Phil,
If you have any comments or rules to share that would be great. Thank you.
I needed to block the IP of anyone who repeatedly uses the wrong password
to access a Zimbra account. So far, I added audit.log to the logs that get
monitored by ossec and I added a rule to the decoder to extract the IP.
Seems to be working. I have set the timeout to 1 hour. The IPs of anyone who
uses the incorrect password are being blocked via iptables for one hour. It's
not helping the initial account being attacked as that locks itself after 4
attempts but then no other accounts can be attacked after that. Also, this way
the hacker gets an access denied message and may move on to more vulnerable
machines (it appears to me the locked Zimbra account still appears to the
user/hacker to be rejecting incorrect passwords).
Added to ossec.conf on the Zimbra server:
<localfile>
<log_format>syslog</log_format>
<location>/opt/zimbra/log/audit.log</location>
</localfile>
On the OSSEC server I added to the decoder.xml:
<!-- Parent decoder: matches the timestamp and WARN level at the start of every audit.log line -->
<decoder name="zimbra">
<prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d WARN </prematch>
</decoder>
<!-- Child decoders: pull the client address out of the ip= or oip= field into srcip
     (dots escaped so only a dotted-quad address is captured; an unescaped dot matches any character) -->
<decoder name="zimbra-audit">
<parent>zimbra</parent>
<regex offset="after_parent">ip=(\d+\.\d+\.\d+\.\d+);</regex>
<order>srcip</order>
</decoder>
<decoder name="zimbra-audit2">
<parent>zimbra</parent>
<regex offset="after_parent">oip=(\d+\.\d+\.\d+\.\d+);</regex>
<order>srcip</order>
</decoder>
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of --[ UxBoD ]--
Sent: Sunday, May 02, 2010 11:11 AM
To: [email protected]
Subject: Re: [ossec-list] Customized Decoder
Eric,
what are you specifically trying to trap from Zimbra ? I may be able to
share some of my rules if you would like.
--
Thanks, Phil (uxbod - Zimbra moderator)
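The pieces Eric describes above (the decoder pulling the address out of the audit.log line, a failure threshold per source address, and a one-hour block) can be modelled end to end in a few dozen lines. The following is an added example written for this thread, not code from the list, from OSSEC or from Zimbra: it applies the same prematch and ip=/oip= regexes as the posted decoder, then keeps a per-address sliding window the way an OSSEC rule with frequency, timeframe and same_source_ip would, and records a block that expires after the timeout. The log lines are constructed for the example, and the string "invalid password" as the failure marker, the four-in-five-minutes threshold and the 3600 s block are assumptions chosen to match the text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the posted decoder.  Dots are escaped so only a dotted-quad address is
# captured; the negative lookbehind keeps "ip=" from matching the tail of "oip=".
PREMATCH = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) WARN ")
IP_FIELD = re.compile(r"(?<![a-z])ip=(\d+\.\d+\.\d+\.\d+);")
OIP_FIELD = re.compile(r"oip=(\d+\.\d+\.\d+\.\d+);")
FAILURE_MARKER = "invalid password"      # assumed wording of a failed Auth in audit.log

THRESHOLD, TIMEFRAME, BLOCK_SECONDS = 4, 300, 3600   # assumed rule parameters


def decode(line):
    """Return {'ts', 'srcip', 'failed'} for a WARN audit line, else None."""
    m = PREMATCH.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    # ip= is tried before oip=, the same precedence as the two child decoders.
    ipm = IP_FIELD.search(line) or OIP_FIELD.search(line)
    if not ipm:
        return None
    return {"ts": ts, "srcip": ipm.group(1), "failed": FAILURE_MARKER in line}


class BruteForceTracker:
    """Per-source-address sliding window: THRESHOLD failures inside TIMEFRAME
    seconds trigger a block that lasts BLOCK_SECONDS (OSSEC's frequency,
    timeframe and active-response timeout, reproduced in Python)."""

    def __init__(self, threshold=THRESHOLD, timeframe=TIMEFRAME, block_seconds=BLOCK_SECONDS):
        self.threshold, self.timeframe, self.block_seconds = threshold, timeframe, block_seconds
        self.window = defaultdict(deque)   # srcip -> timestamps of recent failures
        self.blocked = {}                  # srcip -> datetime when the block expires

    def observe(self, event):
        """Feed one decoded event; return True when it triggers a new block."""
        if not event["failed"]:
            return False
        ip, ts = event["srcip"], event["ts"]
        if ip in self.blocked and self.blocked[ip] <= ts:
            del self.blocked[ip]           # timeout elapsed: the firewall rule would be removed
        q = self.window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.timeframe:
            q.popleft()                    # forget failures older than the timeframe
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = ts + timedelta(seconds=self.block_seconds)
            q.clear()
            return True
        return False


def run(lines):
    """Decode every line, feed the tracker, and return it with the block decisions."""
    tracker, decisions = BruteForceTracker(), []
    for line in lines:
        ev = decode(line)
        if ev and tracker.observe(ev):
            decisions.append((ev["srcip"], ev["ts"]))
    return tracker, decisions


def audit_line(ts, fields, account, failed, level="WARN"):
    """Build a constructed audit.log line in the shape the decoder expects."""
    err = f" error=authentication failed for [{account}], {FAILURE_MARKER};" if failed else ""
    return (f"{ts} {level}  [btpool0-3://mail/service/soap/AuthRequest] [{fields}] "
            f"security - cmd=Auth; account={account}; protocol=soap;{err}")


# Constructed sample log: four wrong passwords from one address within two minutes,
# one failure reported only through oip=, and an INFO line the prematch must ignore.
SAMPLE_LOG = [
    audit_line("2010-05-02 11:11:11,123", "ip=203.0.113.7;", "alice@example.com", True),
    audit_line("2010-05-02 11:11:40,004", "ip=203.0.113.7;", "alice@example.com", True),
    audit_line("2010-05-02 11:12:05,550", "ip=203.0.113.7;", "alice@example.com", True),
    audit_line("2010-05-02 11:12:59,001", "ip=203.0.113.7;", "alice@example.com", True),
    audit_line("2010-05-02 11:13:30,777", "oip=198.51.100.9;", "bob@example.com", True),
    audit_line("2010-05-02 11:13:31,000", "ip=203.0.113.7;", "alice@example.com", False, "INFO"),
]

if __name__ == "__main__":
    tracker, decisions = run(SAMPLE_LOG)
    for ip, ts in decisions:
        print(f"block {ip} at {ts} until {tracker.blocked[ip]}")
```

Running it blocks 203.0.113.7 on its fourth failure and leaves 198.51.100.9 alone with a single failure. Note that the tracker counts failures per source address, not per account, which is what makes the block useful once the targeted account has already locked itself: further attempts against other accounts from the same address still add up. Because ip= is tried before oip=, the captured address is whichever field Zimbra wrote first; if both fields appear on one line, check which of the two carries the client you want to block before relying on the order of the two child decoders.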