OSSEC isn't getting these messages at all.
Though I may have made a mistake regarding the Connection throttle..
that probably isn't detected yet.
I'm making my first (lame) attempt at rules on the applicable server:
<!-- frequency only works together with a timeframe (seconds); 120 is an assumed value -->
<rule id="6000" level="10" frequency="1" timeframe="120" ignore="4">
<match>reject=421 4.3.2 Connection rate limit exceeded</match>
<same_source_ip />
<description>SMTP connection throttle; usually BOTNET
activity.</description>
</rule>
and for RBLs and /etc/mail/access matches:
<!-- frequency needs a timeframe (120 s assumed), and a rule takes a single <regex>,
     so both alternatives go in one pattern joined with | -->
<rule id="6001" level="10" frequency="4" timeframe="120" ignore="5">
<match>reject=553 5.3.0</match>
<regex>Message from.*blocked|Rejected due to abuse</regex>
<same_source_ip />
<description>Excessive general connections from RBL and access
rejections</description>
</rule>
Still working on it - constructive criticism/input appreciated ;-)
_F
Daniel Cid wrote:
Hi Forrest,
Ossec is alerting on these events, but not blocking the ips? Is that
what is happening? Or is ossec not even getting these messages
at all?
Daniel
On 9/7/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
I installed the default OSSEC (server) on my internal mail system.
Since then, it has not triggered any actions on the sendmail file - and
though I'm still trying to grok how OSSEC is working, the rules in
sendmail_rules.xml seem like they should be triggering several events.
Namely:
(annoying botnet flooding)
reject=421 4.3.2 Connection rate limit exceeded.
(rbl rejections)
Sep 7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
I'm using sendmail - but it may be good to account for other MTAs like
Postfix eventually. The RBL reject message for sendmail can be easily
customized/tagged for identification by OSSEC if needed.
In this case, I want to block these subnets on a permanent basis - it's my
private system, and I really don't care.
Presently, I do this manually with the help of a couple of messy shell
scripts, but OSSEC could be doing this as an action.
I'm on FreeBSD_6.1, btw... which really shouldn't matter.
Thanks.
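To see what the two rules at the top of the thread would actually fire on, here is an added example (not OSSEC code and not Forrest's): a small Python re-implementation of their match/regex/same_source_ip/frequency logic run over constructed sm-mta lines. The 120-second timeframe, the documentation-range addresses and the simplified window counting are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not the thread's log), modelled on the sm-mta lines quoted
# in it; 203.0.113.9 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
Sep  7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep  7 13:07:19 mail sm-mta[69283]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep  7 13:07:31 mail sm-mta[69285]: ruleset=check_relay, arg1=[198.51.100.7], arg2=127.0.0.7, relay=[198.51.100.7], reject=553 5.3.0 Message from 198.51.100.7 blocked - see http://dnsbl.sorbs.net
Sep  7 13:07:40 mail sm-mta[69286]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep  7 13:08:02 mail sm-mta[69290]: ruleset=check_relay, arg1=[203.0.113.9], relay=[203.0.113.9], reject=421 4.3.2 Connection rate limit exceeded.
Sep  7 13:08:15 mail sm-mta[69291]: ruleset=check_relay, arg1=[60.55.8.6], relay=[60.55.8.6], reject=553 5.3.0 Rejected due to abuse
"""

# Rules 6000 and 6001 from the thread; timeframe 120 s is assumed, 6001's two regexes merged into one.
RULES = [
    {"id": 6000, "match": "reject=421 4.3.2 Connection rate limit exceeded",
     "regex": None, "frequency": 1, "timeframe": 120},
    {"id": 6001, "match": "reject=553 5.3.0",
     "regex": re.compile(r"Message from.*blocked|Rejected due to abuse"),
     "frequency": 4, "timeframe": 120},
]
RELAY_IP = re.compile(r"relay=\[([0-9.]+)\]")  # the srcip that <same_source_ip /> keys on

def evaluate(log_text, rules=RULES):
    """Return [(rule_id, srcip), ...] in firing order. Simplified counting (assumed, not OSSEC's
    internals): a rule fires once an IP has `frequency` matching lines within `timeframe` seconds."""
    alerts = []
    windows = defaultdict(deque)  # (rule_id, ip) -> timestamps still inside the window
    for line in log_text.splitlines():
        hit = RELAY_IP.search(line)
        if not hit:
            continue  # no srcip decoded, so same_source_ip can never be satisfied
        ip = hit.group(1)
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamps carry no year
        for rule in rules:
            if rule["match"] not in line:
                continue
            if rule["regex"] and not rule["regex"].search(line):
                continue
            window = windows[(rule["id"], ip)]
            window.append(ts)
            while (ts - window[0]).total_seconds() > rule["timeframe"]:
                window.popleft()  # drop hits that fell out of the timeframe
            if len(window) >= rule["frequency"]:
                alerts.append((rule["id"], ip))
                window.clear()  # one alert per burst, then start counting again
    return alerts
```

On the sample, rule 6000 fires on the single rate-limit line and rule 6001 fires on 60.55.8.6's fourth rejection, while 198.51.100.7 stays below the threshold.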