], and trying to
enumerate users I'm able to correlate and fire mails correctly with OSSIM,
but the UI always shows $SRCIP 0.0.0.0, so it seems useless to configure
post-actions like DROP $SRCIP.

Taking a look at the link provided, his log appears only to contain the src IP,
like this:

May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in
handle_request_register: Registration from ‘”355″sip:355@192.168.1.60’
failed for ‘[[[192.168.210.48]]]’ – No matching peer found

You can see failed for 'x.x.x.x' only.

But it seems like in recent versions like mine (stable Elastix and ossec 2.8),
the log says failed for 'x.x.x.x:UDPPORT', so I figured it could be some
regexp issue, time to check.

- The log from the post provided and the default regexp in decoder.xml,
\d+.\d+.\d+.\d+, in regexpr.com correctly matches SRCIP but it fails; you
can try yourself:

May [[19 11:42:17] asterisk asterisk[5200]: NOTICE[14808]:
chan_sip.c:15889 in handle_request_register: Registration from
‘”355″sip:[[[355@192.168.1.60]’ failed for ‘192.168.210.48’ – No
matching peer found

- Escaping dot characters solves the problem: \d+\.\d+\.\d+\.\d+ correctly
matches the IP address, and for IP:UDPPORT you can use \d+\.\d+\.\d+\.\d+\:\d+.

But placing all these tweaks in the decoder and restarting the ossec server did
not work; OSSIM always matches SRCIP as 0.0.0.0. In fact, I modified this
ossec rule, as it is the event seen in the OSSIM UI when I run svwar:

<rule id="6212" level="5">
  <if_sid>6201</if_sid>
  <match>No matching peer found</match>
  <description>Login session failed (invalid extension).</description>
  <group>invalid_login,</group>
</rule>


I´ll keep trying tomorrow, keep in touch please!

Kind Regards,

Daniel

[1] https://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/

2015-02-09 20:21 GMT+01:00 dan (ddp) ddp...@gmail.com:

 On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu
 wrote:
  Could be.
  I don't know if I have to write to the dev mailing list to have it fixed
  in the next release.
  I'm running my modified version on 3 asterisk instances and I'm very
  happy with the results.
 

 Your best option is to open an issue on the github.
 https://github.com/ossec/ossec-hids
 If I remember I'll try to come up with a rule that covers both the old
 and new log samples we have.

  Regards,
 
  Simon Gillet
 
  On 9 Feb 2015 at 14:08, dan (ddp) ddp...@gmail.com wrote:
 
  On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu
  wrote:
 
  Hello,
 
  I think the Asterisk rules could be wrong. Or at least for Ubuntu.
  OSSEC always failed blocking brute force attempts on Asterisk.
  A standard log entry for a brute force attempt looks like:

  Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
  handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
  failed for '85.25.110.243:5188' - Wrong password


  This log sample is different than the one we were provided previously.

  I changed the rules in the decoder.xml files and I now have much better
  results.

  Let me know if I'm wrong, I'm not an OSSEC expert but now I block the
  brute force attempts.

  Regards,

  Simon Gillet

  I changed this rule:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
    <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
    <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>

  And this rule:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>

  To this one:

  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>
 
  --
 
  ---
  You received this message because you are subscribed to the Google Groups
  ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to ossec-list+unsubscr...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.
 
 
  --
 
  ---
  You received this message because you are subscribed to the Google Groups
  ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to ossec-list+unsubscr...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.
 
 
  --
 
  ---
  You received this message because you are subscribed to the Google Groups
  ossec-list group.
  To unsubscribe from this group and stop receiving emails from it, 

Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-09 Thread dan (ddp)
On Mon, Feb 9, 2015 at 2:10 PM, Security secur...@gillet-bouillon.eu wrote:
 Could be.
 I don't know if I have to write to the dev mailing list to have it fixed in
 the next release.
 I'm running my modified version on 3 asterisk instances and I'm very happy
 with the results.


Your best option is to open an issue on the github.
https://github.com/ossec/ossec-hids
If I remember I'll try to come up with a rule that covers both the old
and new log samples we have.

 Regards,

 Simon Gillet

 On 9 Feb 2015, at 14:08, dan (ddp) ddp...@gmail.com wrote:

 On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu
 wrote:

 Hello,

 I think the Asterisk rules could be wrong, or at least for Ubuntu.
 OSSEC always failed to block brute-force attempts on Asterisk.
 A standard log entry for a brute-force attempt looks like:

 Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
 handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
 failed for '85.25.110.243:5188' - Wrong password


 This log sample is different than the one we were provided previously.

 I changed the rules in the decoder.xml files and now I have much better
 results.

 Let me know if I'm wrong; I'm not an OSSEC expert, but now I block the
 brute-force attempts.

 Regards,

 Simon Gillet

 I changed this rule:

  <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
   <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
   <order>srcip</order>
  </decoder>
 
  To this one:
 
  <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
   <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
   <order>srcip,srcport</order>
  </decoder>
 
  And this rule:
 
  <decoder name="asterisk-denied2">
   <parent>asterisk</parent>
   <prematch>Registration from </prematch>
   <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
   <order>srcip</order>
  </decoder>
 
  To this one:
 
  <decoder name="asterisk-denied2">
   <parent>asterisk</parent>
   <prematch>Registration from </prematch>
   <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
   <order>srcip,srcport</order>
  </decoder>

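To see which capture expression fits which log format, here is an added example of my own (not code from this thread, and not OSSEC's own decoder engine). It renders the three decoders quoted above as Python `re` patterns, runs them over two constructed log lines (one in the older format without a source port, one in the newer `ip:port` format), and validates the captured srcip before it would be handed to active response. Assumptions: OSSEC's `[\d+]` and the dots inside the IP are written in Python as `\[\d+\]` and `\.`; Simon's prematch tail `\S+ \S+` is folded into his capture regex, so OSSEC's exact prematch/regex offset handling is not reproduced; the "combined" pattern is my suggestion, not something from the thread; the `192.0.2.10` registrar address in the sample is a documentation address standing in for the X.X.X.X in Simon's log.

```python
import ipaddress
import re

# Constructed sample lines (not real traffic), modelled on the two formats
# quoted in the thread. The syslog header is already stripped, as it is by
# the time the asterisk child decoders run.
SAMPLES = {
    "old": "NOTICE[14808]: chan_sip.c:15889 in handle_request_register: "
           "Registration from '\"355\"<sip:355@192.168.1.60>' "
           "failed for '192.168.210.48' - No matching peer found",
    "new": "NOTICE[20127]: chan_sip.c:25030 in handle_request_register: "
           "Registration from '6100 sip:6100@192.0.2.10' "
           "failed for '85.25.110.243:5188' - Wrong password",
}

# Python rendering of the stock asterisk-denied prematch (assumption: OSSEC's
# `[` `]` are literal here and are escaped for Python's re).
PREMATCH = re.compile(r"^NOTICE\[\d+\]: \S+ in \S+: Registration from ")

# Capture expressions applied to the text after PREMATCH, each with the field
# names its groups map to (OSSEC's <order>).
DECODERS = {
    # Stock decoder: the closing quote must follow the IP directly, so an
    # 'ip:port' value can never match.
    "stock": (re.compile(r"^\S+ failed for '(\d+\.\d+\.\d+\.\d+)'"), ("srcip",)),
    # Simon's version: needs a two-token from-field ('user sip:uri') and a port.
    "simon": (re.compile(r"^\S+ \S+ failed for '(\S+):(\d+)'"), ("srcip", "srcport")),
    # My suggestion (hypothetical, not from the thread): do not require the
    # closing quote, so the IP is captured whether or not ':port' follows.
    "combined": (re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+)"), ("srcip",)),
}


def decode(line, name):
    """Run one decoder: the prematch must hit at the start of the line, then the
    capture regex is applied to the remainder (OSSEC's offset="after_prematch").
    Returns the captured fields, or None when the decoder does not apply."""
    pm = PREMATCH.match(line)
    if pm is None:
        return None
    regex, order = DECODERS[name]
    m = regex.search(line[pm.end():])
    if m is None:
        return None
    return dict(zip(order, m.groups()))


def blockable_srcip(fields):
    """Active response (e.g. firewall-drop) keys on srcip; only hand it a value
    that parses as an IPv4 address, never an empty or malformed capture."""
    if not fields or "srcip" not in fields:
        return None
    try:
        return str(ipaddress.IPv4Address(fields["srcip"]))
    except ipaddress.AddressValueError:
        return None


def matrix():
    """Which decoder yields a usable srcip for which log format."""
    return {
        name: {fmt: blockable_srcip(decode(line, name)) for fmt, line in SAMPLES.items()}
        for name in DECODERS
    }


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:9s}", row)
```

The stock pattern only decodes the old format, Simon's only the new one, and the unquoted capture decodes both. In OSSEC's own syntax that last pattern is Simon's asterisk-denied2 regex with the trailing quote dropped, `failed for '(\d+.\d+.\d+.\d+)`; it yields srcip only, which is what a DROP-style active response needs. Whether a port should also be captured, and how, is a question for the GitHub issue mentioned above.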


Re: [ossec-list] Asterisk rules for Ubuntu

2015-02-09 Thread dan (ddp)
On Sun, Feb 8, 2015 at 5:26 PM, Security secur...@gillet-bouillon.eu wrote:
 Hello,

 I think the Asterisk rules could be wrong, or at least for Ubuntu.
 OSSEC always failed to block brute-force attempts on Asterisk.
 A standard log entry for a brute-force attempt looks like:

 Dec 17 22:37:25 new asterisk[20110]: NOTICE[20127]: chan_sip.c:25030 in
 handle_request_register: Registration from '6100 sip:6100@X.X.X.X'
 failed for '85.25.110.243:5188' - Wrong password


This log sample is different than the one we were provided previously.

 I changed the rules in the decoder.xml files and now I have much better
 results.

 Let me know if I'm wrong; I'm not an OSSEC expert, but now I block the
 brute-force attempts.

 Regards,

 Simon Gillet

 I changed this rule:

  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
    <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>
 
  To this one:
 
  <decoder name="asterisk-denied">
    <parent>asterisk</parent>
    <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from \S+ \S+</prematch>
    <regex offset="after_prematch">^failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>
 
  And this rule:
 
  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
    <order>srcip</order>
  </decoder>
 
  To this one:
 
  <decoder name="asterisk-denied2">
    <parent>asterisk</parent>
    <prematch>Registration from </prematch>
    <regex offset="after_prematch">failed for '(\S+):(\d+)'</regex>
    <order>srcip,srcport</order>
  </decoder>
