I am trying to learn enough about writing decoders and local rules to use ossec-hids in protecting my spam-filter gateways against distributed zombie attacks, but I've run into one that I haven't been able to figure out.
The maillog entry that I want to decode is:

    Nov 30 00:05:41 mxgf2 sm-mta-in[52687]: lAU558MF052687: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=155.69.124.178

That should trigger the `sendmail-reject' decoder, so I added a child:

    <decoder name="sendmail-blocked-cbl">
      <parent>sendmail-reject</parent>
      <prematch>ip=</prematch>
      <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
      <order>srcip</order>
    </decoder>

Then in local_rules.xml:

    <rule id="100060" level="0">
      <decoded_as>sendmail-blocked-cbl</decoded_as>
      <description>Zombie pc connection</description>
      <description>Blocked by cbl.abuseat.org.</description>
      <group>spam,</group>
    </rule>

    <rule id="100062" level="5">
      <if_sid>100060</if_sid>
      <description>Zombie pc detected and blocked.</description>
      <group>spam,</group>
    </rule>

    <rule id="100064" level="10" frequency="5" timeframe="60">
      <if_matched_sid>100062</if_matched_sid>
      <same_source_ip />
      <description>Multiple Zombie connections.</description>
      <group>multiple_spam,</group>
    </rule>

But - nothing. Not even a 100062 alert (log_alert_level 1). I have similar rules operating to detect multiple smf-sav-rcpt connections that work OK, the only difference being that they do not use child decoders. Hopefully someone can point me in the right direction. I've read everything I can find, but obviously I don't have something right.
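The following is an added example, not code from the post or from OSSEC. It re-implements just the two steps the posted child decoder performs (a literal prematch, then a regex applied after the prematch) so the pattern can be exercised against the maillog line without a running ossec-analysisd. It deliberately does not model the parent: in OSSEC a child decoder is only tried after its parent has matched, so a pass here only proves that the child's own pattern extracts srcip from the line; whether `sendmail-reject' actually matches this Milter entry is the other half of the question and is best checked by pasting the line into /var/ossec/bin/ossec-logtest. The second log line is constructed (a reject without a CBL URL) to show the decoder correctly yielding nothing; the sender addresses are left as redacted in the post.

```python
"""Offline check of the posted child decoder (added example, not OSSEC code)."""
import re
import xml.etree.ElementTree as ET

# Decoder definition copied from the post.
DECODER_XML = r"""
<decoder name="sendmail-blocked-cbl">
  <parent>sendmail-reject</parent>
  <prematch>ip=</prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>
"""

# Test input: the maillog line from the post, plus a constructed reject line
# that carries no cbl.abuseat.org URL and therefore must not decode.
LOG_CBL = ("Nov 30 00:05:41 mxgf2 sm-mta-in[52687]: lAU558MF052687: Milter: "
           "from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at "
           "http://cbl.abuseat.org/lookup.cgi?ip=155.69.124.178")
LOG_OTHER = ("Nov 30 00:06:02 mxgf2 sm-mta-in[52690]: lAU562AB052690: Milter: "
             "from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked")


def load_decoder(xml_text):
    """Pull the fields this emulation needs out of a <decoder> element."""
    root = ET.fromstring(xml_text)
    regex = root.find("regex")
    return {
        "name": root.get("name"),
        "parent": root.findtext("parent"),
        "prematch": root.findtext("prematch"),
        "regex": regex.text,
        "regex_offset": regex.get("offset"),
        "order": [f.strip() for f in root.findtext("order").split(",")],
    }


def ossec_regex_to_python(pattern):
    """OSSEC's regex dialect is small. The tokens it shares with Python
    (\\d \\w \\s \\S \\. ^ $ ( ) | + * and '.' for any character) mean the
    same thing in both, so that subset is passed through verbatim; anything
    else (Python-only syntax such as [] {} ?, or OSSEC escapes this helper
    does not cover) is refused rather than silently mistranslated."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in "dwsS.()^$|+*":
                raise ValueError("unsupported OSSEC escape \\%s" % nxt)
            out.append(c + nxt)
            i += 2
            continue
        if c in "[]{}?":
            raise ValueError("%r is not OSSEC regex syntax" % c)
        out.append(c)
        i += 1
    return "".join(out)


def run_child_decoder(decoder, log):
    """Emulate the child decoder: literal prematch anywhere in the line, then
    the regex against the text that follows it.  Returns the decoded fields in
    <order>, or None when the decoder would not match.  (OSSEC's prematch has
    its own simpler match syntax; only the plain-literal case is handled.)"""
    pos = log.find(decoder["prematch"])
    if pos < 0:
        return None
    start = 0
    if decoder["regex_offset"] == "after_prematch":
        start = pos + len(decoder["prematch"])
    m = re.search(ossec_regex_to_python(decoder["regex"]), log[start:])
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


if __name__ == "__main__":
    dec = load_decoder(DECODER_XML)
    for line in (LOG_CBL, LOG_OTHER):
        print(dec["name"], "->", run_child_decoder(dec, line))
```

For the posted line this yields {'srcip': '155.69.124.178'} and None for the constructed line, so the child's prematch and regex are sound in isolation; if ossec-logtest shows no decoder at all for the Milter entry, the parent match is where to look next.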
