Dan,

I can't help you enough for your help ...

I went again through each step and got stuck again at the ossec-config
part. The first time you mentioned it, I must have done something
wrong and it did not work.
I tried these settings in two environments, a VM lab and a live setup,
so I must have mixed up or missed something.

So I went in again and changed the path of my list in ossec.conf,
which seems to make perfect sense according to what you said. Since
lists should take the chroot into account, they must be doing so in any
case... So the full path of my lists (/var/ossec/rules/trusted_ips)
is not recognized as an absolute path, but rather ossec must think it
is under /var/ossec/var/ossec/rules/trusted_ips, and of course this
doesn't work. (A nice debug procedure or message would be nice, though,
to spot this earlier, or at least it should be mentioned clearly in
the documentation somewhere.)

I changed it, ran makelists again, it said the list needs to be
updated, restarted ossec and ran makelists again (just to be safe)
and tested the rules. It works as it should!!!

Again I can't thank you enough, Dan.
This has troubled me so much I lost hours and hours of sleep and got
lost in the xml tags (most probably due to lack of sleep :) )

Thank you very much for your help!

On Dec 5, 11:13 pm, "dan (ddp)" <[email protected]> wrote:
> On Mon, Dec 5, 2011 at 8:30 AM, alsdks <[email protected]> wrote:
> > Hello Dan,
>
> > As it turns out, it doesn't work for ssh too. The cdb list lookup
> > <list field="srcip" lookup="not_address_match_key">rules/
> > trusted_ips</list> is not working. Major disappointment!
>
> > Any ideas why it is not working?
>
> > What I am trying to achieve is for each successful login (via ssh, rdp
> > etc.) to check the source IP against a list of trusted IPs and if it is
> > not there create an alert.
>
> > Thank you !
>
> Like I said, this works for me.
>
> ===============================================================
> This is with OSSEC 2.6:
>
> /var/ossec/etc/ossec.conf:
> <rules>
>  ...
>     <include>dropbear_rules.xml</include>
>     <list>lists/test.txt</list>  <!-- DANGEROUS IPs -->
>     <list>lists/test2.txt</list>  <!-- TRUSTED IPs -->
>     <include>local_rules.xml</include>
>   </rules>
>
> /var/ossec/rules/local_rules.xml:
>
> <rule id="100102" level="0">
>   <if_sid>18107</if_sid>
>   <match>Logon Type: 10</match>
>   <description>Remote Interactive Login (Terminal Services) </description>
> </rule>
>
> <rule id="100103" level="10">
>   <if_sid>100102</if_sid>
>   <list field="srcip" lookup="not_address_match_key">lists/test2.txt</list>
>   <description>Alert when a user succesfully logs in from an</description>
> </rule>
>
> With an approved IP:
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading local decoder file.
> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/test.txt'
> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/test2.txt'
> 2011/12/05 16:05:38 ossec-testrule: INFO: Started (pid: 4831).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> Administrator: OLDDOM: TESTSRV: Successful Logon:      User Name:
> administrator        Domain:         TESTDOM          Logon ID:
> (0x0,0x2D656E)          Logon Type: 10          Logon Process: User32
>          Authentication Package: Negotiate       Workstation Name:
> TESTSRV         Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>  Caller User Name: TESTSRV$        Caller Domain: TESTDOM
> Caller Logon ID: (0x0,0x3E7)            Caller Process ID: 1688
>  Transited Services: -           Source Network Address: 10.10.10.2
>  Source Port: 49485 '
>        hostname: 'richese'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> Administrator: OLDDOM: TESTSRV: Successful Logon:      User Name:
> administrator        Domain:         TESTDOM          Logon ID:
> (0x0,0x2D656E)          Logon Type: 10          Logon Process: User32
>          Authentication Package: Negotiate       Workstation Name:
> TESTSRV         Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>  Caller User Name: TESTSRV$        Caller Domain: TESTDOM
> Caller Logon ID: (0x0,0x3E7)            Caller Process ID: 1688
>  Transited Services: -           Source Network Address: 10.10.10.2
>  Source Port: 49485 '
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '528'
>        extra_data: 'Security'
>        dstuser: 'Administrator'
>        system_name: 'TESTSRV'
>        srcip: '10.10.10.2'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100102'
>        Level: '0'
>        Description: 'Remote Interactive Login (Terminal Services) '
> #
>
> With a NON-approved IP:
> # cat /tmp/yyy | /var/ossec/bin/ossec-logtest
> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading local decoder file.
> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/test.txt'
> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/test2.txt'
> 2011/12/05 16:06:22 ossec-testrule: INFO: Started (pid: 22812).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> Administrator: OLDDOM: TESTSRV: Successful Logon:      User Name:
> administrator        Domain:         TESTDOM          Logon ID:
> (0x0,0x2D656E)          Logon Type: 10          Logon Process: User32
>          Authentication Package: Negotiate       Workstation Name:
> TESTSRV         Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>  Caller User Name: TESTSRV$        Caller Domain: TESTDOM
> Caller Logon ID: (0x0,0x3E7)            Caller Process ID: 1688
>  Transited Services: -           Source Network Address: 10.10.10.20
>   Source Port: 49485 '
>        hostname: 'richese'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> Administrator: OLDDOM: TESTSRV: Successful Logon:      User Name:
> administrator        Domain:         TESTDOM          Logon ID:
> (0x0,0x2D656E)          Logon Type: 10          Logon Process: User32
>          Authentication Package: Negotiate       Workstation Name:
> TESTSRV         Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>  Caller User Name: TESTSRV$        Caller Domain: TESTDOM
> Caller Logon ID: (0x0,0x3E7)            Caller Process ID: 1688
>  Transited Services: -           Source Network Address: 10.10.10.20
>   Source Port: 49485 '
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '528'
>        extra_data: 'Security'
>        dstuser: 'Administrator'
>        system_name: 'TESTSRV'
>        srcip: '10.10.10.20'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100103'
>        Level: '10'
>        Description: 'Alert when a user succesfully logs in from an
> unapproved source IP '
> **Alert to be generated.
>
> #
>
> ===============================================================
>
> I setup a list lookup for ssh, and it also worked. I didn't even rely
> on ossec-logtest this time:
>
> OSSEC HIDS Notification.
> 2011 Dec 05 16:10:55
>
> Received From: richese->/var/log/authlog
> Rule: 100104 fired (level 10) -> "BAD LOGIN!"
> Portion of the log(s):
>
> Dec  5 16:10:54 richese sshd[11780]: Accepted publickey for ddp from
> 192.168.17.9 port 32407 ssh2
>
>  --END OF NOTIFICATION
>
> So there must be a typo or something we aren't spotting, because the
> options are functional.
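Added example, not code from this thread or from the OSSEC project: a small Python checker that resolves the `<list>` entries of an ossec.conf the way the chrooted daemon opens them and flags the doubled-chroot mistake discussed above. It assumes the default /var/ossec chroot and that ossec-makelists writes the compiled list as `<file>.cdb`; the ossec.conf snippet is constructed, modelled on the one quoted in the thread.

```python
# Resolve OSSEC <list> entries as the chrooted daemon sees them and flag
# entries that already contain the chroot prefix (the mistake in this
# thread: /var/ossec/... silently becomes /var/ossec/var/ossec/...).
import os
import re

CHROOT = "/var/ossec"  # default OSSEC install and chroot directory
LIST_RE = re.compile(r"<list>\s*([^<]+?)\s*</list>")


def resolve_list_path(entry, chroot=CHROOT):
    """Return (path the daemon really opens, warning or None).

    Inside the chroot every path, absolute or not, is taken relative to
    the chroot directory, so a leading '/' is effectively dropped.
    """
    effective = os.path.join(chroot, entry.lstrip("/"))
    warning = None
    if entry.startswith(chroot + "/"):
        relative = entry[len(chroot) + 1:]
        warning = (f"entry repeats the chroot; the daemon will open "
                   f"{effective}; write '{relative}' instead")
    return effective, warning


def check_lists(conf_text, chroot=CHROOT, exists=os.path.exists):
    """Inspect every <list> entry in an ossec.conf <rules> block.

    `exists` is injectable so the check runs without a real install.
    Assumption: ossec-makelists writes the compiled list as <file>.cdb.
    """
    findings = []
    for entry in LIST_RE.findall(conf_text):
        path, warning = resolve_list_path(entry, chroot)
        findings.append({"entry": entry, "path": path,
                         "cdb_present": exists(path + ".cdb"),
                         "warning": warning})
    return findings


# Constructed sample: a correct relative entry plus the absolute-path mistake.
SAMPLE_CONF = """<rules>
    <include>local_rules.xml</include>
    <list>lists/test2.txt</list>  <!-- TRUSTED IPs -->
    <list>/var/ossec/rules/trusted_ips</list>  <!-- absolute path: wrong -->
</rules>"""


def demo(present=("/var/ossec/lists/test2.txt.cdb",)):
    """Run the check against the sample with a fake file system."""
    return check_lists(SAMPLE_CONF, exists=lambda p: p in present)


if __name__ == "__main__":
    for f in demo():
        print(f["entry"], "->", f["path"], "cdb:", f["cdb_present"],
              f["warning"] or "ok")
```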
