Hi Dave,
Thanks for the reply! I've looked in the /var/ossec/etc/ossec.conf and I
do have the following entry:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
OSSEC is definitely reading the maillog file, as I get other notices sent
to me via email, such as this one from this morning:
Received From: (Mail_Server77) xxx.xxx.xxx.10->/var/log/maillog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
The unfortunate thing is I get lots of emails about things that are less
significant, but the important stuff like brute force attacks I never get,
and I'm at a loss as to why. :-(
Has anyone else ever seen something similar to this? Could OSSEC not be
reading the log file fully, or be skipping parts of the log entirely?
thx,
SW
Dave Lowe wrote:
> Hi Steve,
>
> Can you please check to make sure that the maillog file is being
> monitored on the agent?
> The following should be in the /var/ossec/etc/ossec.conf on the agent:
> <localfile>
> <log_format>vpopmail</log_format>
> <location>/var/log/maillog</location>
> </localfile>
>
> I just tested this out with your log sample, and it worked well.
>
> Thanks
>
> Dave Lowe
>
>
>
> On 8/14/07, Steve West <[EMAIL PROTECTED]> wrote:
>
>
> Hi,
>
> I'm trying to figure out why the OSSEC Rule ID 9952 didn't fire even
> though I'm seeing a number of email harvesters scanning our mail
> servers.
>
> I've checked the OSSEC vpopmail rule file which contains the following
> rules:
>
> <rule id="9902" level="5">
> <if_sid>9900</if_sid>
> <match>vchkpw-pop3: vpopmail user not found </match>
> <group>invalid_login,</group>
> <description>Attempt to login with invalid username.</description>
> </rule>
>
>
> <rule id="9952" level="10" frequency="8" timeframe="240">
> <if_matched_sid>9902</if_matched_sid>
> <same_source_ip />
> <description>POP3 brute force (email harvesting).</description>
> <group>authentication_failures,</group>
> </rule>
>
>
> And the /var/log/maillog contains the following entries:
>
> # grep "69\.3\.64\.3" /var/log/maillog.1
>
> Aug 12 11:52:52 mail vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4165]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4168]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4170]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4171]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4172]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
> Aug 12 11:52:52 mail vpopmail[4173]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4175]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4187]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4190]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4191]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4192]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4193]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
> Aug 12 11:52:53 mail vpopmail[4195]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4196]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4197]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4198]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4199]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4200]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4202]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4203]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4204]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4205]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4207]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4208]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
> Aug 12 11:52:54 mail vpopmail[4212]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4218]: vchkpw-pop3: vpopmail user not found aaron@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4219]: vchkpw-pop3: vpopmail user not found spam@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4221]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4225]: vchkpw-pop3: vpopmail user not found abraham@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4228]: vchkpw-pop3: vpopmail user not found abraham@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4230]: vchkpw-pop3: vpopmail user not found abraham@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4231]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4237]: vchkpw-pop3: vpopmail user not found info@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4241]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4242]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4243]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
> Aug 12 11:52:55 mail vpopmail[4244]: vchkpw-pop3: vpopmail user not found abuse@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4249]: vchkpw-pop3: vpopmail user not found access@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4252]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4253]: vchkpw-pop3: vpopmail user not found help@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4255]: vchkpw-pop3: vpopmail user not found access@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4258]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4259]: vchkpw-pop3: vpopmail user not found access@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4260]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4262]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4264]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4265]: vchkpw-pop3: vpopmail user not found account@:69.3.64.3
> Aug 12 11:52:56 mail vpopmail[4266]: vchkpw-pop3: vpopmail user not found accounts@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4267]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4271]: vchkpw-pop3: vpopmail user not found accounts@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4273]: vchkpw-pop3: vpopmail user not found accounts@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4275]: vchkpw-pop3: vpopmail user not found accounts@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4277]: vchkpw-pop3: vpopmail user not found abby@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4280]: vchkpw-pop3: vpopmail user not found adam@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4281]: vchkpw-pop3: vpopmail user not found adam@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4282]: vchkpw-pop3: vpopmail user not found adam@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4283]: vchkpw-pop3: vpopmail user not found adam@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4285]: vchkpw-pop3: vpopmail user not found adam@:69.3.64.3
> Aug 12 11:52:57 mail vpopmail[4286]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4289]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4291]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4292]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4293]: vchkpw-pop3: vpopmail user not found admin@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4295]: vchkpw-pop3: vpopmail user not found abigail@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4296]: vchkpw-pop3: vpopmail user not found abraham@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4297]: vchkpw-pop3: vpopmail user not found admin@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4304]: vchkpw-pop3: vpopmail user not found admin@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4305]: vchkpw-pop3: vpopmail user not found access@:69.3.64.3
> Aug 12 11:52:58 mail vpopmail[4306]: vchkpw-pop3: vpopmail user not found access@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4309]: vchkpw-pop3: vpopmail user not found admin@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4310]: vchkpw-pop3: vpopmail user not found admin@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4314]: vchkpw-pop3: vpopmail user not found admin2@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4315]: vchkpw-pop3: vpopmail user not found admin2@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4316]: vchkpw-pop3: vpopmail user not found admin2@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4317]: vchkpw-pop3: vpopmail user not found admin2@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4318]: vchkpw-pop3: vpopmail user not found admin2@:69.3.64.3
> Aug 12 11:52:59 mail vpopmail[4320]: vchkpw-pop3: vpopmail user not found adrian@:69.3.64.3
> Aug 12 11:53:00 mail vpopmail[4322]: vchkpw-pop3: vpopmail user not found adrian@:69.3.64.3
> Aug 12 11:53:00 mail vpopmail[4323]: vchkpw-pop3: vpopmail user not found adrian@:69.3.64.3
> Aug 12 11:53:00 mail vpopmail[4324]: vchkpw-pop3: vpopmail user not found aerial@:69.3.64.3
> Aug 12 11:53:00 mail vpopmail[4328]: vchkpw-pop3: vpopmail user not found adm@:69.3.64.3
> Aug 12 11:53:01 mail vpopmail[4330]: vchkpw-pop3: vpopmail user not found aerial@:69.3.64.3
> Aug 12 11:53:01 mail vpopmail[4356]: vchkpw-pop3: vpopmail user not found accounts@:69.3.64.3
> Aug 12 11:53:01 mail vpopmail[4357]: vchkpw-pop3: vpopmail user not found aerial@:69.3.64.3
> Aug 12 11:53:01 mail vpopmail[4360]: vchkpw-pop3: vpopmail user not found aerial@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4363]: vchkpw-pop3: vpopmail user not found agent@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4364]: vchkpw-pop3: vpopmail user not found aerial@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4365]: vchkpw-pop3: vpopmail user not found agent@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4366]: vchkpw-pop3: vpopmail user not found agent@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4367]: vchkpw-pop3: vpopmail user not found agent@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4369]: vchkpw-pop3: vpopmail user not found adrian@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4380]: vchkpw-pop3: vpopmail user not found alan@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4382]: vchkpw-pop3: vpopmail user not found alan@:69.3.64.3
> Aug 12 11:53:02 mail vpopmail[4387]: vchkpw-pop3: vpopmail user not found adrian@:69.3.64.3
> Aug 12 11:53:03 mail vpopmail[4389]: vchkpw-pop3: vpopmail user not found alan@:69.3.64.3
> Aug 12 11:53:03 mail vpopmail[4392]: vchkpw-pop3: vpopmail user not found albert@:69.3.64.3
> Aug 12 11:53:03 mail vpopmail[4393]: vchkpw-pop3: vpopmail user not found albert@:69.3.64.3
> Aug 12 11:53:03 mail vpopmail[4394]: vchkpw-pop3: vpopmail user not found albert@:69.3.64.3
> Aug 12 11:53:03 mail vpopmail[4396]: vchkpw-pop3: vpopmail user not found albert@:69.3.64.3
> Aug 12 11:53:04 mail vpopmail[4398]: vchkpw-pop3: vpopmail user not found albert@:69.3.64.3
> Aug 12 11:53:04 mail vpopmail[4404]: vchkpw-pop3: vpopmail user not found alberto@:69.3.64.3
> Aug 12 11:53:05 mail vpopmail[4416]: vchkpw-pop3: vpopmail user not found alan@:69.3.64.3
>
>
> [EMAIL PROTECTED] ~]# grep "69\.3\.64\.3" -c /var/log/maillog.1
> 103
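As an added example (not code from the thread or from OSSEC itself), the Python below models how rule 9902 feeding rule 9952 is meant to correlate the log above: each matching line is grouped by the source IP the decoder extracts, and 9952 fires once `frequency` hits from one source fall inside `timeframe` seconds. The sample lines, the 192.0.2.10 and 198.51.100.7 addresses and the year 2007 are constructed assumptions, and the counting is a simplified model rather than OSSEC's exact frequency and suppression logic. It also shows the dependency worth checking when a composite rule stays silent: if the decoder does not populate srcip, `<same_source_ip />` has nothing to group on and the rule can never fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder step: pull out the fields the composite rule needs from a vpopmail line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"(?P<msg>vchkpw-pop3: vpopmail user not found) (?P<user>\S*)@:(?P<srcip>[\d.]+)$"
)
LOG_YEAR = 2007  # assumption: syslog timestamps carry no year

def decode(line, extract_srcip=True):
    """Return decoded fields, or None if the line is not a vpopmail 'user not found' line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    # extract_srcip=False models a decoder that leaves srcip unset.
    return {"ts": ts.timestamp(), "msg": m["msg"], "user": m["user"],
            "srcip": m["srcip"] if extract_srcip else None}

def correlate(lines, frequency=8, timeframe=240, extract_srcip=True):
    """Simplified model of rule 9902 feeding rule 9952; returns a list of (srcip, ts) alerts."""
    # OSSEC's exact frequency counting and alert suppression are not reproduced here.
    window = defaultdict(deque)  # srcip -> timestamps of recent 9902 hits
    alerts = []
    for line in lines:
        d = decode(line, extract_srcip)
        if d is None or "vchkpw-pop3: vpopmail user not found" not in d["msg"]:
            continue  # rule 9902 does not match this line
        if d["srcip"] is None:
            continue  # <same_source_ip /> has no field to group on, so 9952 can never fire
        q = window[d["srcip"]]
        q.append(d["ts"])
        while q and d["ts"] - q[0] > timeframe:
            q.popleft()  # forget hits that fell outside the timeframe
        if len(q) >= frequency:
            alerts.append((d["srcip"], d["ts"]))
            q.clear()  # start a fresh window after the alert
    return alerts

# Constructed sample (not the thread's real log): one host probing ten names in three
# seconds, plus a single stray failure from a second host.
SAMPLE_LOG = [
    f"Aug 12 11:52:{52 + i // 4:02d} mail vpopmail[{4162 + i}]: "
    f"vchkpw-pop3: vpopmail user not found {user}@:192.0.2.10"
    for i, user in enumerate(["support", "info", "help", "spam", "aaron",
                              "abby", "abigail", "abraham", "abuse", "admin"])
] + ["Aug 12 11:55:01 mail vpopmail[4400]: vchkpw-pop3: vpopmail user not found root@:198.51.100.7"]
```

Running `correlate(SAMPLE_LOG)` yields one 9952-style alert for 192.0.2.10, while `correlate(SAMPLE_LOG, extract_srcip=False)` yields none even though every line matches 9902.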