On Mon, Dec 5, 2011 at 7:37 PM, alsdks <[email protected]> wrote:
> Dan,
>
> I can't thank you enough for your help ...
>
> I went again through each step and got stuck again at the ossec-config
> part. The first time you mentioned it, I must have done something
> wrong and it did not work.
> I try these settings in two environments, a VM lab and a live setup,
> so I must have mixed up or missed something.
>
> So I went again and changed the path of my list in ossec.conf.
> Which seems to make perfect sense according to what you said. Since
> lists should take the chroot into account, they must be doing so in any
> case ... So the full path of my lists (/var/ossec/rules/trusted_ips)
> is not recognized as an absolute path but rather ossec must think it
> is under /var/ossec/var/ossec/rules/trusted_ips and of course this
> doesn't work. (A nice debug procedure or message would be nice, though,
> to spot this earlier, or at least it should be mentioned clearly in
> the documentation somewhere.)
>
> I changed it, ran makelists again, it said the list needs to be
> updated, restarted ossec and ran makelists again (just to be safe)
> and tested the rules. It works as it should!!!
>
> Again I can't thank you enough, Dan.
> This has troubled me so much I lost hours and hours of sleep and got
> lost in the xml tags (most probably due to lack of sleep :) )
>
> Thank you very much for your help!
>
We've all been there. Glad it's working!

> On Dec 5, 11:13 pm, "dan (ddp)" <[email protected]> wrote:
>> On Mon, Dec 5, 2011 at 8:30 AM, alsdks <[email protected]> wrote:
>> > Hello Dan,
>>
>> > As it turns out, it doesn't work for ssh either. The cdb list lookup
>> > <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list>
>> > is not working. Major disappointment!
>>
>> > Any ideas why it is not working?
>>
>> > What I am trying to achieve is for each successful login (via ssh, rdp
>> > etc.) to check the source IP against a list of trusted IPs and if it is
>> > not there create an alert.
>>
>> > Thank you!
>>
>> Like I said, this works for me.
>>
>> ===============================================================
>> This is with OSSEC 2.6:
>>
>> /var/ossec/etc/ossec.conf:
>> <rules>
>> ...
>>   <include>dropbear_rules.xml</include>
>>   <list>lists/test.txt</list> <!-- DANGEROUS IPs -->
>>   <list>lists/test2.txt</list> <!-- TRUSTED IPs -->
>>   <include>local_rules.xml</include>
>> </rules>
>>
>> /var/ossec/rules/local_rules.xml:
>>
>> <rule id="100102" level="0">
>>   <if_sid>18107</if_sid>
>>   <match>Logon Type: 10</match>
>>   <description>Remote Interactive Login (Terminal Services) </description>
>> </rule>
>>
>> <rule id="100103" level="10">
>>   <if_sid>100102</if_sid>
>>   <list field="srcip" lookup="not_address_match_key">lists/test2.txt</list>
>>   <description>Alert when a user successfully logs in from an unapproved source IP </description>
>> </rule>
>>
>> With an approved IP:
>> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
>> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading local decoder file.
>> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists file: 'lists/test.txt'
>> 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists file: 'lists/test2.txt'
>> 2011/12/05 16:05:38 ossec-testrule: INFO: Started (pid: 4831).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>> Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
>> administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E)
>> Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate
>> Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>> Caller User Name: TESTSRV$ Caller Domain: TESTDOM
>> Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
>> Transited Services: - Source Network Address: 10.10.10.2
>> Source Port: 49485 '
>>        hostname: 'richese'
>>        program_name: '(null)'
>>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>> Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
>> administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E)
>> Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate
>> Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>> Caller User Name: TESTSRV$ Caller Domain: TESTDOM
>> Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
>> Transited Services: - Source Network Address: 10.10.10.2
>> Source Port: 49485 '
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '528'
>>        extra_data: 'Security'
>>        dstuser: 'Administrator'
>>        system_name: 'TESTSRV'
>>        srcip: '10.10.10.2'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100102'
>>        Level: '0'
>>        Description: 'Remote Interactive Login (Terminal Services) '
>> #
>>
>> With a NON-approved IP:
>> # cat /tmp/yyy | /var/ossec/bin/ossec-logtest
>> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading local decoder file.
>> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists file: 'lists/test.txt'
>> 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists file: 'lists/test2.txt'
>> 2011/12/05 16:06:22 ossec-testrule: INFO: Started (pid: 22812).
>> ossec-testrule: Type one log per line.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>> Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
>> administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E)
>> Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate
>> Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>> Caller User Name: TESTSRV$ Caller Domain: TESTDOM
>> Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
>> Transited Services: - Source Network Address: 10.10.10.20
>> Source Port: 49485 '
>>        hostname: 'richese'
>>        program_name: '(null)'
>>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
>> Administrator: OLDDOM: TESTSRV: Successful Logon: User Name:
>> administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E)
>> Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate
>> Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09}
>> Caller User Name: TESTSRV$ Caller Domain: TESTDOM
>> Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688
>> Transited Services: - Source Network Address: 10.10.10.20
>> Source Port: 49485 '
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '528'
>>        extra_data: 'Security'
>>        dstuser: 'Administrator'
>>        system_name: 'TESTSRV'
>>        srcip: '10.10.10.20'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100103'
>>        Level: '10'
>>        Description: 'Alert when a user successfully logs in from an unapproved source IP '
>> **Alert to be generated.
>>
>> #
>>
>> ===============================================================
>>
>> I set up a list lookup for ssh, and it also worked. I didn't even rely
>> on ossec-logtest this time:
>>
>> OSSEC HIDS Notification.
>> 2011 Dec 05 16:10:55
>>
>> Received From: richese->/var/log/authlog
>> Rule: 100104 fired (level 10) -> "BAD LOGIN!"
>> Portion of the log(s):
>>
>> Dec 5 16:10:54 richese sshd[11780]: Accepted publickey for ddp from
>> 192.168.17.9 port 32407 ssh2
>>
>> --END OF NOTIFICATION
>>
>> So there must be a typo or something we aren't spotting, because the
>> options are functional.
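An added example, not code from this thread and not OSSEC's own code, that models the two things the exchange above turns on: the `<list>` path is resolved inside the /var/ossec chroot (so a leading /var/ossec ends up doubled on the host, which is what alsdks hit), and `not_address_match_key` fires on a successful login whose source IP has no key in the trusted list. The dict stands in for the .cdb file that ossec-makelists builds, the prefix-walk order in `address_match_key` (exact IP, then "10.10.10.", "10.10.", "10.") is my assumption about how OSSEC matches subnet keys, and the two regexes are a minimal stand-in for the windows and sshd decoders. All log lines except the sshd line from Dan's notification are constructed for the example.

```python
"""Model of an OSSEC CDB-list lookup for trusted source IPs (added example)."""
import re

OSSEC_CHROOT = "/var/ossec"  # ossec-analysisd runs chrooted here

# Constructed stand-in for the TRUSTED IPs list (lists/test2.txt in the
# thread).  OSSEC lists are "key:value" per line and are compiled to a .cdb
# by ossec-makelists; a plain dict replaces the compiled cdb here.
TRUSTED_LIST_TEXT = """\
# key:value -- a bare prefix ending in '.' covers a whole /24, /16 or /8
10.10.10.2:admin workstation
192.168.17.:office LAN
"""


def parse_list(text):
    """Parse "key:value" lines (comments and blanks skipped) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


TRUSTED = parse_list(TRUSTED_LIST_TEXT)


def host_path(list_path, chroot=OSSEC_CHROOT):
    """Where a <list> path from ossec.conf really lands on the host.

    Inside the chroot every path is taken relative to /var/ossec, so a
    leading slash does NOT escape it: "/var/ossec/rules/x" becomes
    "/var/ossec/var/ossec/rules/x", exactly the doubled path alsdks saw.
    """
    return chroot.rstrip("/") + "/" + list_path.lstrip("/")


def address_match_key(entries, ip):
    """Return the matching key or None.

    Assumed address_match_key semantics: look up the exact IP first, then
    successively shorter dotted prefixes ("10.10.10.", "10.10.", "10.").
    Note that this is a key lookup, not a substring search: 10.10.10.20 does
    not match a 10.10.10.2 entry.
    """
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:i]) + "." for i in range(len(parts) - 1, 0, -1)]
    for key in candidates:
        if key in entries:
            return key
    return None


# Minimal decoders (assumption: real OSSEC decoders are more involved).
WIN_SRC = re.compile(r"Source Network Address:\s*(\d+\.\d+\.\d+\.\d+)")
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def decode_srcip(log):
    """srcip from a Logon Type 10 Windows event or an sshd 'Accepted' line."""
    if "Logon Type: 10" in log:
        m = WIN_SRC.search(log)
        return m.group(1) if m else None
    m = SSH_ACCEPT.search(log)
    return m.group(2) if m else None


def evaluate(log, entries=TRUSTED):
    """Rule 100103-style check: level 10 when srcip is not in the list,
    level 0 (the parent rule) when it is, None for an unrelated log."""
    srcip = decode_srcip(log)
    if srcip is None:
        return None
    matched = address_match_key(entries, srcip)
    if matched is None:
        return {"rule": 100103, "level": 10, "srcip": srcip, "matched_key": None}
    return {"rule": 100102, "level": 0, "srcip": srcip, "matched_key": matched}


# Constructed sample events (condensed from the shape of the thread's logs).
SAMPLE_WIN_OK = ("WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: "
                 "OLDDOM: TESTSRV: Successful Logon: User Name: administrator "
                 "Logon Type: 10 Source Network Address: 10.10.10.2 Source Port: 49485")
SAMPLE_WIN_BAD = SAMPLE_WIN_OK.replace("10.10.10.2 ", "10.10.10.20 ")
SAMPLE_SSH = ("Dec  5 16:10:54 richese sshd[11780]: Accepted publickey for ddp "
              "from 192.168.17.9 port 32407 ssh2")

if __name__ == "__main__":
    for p in ("rules/trusted_ips", "/var/ossec/rules/trusted_ips"):
        print(f"<list>{p}</list> opens {host_path(p)}")
    for log in (SAMPLE_WIN_OK, SAMPLE_WIN_BAD, SAMPLE_SSH):
        print(evaluate(log))
```

Running it shows the relative path opening /var/ossec/rules/trusted_ips while the absolute one opens /var/ossec/var/ossec/rules/trusted_ips, and the 10.10.10.20 login raising level 10 while 10.10.10.2 and the 192.168.17.9 sshd login stay at level 0.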
