On Mon, Dec 5, 2011 at 8:30 AM, alsdks <[email protected]> wrote:
> Hello Dan,
>
>
> As it turns out, it doesn't work for ssh either. The cdb list lookup
> <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list>
> is not working. Major disappointment!
>
> Any ideas why it is not working ?
>
>
> What I am trying to achieve is, for each successful login (via ssh, rdp,
> etc.), to check the source IP against a list of trusted IPs and, if it is
> not there, create an alert.
>
>
> Thank you !
>
Like I said, this works for me.
===============================================================
This is with OSSEC 2.6:
/var/ossec/etc/ossec.conf:
<rules>
  ...
  <include>dropbear_rules.xml</include>
  <list>lists/test.txt</list> <!-- DANGEROUS IPs -->
  <list>lists/test2.txt</list> <!-- TRUSTED IPs -->
  <include>local_rules.xml</include>
</rules>
/var/ossec/rules/local_rules.xml:
<rule id="100102" level="0">
  <if_sid>18107</if_sid>
  <match>Logon Type: 10</match>
  <description>Remote Interactive Login (Terminal Services) </description>
</rule>
<rule id="100103" level="10">
  <if_sid>100102</if_sid>
  <list field="srcip" lookup="not_address_match_key">lists/test2.txt</list>
  <description>Alert when a user succesfully logs in from an unapproved source IP </description>
</rule>
With an approved IP:
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2011/12/05 16:05:37 ossec-testrule: INFO: Reading local decoder file.
2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists
file: 'lists/test.txt'
2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists
file: 'lists/test2.txt'
2011/12/05 16:05:38 ossec-testrule: INFO: Started (pid: 4831).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
administrator Domain: TESTDOM Logon ID:
(0x0,0x2D656E) Logon Type: 10 Logon Process: User32
Authentication Package: Negotiate Workstation Name:
TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
Caller User Name: TESTSRV$ Caller Domain: TESTDOM
Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
Transited Services: - Source Network Address: 10.10.10.2
Source Port: 49485 '
hostname: 'richese'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
administrator Domain: TESTDOM Logon ID:
(0x0,0x2D656E) Logon Type: 10 Logon Process: User32
Authentication Package: Negotiate Workstation Name:
TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
Caller User Name: TESTSRV$ Caller Domain: TESTDOM
Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
Transited Services: - Source Network Address: 10.10.10.2
Source Port: 49485 '
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '528'
extra_data: 'Security'
dstuser: 'Administrator'
system_name: 'TESTSRV'
srcip: '10.10.10.2'
**Phase 3: Completed filtering (rules).
Rule id: '100102'
Level: '0'
Description: 'Remote Interactive Login (Terminal Services) '
#
With a NON-approved IP:
# cat /tmp/yyy | /var/ossec/bin/ossec-logtest
2011/12/05 16:06:21 ossec-testrule: INFO: Reading local decoder file.
2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists
file: 'lists/test.txt'
2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists
file: 'lists/test2.txt'
2011/12/05 16:06:22 ossec-testrule: INFO: Started (pid: 22812).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
administrator Domain: TESTDOM Logon ID:
(0x0,0x2D656E) Logon Type: 10 Logon Process: User32
Authentication Package: Negotiate Workstation Name:
TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
Caller User Name: TESTSRV$ Caller Domain: TESTDOM
Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
Transited Services: - Source Network Address: 10.10.10.20
Source Port: 49485 '
hostname: 'richese'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
administrator Domain: TESTDOM Logon ID:
(0x0,0x2D656E) Logon Type: 10 Logon Process: User32
Authentication Package: Negotiate Workstation Name:
TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
Caller User Name: TESTSRV$ Caller Domain: TESTDOM
Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
Transited Services: - Source Network Address: 10.10.10.20
Source Port: 49485 '
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '528'
extra_data: 'Security'
dstuser: 'Administrator'
system_name: 'TESTSRV'
srcip: '10.10.10.20'
**Phase 3: Completed filtering (rules).
Rule id: '100103'
Level: '10'
Description: 'Alert when a user succesfully logs in from an
unapproved source IP '
**Alert to be generated.
#
===============================================================
I set up a list lookup for ssh, and it also worked. I didn't even rely
on ossec-logtest this time:
OSSEC HIDS Notification.
2011 Dec 05 16:10:55
Received From: richese->/var/log/authlog
Rule: 100104 fired (level 10) -> "BAD LOGIN!"
Portion of the log(s):
Dec 5 16:10:54 richese sshd[11780]: Accepted publickey for ddp from
192.168.17.9 port 32407 ssh2
--END OF NOTIFICATION
So there must be a typo or something we aren't spotting, because the
options are functional.
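As an added example that is not part of this thread or of OSSEC's own code: a small Python emulation of the decode-then-lookup chain the rules above express (extract srcip from a successful sshd or Windows logon-type-10 event, then alert only when the address is absent from the trusted list). It assumes the trusted list uses OSSEC's key:value text format and that the address lookup tries the full IP first and then successively shorter trailing-dot prefixes, as OSSEC does for netblock keys; the list contents and log lines are constructed.

```python
import re

# Constructed trusted-IP list in OSSEC cdb text format (one key:value per line).
# A key ending in "." is a netblock prefix; a full address matches exactly.
TRUSTED_LIST_TXT = """\
10.10.10.2:jump host
192.168.17.:office network
"""

# Successful sshd login (as in the authlog line from the notification above).
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
# Windows 528 event: rule 100102 matches "Logon Type: 10"; srcip is the
# Source Network Address field.
WIN_LOGON = re.compile(
    r"Logon Type: (\d+).*Source Network Address: (\d+\.\d+\.\d+\.\d+)", re.S)


def parse_list(text):
    """Return the set of keys from a key:value list file (comments ignored)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, _comment = line.partition(":")
        keys.add(key)
    return keys


def address_match_key(ip, keys):
    """Emulated address lookup (assumption): full IP, then 'a.b.c.', 'a.b.', 'a.'."""
    if ip in keys:
        return True
    octets = ip.split(".")
    return any(".".join(octets[:n]) + "." in keys for n in (3, 2, 1))


def decode_srcip(log_line):
    """Return the source IP of a successful remote login, or None if not one."""
    m = SSHD_ACCEPTED.search(log_line)
    if m:
        return m.group(2)
    m = WIN_LOGON.search(log_line)
    if m and m.group(1) == "10":  # only remote interactive (terminal services)
        return m.group(2)
    return None


def should_alert(log_line, keys):
    """not_address_match_key semantics: alert when srcip is NOT in the list."""
    srcip = decode_srcip(log_line)
    return srcip is not None and not address_match_key(srcip, keys)
```

Note that 10.10.10.20 is not matched by the key 10.10.10.2, which is what makes the second logtest run above fire rule 100103.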