Hi Rafael,
It has been fixed already on our development snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100317.tar.gz
The issue was that the decoder was not picking up the source ip address
properly.
This is the result now:
**Phase 1: Completed pre-decoding.
full event: 'Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]'
hostname: 'server'
program_name: 'courierpop3login'
log: 'LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]'
**Phase 2: Completed decoding.
decoder: 'courier'
srcip: '::ffff:18.104.87.110'
**Phase 3: Completed filtering (rules).
Rule id: '3902'
Level: '5'
Description: 'Courier (imap/pop3) authentication failed.'
**Alert to be generated.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
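The three logtest phases above, as an added example that is not OSSEC's own code: a small Python model of the pre-decoder (hostname, program_name, log), a courier decoder that pulls srcip out of the ip=[...] field even when it is an IPv4-mapped IPv6 address, and the rule stage that can only hand a usable address to active response once srcip is present. The sample log line, the user name and the function names are constructed for this example; rule id 3902 and level 5 are the values from the output above.

```python
import re
from ipaddress import ip_address, IPv6Address

# Constructed sample, same shape as the line in the thread (user name made up).
SAMPLE = ("Mar 18 10:08:53 server courierpop3login: "
          "LOGIN FAILED, user@example.com, ip=[::ffff:18.104.87.110]")

# Phase 1: syslog header -> hostname, program_name (optional [pid]), log body.
PREDECODE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$")

# Phase 2: courier body "LOGIN FAILED, <user>, ip=[<addr>]"; the address may be
# plain IPv4, IPv6, or IPv4-mapped IPv6 (::ffff:a.b.c.d), which is what broke
# srcip extraction in the thread.
COURIER_RE = re.compile(r"^LOGIN FAILED, (?P<user>[^,]+), ip=\[(?P<srcip>[^\]]+)\]$")

def predecode(line):
    m = PREDECODE_RE.match(line)
    return m.groupdict() if m else None

def normalize_ip(raw):
    """Address form a firewall-drop active response needs: ::ffff:a.b.c.d -> a.b.c.d."""
    addr = ip_address(raw)
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def decode(line):
    pre = predecode(line)
    if pre is None or pre["program_name"] != "courierpop3login":
        return None
    m = COURIER_RE.match(pre["log"])
    if not m:
        return None
    return {"decoder": "courier", "hostname": pre["hostname"],
            "program_name": pre["program_name"], "user": m["user"],
            "srcip": m["srcip"], "srcip_normalized": normalize_ip(m["srcip"])}

def rule_match(decoded):
    """Phase 3: the courier auth-failure rule; active response is only possible
    when the decoder actually produced a srcip."""
    if not decoded or decoded["decoder"] != "courier":
        return None
    return {"rule_id": "3902", "level": 5,
            "description": "Courier (imap/pop3) authentication failed.",
            "active_response_possible": bool(decoded.get("srcip"))}
```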
On Thu, Mar 18, 2010 at 5:05 PM, rafael.gomes <[email protected]> wrote:
>
> Hi Guys,
>
> I am getting this msg in my OSSEC:
>
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:05:13 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
>
> But it doesn't trigger an active response. Why?
>
> I got this archived mail:
>
> http://www.mail-archive.com/[email protected]/msg01874.html
>
> I know that developers need time to do this, I am not demanding anything,
> but just asking if they intend to develop it soon.
>
> This log is killing me, I am thinking about adding another tool to control
> just it.
>
> I am not able to help with devel, but I can test if you need.
>
> Thanks!
>
> --
> Best regards,
>
> Rafael Brito Gomes
> Security Analyst
> LPIC-1 MCSO
> DISUP/CPD/UFBA
> Tel : +55 71 3283 6100
>
> To unsubscribe from this group, send email to
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
> "REMOVE ME" as the subject.
>