On Thu, Jan 21, 2010 at 11:14 AM, Dennis Golden
<[email protected]> wrote:
> I have discovered a serious problem with the subject rules. here is the result
> running ossec-logtest:
>
> --
> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
>       full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>       hostname: 'dg-linux2'
>       program_name: 'sshd'
>       log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>
> **Phase 2: Completed decoding.
>       decoder: 'sshd'
>       srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '5702'
>       Level: '5'
>       Description: 'Reverse lookup error (bad ISP or attack).'
> **Alert to be generated.
>
> Needless to say that if active response tries to use the address that has
> already failed it will also fail; therefore, the attack can continue forever.
>
> Dennis
> --
> Golden Consulting Services, Inc.
>

Ok, this will require a little bit of surgery on the decoder.xml file. I'd rather not have to change it on my setups, but I'm not sure how to get around that here. This means you'll have to do a bit more work when it comes time to upgrade, unless we can get these decoders added to the decoder.xml file.

In $OSSEC_HOME/etc/decoder.xml add the following ABOVE the
<decoder name="ssh-reverse-mapping"> entry:

<!-- Matches the "reverse mapping checking getaddrinfo" event and takes the
     bracketed dotted-quad, not the hostname, as srcip -->
<decoder name="ssh-reverse-mapping2">
  <parent>sshd</parent>
  <prematch>^reverse mapping checking getaddrinfo for \S+ [\d+.\d+.\d+.\d+] failed</prematch>
  <regex offset="after_parent">reverse mapping checking getaddrinfo for \S+ [(\d+.\d+.\d+.\d+)] failed</regex>
  <order>srcip</order>
</decoder>

If anyone else reading this has other variations on the above sample event,
feel free to forward them on to me. I'll try to adjust decoders and submit them
for inclusion.
dan
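The point of the thread is that a decoder which puts the reverse-lookup hostname into srcip gives active response nothing it can block, while the proposed decoder captures the bracketed IP instead. The following is an added illustration, not code from the list, OSSEC, or either poster: it models both behaviours with Python regular expressions (an assumed translation, since OSSEC's own regex dialect treats `[` and `]` literally) against a constructed copy of the event from the report, and adds the check a defender would want before any response acts on srcip, namely that the value actually parses as an IP address.

```python
import ipaddress
import re

# Constructed sample event, mirroring the log quoted in the thread.
SAMPLE_LOG = (
    "reverse mapping checking getaddrinfo for "
    "115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!"
)

# Model of the behaviour shown in the report (assumption: the original
# decoder takes the first non-space token after "for", i.e. the hostname).
HOSTNAME_DECODER = re.compile(
    r"reverse mapping checking getaddrinfo for (\S+) \["
)

# Python equivalent of the proposed ssh-reverse-mapping2 decoder: capture
# the dotted-quad inside the brackets.
IP_DECODER = re.compile(
    r"reverse mapping checking getaddrinfo for \S+ \[(\d+\.\d+\.\d+\.\d+)\] failed"
)


def decode_srcip(log, pattern):
    """Return the srcip a decoder using `pattern` would extract, or None."""
    match = pattern.search(log)
    return match.group(1) if match else None


def usable_for_active_response(srcip):
    """True only if srcip is a literal IPv4/IPv6 address a firewall rule can use.

    A hostname that failed reverse mapping will not resolve, so acting on it
    would silently do nothing; this guard makes that failure visible instead.
    """
    if srcip is None:
        return False
    try:
        ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return True


def evaluate(log):
    """Compare what the two decoders yield for one event."""
    old_srcip = decode_srcip(log, HOSTNAME_DECODER)
    new_srcip = decode_srcip(log, IP_DECODER)
    return {
        "hostname_decoder_srcip": old_srcip,
        "hostname_decoder_blockable": usable_for_active_response(old_srcip),
        "ip_decoder_srcip": new_srcip,
        "ip_decoder_blockable": usable_for_active_response(new_srcip),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the constructed event shows the hostname-based extraction fails the address check while the bracketed-IP extraction passes, which is exactly the gap the proposed decoder closes; the same guard can be applied to any other decoder output before an active-response command is handed a value.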
