I'm a bit confused about correlation and rules/decoders. What I am
trying to do is get an active response to this:
OSSEC HIDS Notification.
2008 Jun 20 10:36:12
Received From: (srv1.somedomain.com) 10.0.0.28->/var/log/messages
Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):
Jun 20 10:36:01 srv1 vshelld(pam_unix)[16593]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= Jun 20 10:35:59 srv1
vshelld[16592]: auth,00206: PAM authentication failure for user
administrator.
Jun 20 10:36:09 srv1.somedomain.com vshelld[16592]: auth,00206: PAM
authentication failure for user administrator.
Jun 20 10:35:57 srv1 vshelld[16587]: auth,00205: PAM authentication
failure for user username.
Jun 20 10:36:06 srv1.somedomain.com vshelld[16587]: auth,00205: PAM
authentication failure for user username.
Jun 20 10:35:54 srv1 vshelld[16586]: auth,00204: PAM authentication
failure for user ftpuser.
Jun 20 10:36:04 srv1.somedomain.com vshelld[16586]: auth,00204: PAM
authentication failure for user ftpuser.
Jun 20 10:36:01 srv1.somedomain.com vshelld[16581]: auth,00203: PAM
authentication failure for user visitor.
Jun 20 10:35:52 srv1 vshelld[16581]: auth,00203: PAM authentication
failure for user visitor.
Jun 20 10:35:59 srv1.somedomain.com vshelld[16572]: auth,00202: PAM
authentication failure for user named.
--END OF NOTIFICATION
With a log for one session from above of
------------------------------------------------------
Jun 20 10:35:57 srv1 vshelld[16592]: conn,00206: Connection accepted
from 82.187.180.163:49850.
Jun 20 10:35:59 srv1 vshelld(pam_unix)[16592]: check pass; user
unknown
Jun 20 10:35:59 srv1 vshelld(pam_unix)[16592]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=
Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: PAM authentication
failure for user administrator.
Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: password for user
administrator rejected.
Jun 20 10:35:59 srv1 vshelld[16592]: conn,00206: The SSH transport was
aborted with a disconnect packet. Detail: A protocol error occurred.
Bye Bye
Jun 20 10:35:59 srv1 vshelld[16592]: conn,00206: Connection closed.
------------------------ End Log
I've been attempting to craft rules and appropriate decoders so that
it catches the Connection attempt, and then the auth failure. Then
with a correlation rule, if this happens multiple times, get active
response to fire a firewall drop. Somewhere, though, I've confused
myself, so I decided to stop and ask questions. Below are the rules/
decoder I've been working on. Am I even close?
<group name="syslog,vshelld">
  <!-- decoded_as must name the decoder exactly; the parent below is "vshelld-syslog" -->
  <rule id="105700" level="0" noalert="1">
    <decoded_as>vshelld-syslog</decoded_as>
    <description>VSHELLD messages grouped.</description>
  </rule>
</group>

<decoder name="vshelld-syslog">
  <program_name>^vshelld</program_name>
</decoder>

<decoder name="vshelld-connection">
  <parent>vshelld-syslog</parent>
  <prematch offset="after_parent">^conn,\d+: </prematch>
  <!-- both fields named in <order> need a capture group, and the last octet
       needs \d+ rather than \d (it would not match "163" in the sample log) -->
  <regex offset="after_prematch">^Connection accepted from (\d+.\d+.\d+.\d+):(\d+).</regex>
  <order>srcip, srcport</order>
  <fts>srcip</fts>
</decoder>

<decoder name="vshelld-auth">
  <parent>vshelld-syslog</parent>
  <prematch offset="after_parent">^auth,\d+: PAM authentication failure for </prematch>
  <!-- the user name must be captured in parentheses to fill <order>user</order>;
       the trailing "." of the log line is matched outside the group -->
  <regex offset="after_prematch">^user (\S+).$</regex>
  <order>user</order>
  <fts>user</fts>
</decoder>
Thanks,
Emil
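A complete decoder/rule/active-response chain for the sample log, added here as an illustration and not taken from the original post or from the OSSEC project's stock rule set. The rule IDs 105701-105704, the frequency and timeframe values, and the file placement (local_decoder.xml, local_rules.xml, ossec.conf) are assumptions chosen for the example. The one point the sample log forces is this: the "PAM authentication failure" lines (and the pam_unix lines that fired stock rule 40111) carry no source IP (rhost= is empty), and OSSEC decodes each line on its own, so it cannot join an auth line to the "Connection accepted" line through the session number. firewall-drop expects a srcip in the event that triggered it, so the frequency rule that drives the drop has to sit on the connection events, which do contain the IP.

```xml
<!-- etc/local_decoder.xml -->
<decoder name="vshelld-syslog">
  <program_name>^vshelld</program_name>
</decoder>

<decoder name="vshelld-connection">
  <parent>vshelld-syslog</parent>
  <prematch offset="after_parent">^conn,\d+: </prematch>
  <!-- "Connection accepted from 82.187.180.163:49850." -> srcip, srcport -->
  <regex offset="after_prematch">^Connection accepted from (\d+.\d+.\d+.\d+):(\d+).</regex>
  <order>srcip, srcport</order>
</decoder>

<decoder name="vshelld-auth">
  <parent>vshelld-syslog</parent>
  <prematch offset="after_parent">^auth,\d+: PAM authentication failure for </prematch>
  <!-- "user administrator." -> user (no source IP exists in this line) -->
  <regex offset="after_prematch">^user (\S+).$</regex>
  <order>user</order>
</decoder>

<!-- rules/local_rules.xml (IDs 105701-105704 are assumed for this example) -->
<group name="syslog,vshelld,">
  <rule id="105700" level="0" noalert="1">
    <decoded_as>vshelld-syslog</decoded_as>
    <description>VSHELLD messages grouped.</description>
  </rule>

  <rule id="105701" level="3">
    <if_sid>105700</if_sid>
    <match>Connection accepted from</match>
    <description>VSHELLD: connection accepted.</description>
  </rule>

  <rule id="105702" level="5">
    <if_sid>105700</if_sid>
    <match>PAM authentication failure for user</match>
    <description>VSHELLD: PAM authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Alert-only correlation: these events have a user but no srcip,
       so nothing here can feed firewall-drop. -->
  <rule id="105703" level="10" frequency="6" timeframe="120">
    <if_matched_sid>105702</if_matched_sid>
    <description>VSHELLD: multiple PAM authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Blocking correlation: built on the events that carry srcip. -->
  <rule id="105704" level="10" frequency="6" timeframe="120">
    <if_matched_sid>105701</if_matched_sid>
    <same_source_ip />
    <description>VSHELLD: repeated connections from the same source IP.</description>
  </rule>
</group>

<!-- etc/ossec.conf: bind firewall-drop to the rule that has a srcip -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>105704</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before restarting OSSEC, paste the lines from the single-session log above into ossec-logtest one at a time: the "Connection accepted" line should show decoder vshelld-connection with srcip and srcport filled in and match rule 105701, and the "PAM authentication failure" line should show decoder vshelld-auth with only the user field and match rule 105702. If the decoder shown is still the parent vshelld-syslog, the child prematch or regex is not matching and the rules will never fire. Rule 105703 is kept so the repeated failures still raise an alert with the user name; only 105704 is wired to the firewall because a drop without a srcip in the event does nothing.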