Daniel Cid wrote:
Hi Ken,
You got very close. The problem with your decoder is that the offset for the regex is set to after the "prematch". So, if it finds "rhost=xxx", the regex will start looking after the hostname. If you change the regex offset to "after_parent", it will start looking after the "pam_unix[pid] : " and will work.
<decoder name="pam-host">
<parent>pam</parent>
<prematch offset="after_parent">rhost=\S+</prematch>
<!-- regex now scans from the end of the parent "pam" match, not from the end of the prematched "rhost=..." text -->
<regex offset="after_parent">rhost=(\S+)</regex>
<order>srcip</order>
</decoder>
Hope it helps,
Yes, it does, thanks!
On an unrelated note, I found that putting a space into the $BADWORDS in
syslog_rules.xml for a couple entries "| error | bad |" helps alleviate
some false positives. We see this happen on users uploading things like
'error.php' and people with usernames like 'badboy', etc.
Thanks for your help and for OSSEC-HIDS!
Ken A.
Pacific.Net
*yes, we need to document the decoders :)
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/25/06, Ken A <[EMAIL PROTECTED]> wrote:
With ossec-hids-0.9 I'm having trouble getting a rule to work that will
match multiple auth failures in syslog written by dovecot(pam_unix).
"dovecot(pam_unix)[25346]: authentication failure; logname= uid=0 euid=0
tty= ruser= rhost=aa.bb.cc.dd"
By default, the authentication_failed group matches, and triggers the
attack rule based on that, but it doesn't match the IP, so it doesn't
trigger a block as I'd like it to.
So I added a rule to match <same_source_ip>, but that isn't ever
triggered, since the source IP doesn't seem to be decoded - it's not
showing in the alert logs that match the authentication failed messages.
I looked in the decoder.xml file and it looks like it should be matched
by the pam decoder. I added a new decoder just for host, rather than
host and user to try to catch it, but am not having any luck.
<decoder name="pam-host">
<parent>pam</parent>
<prematch offset="after_parent">rhost=\S+</prematch>
<regex offset="after_prematch">rhost=(\S+)</regex>
<order>srcip</order>
</decoder>
Can you help me understand what I'm missing?
Thanks,
Ken A
Pacific.Net
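The offset behaviour Daniel explains above, modelled in Python as an added example (not OSSEC's own code): it assumes the parent "pam" decoder matches the "program(pam_unix)[pid]: " prefix, and uses Python's re module as a stand-in for OSSEC's regex engine, which is enough to show why "after_prematch" leaves nothing for the regex to match.

```python
import re

# Constructed sample line from the thread; the rhost value is a placeholder.
LOG = ("dovecot(pam_unix)[25346]: authentication failure; logname= uid=0 euid=0 "
       "tty= ruser= rhost=aa.bb.cc.dd")

# Assumption: the parent "pam" decoder's match covers the syslog program-name
# prefix up to and including ": ". This is a model, not OSSEC's implementation.
PARENT_RE = re.compile(r"^[^:]*\(pam_unix\)\[\d+\]: ")


def run_child_decoder(log, prematch, prematch_offset, regex, regex_offset):
    """Simulate a child decoder: apply prematch, then regex, honouring offsets.

    Returns the first capture group (here, the srcip field) or None.
    """
    parent = PARENT_RE.match(log)
    if not parent:
        return None
    after_parent = parent.end()

    start = after_parent if prematch_offset == "after_parent" else 0
    pre = re.compile(prematch).search(log, start)
    if not pre:
        return None

    if regex_offset == "after_parent":
        start = after_parent
    elif regex_offset == "after_prematch":
        start = pre.end()  # scanning resumes AFTER the text prematch consumed
    else:
        start = 0
    m = re.compile(regex).search(log, start)
    return m.group(1) if m else None


def decode_original(log):
    """Ken's decoder: prematch eats "rhost=aa.bb.cc.dd", regex starts past it."""
    return run_child_decoder(log, r"rhost=\S+", "after_parent",
                             r"rhost=(\S+)", "after_prematch")


def decode_fixed(log):
    """Daniel's fix: regex restarts right after the parent match."""
    return run_child_decoder(log, r"rhost=\S+", "after_parent",
                             r"rhost=(\S+)", "after_parent")
```

With the original offsets the srcip field stays empty, so a <same_source_ip> rule can never fire; with the corrected offset the IP is decoded and the block rule has something to count.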