I can't thank you (not help ...lol obviously I need to go to sleep hehehehehe)
On Dec 6, 2:37 am, alsdks <[email protected]> wrote:
> Dan,
>
> I can't help you enough for your help ...
>
> I went again through each step and stuck again at the ossec-config part. The first time you mentioned it, I must have done something wrong and it did not work. I tried these settings in two environments, a vm-lab and a live setup, so I must have mixed or missed something.
>
> So I went again and changed the path of my list in ossec.conf, which seems to make perfect sense according to what you said. Since lists should take the chroot into account, they must be doing so in any case ... So the full path of my lists (/var/ossec/rules/trusted_ips) is not recognized as an absolute path; rather ossec must think it is under /var/ossec/var/ossec/rules/trusted_ips, and of course this doesn't work. (A nice debug procedure or message would be nice though, to spot this out earlier, or at least it should be mentioned clearly in the documentation somewhere.)
>
> I changed it, ran makelists again, it said the list needs to be updated, restarted ossec and did makelists again (just to be safe) and tested the rules. It works as it should !!!
>
> Again I can't thank you enough Dan,
> This has troubled me so much I lost hours and hours of sleep and got lost in the xml tags (most probably due to lack of sleep :) )
>
> Thank you very much for your help!
>
> On Dec 5, 11:13 pm, "dan (ddp)" <[email protected]> wrote:
> > On Mon, Dec 5, 2011 at 8:30 AM, alsdks <[email protected]> wrote:
> > > Hello Dan,
> > >
> > > As it turns out, it doesn't work for ssh too. The cdb list lookup <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list> is not working. Major disappointment !
> > >
> > > Any ideas why it is not working ?
> > >
> > > What I am trying to achieve is for each successful login (via ssh, rdp etc) to check the source IP against a list of trusted IP's and if it is not there create an alert.
> > >
> > > Thank you !
> >
> > Like I said, this works for me.
> >
> > ===============================================================
> > This is with OSSEC 2.6:
> >
> > /var/ossec/etc/ossec.conf:
> > <rules>
> > ...
> > <include>dropbear_rules.xml</include>
> > <list>lists/test.txt</list> <!-- DANGEROUS IPs -->
> > <list>lists/test2.txt</list> <!-- TRUSTED IPs -->
> > <include>local_rules.xml</include>
> > </rules>
> >
> > /var/ossec/rules/local_rules.xml:
> >
> > <rule id="100102" level="0">
> > <if_sid>18107</if_sid>
> > <match>Logon Type: 10</match>
> > <description>Remote Interactive Login (Terminal Services) </description>
> > </rule>
> >
> > <rule id="100103" level="10">
> > <if_sid>100102</if_sid>
> > <list field="srcip" lookup="not_address_match_key">lists/test2.txt</list>
> > <description>Alert when a user succesfully logs in from an unapproved source IP </description>
> > </rule>
> >
> > With an approved IP:
> > # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> > 2011/12/05 16:05:37 ossec-testrule: INFO: Reading local decoder file.
> > 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists file: 'lists/test.txt'
> > 2011/12/05 16:05:37 ossec-testrule: INFO: Reading loading the lists file: 'lists/test2.txt'
> > 2011/12/05 16:05:38 ossec-testrule: INFO: Started (pid: 4831).
> > ossec-testrule: Type one log per line.
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.2 Source Port: 49485 '
> > hostname: 'richese'
> > program_name: '(null)'
> > log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.2 Source Port: 49485 '
> >
> > **Phase 2: Completed decoding.
> > decoder: 'windows'
> > status: 'AUDIT_SUCCESS'
> > id: '528'
> > extra_data: 'Security'
> > dstuser: 'Administrator'
> > system_name: 'TESTSRV'
> > srcip: '10.10.10.2'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '100102'
> > Level: '0'
> > Description: 'Remote Interactive Login (Terminal Services) '
> > #
> >
> > With a NON-approved IP:
> > # cat /tmp/yyy | /var/ossec/bin/ossec-logtest
> > 2011/12/05 16:06:21 ossec-testrule: INFO: Reading local decoder file.
> > 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists file: 'lists/test.txt'
> > 2011/12/05 16:06:21 ossec-testrule: INFO: Reading loading the lists file: 'lists/test2.txt'
> > 2011/12/05 16:06:22 ossec-testrule: INFO: Started (pid: 22812).
> > ossec-testrule: Type one log per line.
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.20 Source Port: 49485 '
> > hostname: 'richese'
> > program_name: '(null)'
> > log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.20 Source Port: 49485 '
> >
> > **Phase 2: Completed decoding.
> > decoder: 'windows'
> > status: 'AUDIT_SUCCESS'
> > id: '528'
> > extra_data: 'Security'
> > dstuser: 'Administrator'
> > system_name: 'TESTSRV'
> > srcip: '10.10.10.20'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '100103'
> > Level: '10'
> > Description: 'Alert when a user succesfully logs in from an unapproved source IP '
> > **Alert to be generated.
> >
> > #
> >
> > ===============================================================
> >
> > I set up a list lookup for ssh, and it also worked. I didn't even rely on ossec-logtest this time:
> >
> > OSSEC HIDS Notification.
> > 2011 Dec 05 16:10:55
> >
> > Received From: richese->/var/log/authlog
> > Rule: 100104 fired (level 10) -> "BAD LOGIN!"
> > Portion of the log(s):
> >
> > Dec 5 16:10:54 richese sshd[11780]: Accepted publickey for ddp from 192.168.17.9 port 32407 ssh2
> >
> > --END OF NOTIFICATION
> >
> > So there must be a typo or something we aren't spotting, because the options are functional.
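The two points this thread settles, that a <list> path in ossec.conf is opened inside the /var/ossec chroot (so an absolute host path gets doubled), and that rule 100103 fires when the decoded srcip is absent from the trusted list, modelled in Python. This is an added example, not OSSEC's code and not posted by anyone in the thread. The function names (resolve_list_path, parse_list, address_match_key, evaluate, decoded_event) are hypothetical, the list contents and decoded events are constructed from the values quoted above, the <if_sid>18107</if_sid> parent is approximated by requiring an AUDIT_SUCCESS windows event, and the dotted-prefix matching in address_match_key is an assumption about OSSEC's lookup, not something the thread states.

```python
"""Model of the OSSEC behaviour discussed in the thread (added example, not OSSEC code).

Two things the thread turns on:
  1. <list> values in ossec.conf are opened after the daemon chroots to
     /var/ossec, so an "absolute" host path gets the chroot prepended.
  2. lookup="not_address_match_key" fires when the decoded srcip is NOT a
     key in the CDB list built by ossec-makelists.
"""
from ipaddress import ip_address

OSSEC_CHROOT = "/var/ossec"


def resolve_list_path(list_path, chroot=OSSEC_CHROOT):
    """Host path OSSEC ends up opening for a <list> value.

    Everything is resolved inside the chroot, so "rules/trusted_ips" becomes
    /var/ossec/rules/trusted_ips, while "/var/ossec/rules/trusted_ips" becomes
    the doubled /var/ossec/var/ossec/rules/trusted_ips described in the thread.
    """
    return chroot.rstrip("/") + "/" + list_path.lstrip("/")


def parse_list(text):
    """Parse the key:value text that ossec-makelists compiles into a .cdb.

    Blank lines are skipped; skipping '#' comments is this model's choice,
    not a documented OSSEC feature.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table


def address_match_key(table, srcip):
    """Model of lookup="address_match_key": exact key match on the IP.

    Assumption (not stated in the thread): dotted prefixes such as
    "192.168.17." are also accepted as keys, so each shorter prefix is tried.
    """
    ip = str(ip_address(srcip))  # raises on a malformed address
    if ip in table:
        return True
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        if ".".join(octets[:n]) + "." in table:
            return True
    return False


def evaluate(decoded, trusted):
    """Walk the two local rules from the thread over one decoded event.

    Returns (rule id, level, description) or None when neither rule applies.
    """
    # approximation of <if_sid>18107</if_sid>: a successful windows audit event
    if decoded.get("decoder") != "windows" or decoded.get("status") != "AUDIT_SUCCESS":
        return None
    if "Logon Type: 10" not in decoded["log"]:  # rule 100102 <match>
        return None
    if not address_match_key(trusted, decoded["srcip"]):  # rule 100103 <list>
        return ("100103", 10, "Alert when a user successfully logs in from an unapproved source IP")
    return ("100102", 0, "Remote Interactive Login (Terminal Services)")


# Constructed sample list (the text ossec-makelists would compile to a .cdb).
TRUSTED_IPS_TXT = """
10.10.10.2:admin workstation
192.168.17.:lab network
"""
TRUSTED = parse_list(TRUSTED_IPS_TXT)


def decoded_event(srcip):
    """Constructed decoded fields, shaped like the ossec-logtest Phase 2 output."""
    return {
        "decoder": "windows",
        "status": "AUDIT_SUCCESS",
        "id": "528",
        "dstuser": "Administrator",
        "log": "WinEvtLog: Security: AUDIT_SUCCESS(528): ... Logon Type: 10 "
               "... Source Network Address: %s Source Port: 49485" % srcip,
        "srcip": srcip,
    }


if __name__ == "__main__":
    for p in ("rules/trusted_ips", "/var/ossec/rules/trusted_ips"):
        print(p, "->", resolve_list_path(p))
    for ip in ("10.10.10.2", "10.10.10.20", "192.168.17.9"):
        print(ip, evaluate(decoded_event(ip), TRUSTED))
```

Running it prints the doubled chroot path for the absolute form, rule 100102 (level 0) for 10.10.10.2, and rule 100103 (level 10) for 10.10.10.20, matching the two ossec-logtest runs quoted above; 192.168.17.9 is accepted only because of the assumed prefix key.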
