Hi Emil, Your rules and decoders are correct, but the vshelld logs are not very useful since the authentication failure logs do not have the source ip address. We could correlate using the session id (which I assume is 00206 in your logs), but with the way OSSEC works you would not be able to use the source ip from the first log when the last one matches. Do you mind opening a feature request about it (with some of your logs) on http://www.ossec.net/bugs/ ? I will try to add support for it.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jun 20, 2008 at 1:47 PM, <[EMAIL PROTECTED]> wrote:
>
> I'm a bit confused about correlation and rules/decoders. What I am
> trying to do is get an active response to this:
>
> OSSEC HIDS Notification.
> 2008 Jun 20 10:36:12
>
> Received From: (srv1.somedomain.com) 10.0.0.28->/var/log/messages
> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
> Portion of the log(s):
>
> Jun 20 10:36:01 srv1 vshelld(pam_unix)[16593]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: PAM authentication failure for user administrator.
> Jun 20 10:36:09 srv1.somedomain.com vshelld[16592]: auth,00206: PAM authentication failure for user administrator.
> Jun 20 10:35:57 srv1 vshelld[16587]: auth,00205: PAM authentication failure for user username.
> Jun 20 10:36:06 srv1.somedomain.com vshelld[16587]: auth,00205: PAM authentication failure for user username.
> Jun 20 10:35:54 srv1 vshelld[16586]: auth,00204: PAM authentication failure for user ftpuser.
> Jun 20 10:36:04 srv1.somedomain.com vshelld[16586]: auth,00204: PAM authentication failure for user ftpuser.
> Jun 20 10:36:01 srv1.somedomain.com vshelld[16581]: auth,00203: PAM authentication failure for user visitor.
> Jun 20 10:35:52 srv1 vshelld[16581]: auth,00203: PAM authentication failure for user visitor.
> Jun 20 10:35:59 srv1.somedomain.com vshelld[16572]: auth,00202: PAM authentication failure for user named.
>
>
>
> --END OF NOTIFICATION
>
> With a log for one session from above of
> ------------------------------------------------------
>
> Jun 20 10:35:57 srv1 vshelld[16592]: conn,00206: Connection accepted from 82.187.180.163:49850.
> Jun 20 10:35:59 srv1 vshelld(pam_unix)[16592]: check pass; user unknown
> Jun 20 10:35:59 srv1 vshelld(pam_unix)[16592]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: PAM authentication failure for user administrator.
> Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: password for user administrator rejected.
> Jun 20 10:35:59 srv1 vshelld[16592]: conn,00206: The SSH transport was aborted with a disconnect packet. Detail: A protocol error occurred. Bye Bye
> Jun 20 10:35:59 srv1 vshelld[16592]: conn,00206: Connection closed.
>
> ------------------------ End Log
>
> I've been attempting to craft rules and appropriate decoders so that
> it catches the Connection attempt, and then the auth failure. Then
> with a correlation rule, if this happens multiple times, get active
> response to fire a firewall drop. Somewhere, though, I've confused
> myself, so I decided to stop and ask questions. Below are the rules/
> decoder I've been working on. Am I even close?
>
> <group name="syslog,vshelld">
>   <!-- catch-all parent rule: every vshelld line lands here, silently -->
>   <rule id="105700" level="0" noalert="1">
>     <decoded_as>vshelld</decoded_as>
>     <description>VSHELLD messages grouped.</description>
>   </rule>
> </group>
>
>
> <decoder name="vshelld-syslog">
>   <program_name>^vshelld</program_name>
> </decoder>
>
> <decoder name="vshelld-connection">
>   <parent>vshelld-syslog</parent>
>   <prematch offset="after_parent">^conn,\d\d\d\d\d: </prematch>
>   <!-- one capture group per field named in <order>: the last octet needs \d+ and srcport its own group -->
>   <regex offset="after_prematch">^Connection accepted from (\d+\.\d+\.\d+\.\d+):(\d+)\.</regex>
>   <order>srcip, srcport</order>
>   <fts>srcip</fts>
> </decoder>
>
> <decoder name="vshelld-auth">
>   <parent>vshelld-syslog</parent>
>   <prematch offset="after_parent">^auth,\d+: PAM authentication failure for </prematch>
>   <!-- the user name must be captured for <order>user</order> to receive it -->
>   <regex offset="after_prematch">^user (\S+)\.</regex>
>   <order>user</order>
>   <fts>user</fts>
> </decoder>
>
> Thanks,
> Emil
>
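The session-id correlation Daniel describes above (carrying the source IP from the "conn" line over to the later "auth" failures of the same session, which OSSEC's per-log matching cannot do on its own) is shown here as an added Python example that is not part of this thread or of OSSEC. The sample lines are constructed after Emil's logs; sessions 00207 and 00208, host 10.0.0.5 and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the vshelld lines quoted above. Session 00202 has
# no "conn" line in the window, which is exactly the case where srcip is unknown.
SAMPLE_LOG = """\
Jun 20 10:35:57 srv1 vshelld[16592]: conn,00206: Connection accepted from 82.187.180.163:49850.
Jun 20 10:35:59 srv1 vshelld(pam_unix)[16592]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 20 10:35:59 srv1 vshelld[16592]: auth,00206: PAM authentication failure for user administrator.
Jun 20 10:35:59 srv1 vshelld[16592]: conn,00206: Connection closed.
Jun 20 10:35:59 srv1 vshelld[16572]: auth,00202: PAM authentication failure for user named.
Jun 20 10:36:01 srv1 vshelld[16587]: conn,00207: Connection accepted from 82.187.180.163:49851.
Jun 20 10:36:03 srv1 vshelld[16587]: auth,00207: PAM authentication failure for user visitor.
Jun 20 10:36:10 srv1 vshelld[16599]: conn,00208: Connection accepted from 10.0.0.5:40000.
Jun 20 10:36:12 srv1 vshelld[16599]: auth,00208: PAM authentication failure for user ftpuser.
"""

# Same shapes as the two decoders in the thread: session id, then either srcip:srcport or user.
CONN_RE = re.compile(r"vshelld\[\d+\]: conn,(\d+): Connection accepted from (\d+\.\d+\.\d+\.\d+):(\d+)\.")
AUTH_RE = re.compile(r"vshelld\[\d+\]: auth,(\d+): PAM authentication failure for user (\S+)\.")


def correlate(log_text):
    """Map srcip -> [(session, user), ...] for auth failures, resolving srcip via the session id.

    Failures whose 'conn' line was never seen are filed under None: that is the
    information OSSEC lacks when only the 'auth' line matches rule 40111."""
    session_ip = {}
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            session_ip[m.group(1)] = m.group(2)
            continue
        m = AUTH_RE.search(line)
        if m:
            session, user = m.groups()
            failures[session_ip.get(session)].append((session, user))
    return dict(failures)


def offenders(log_text, threshold=2):
    """Source IPs with at least `threshold` failures, i.e. what a firewall-drop response would key on."""
    return sorted(ip for ip, f in correlate(log_text).items()
                  if ip is not None and len(f) >= threshold)
```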
