I spent some time the last few days working on why my OSSEC
installation (v2.6) did not seem to be running active response for all
the FTP authentication hammering that was going on. The issue ended up
being that Microsoft changed the FTP logging around a little with IIS
7.5 and the existing decoder for MSFTP will not work. My solution
might not be the absolute best way to handle this but I thought I'd
share what I did in case someone else needs it. You'll notice I'm
editing the "local_" versions of these files and that's because I read
that it makes life easier when you update OSSEC.

1. Open the "/var/ossec/etc/local_decoder.xml" file (you may need to
create it).
2. Add the following decoder and save the file:

<decoder name="msftp7">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <!-- The parent decoder has already consumed the leading "date time ".
       Only take lines whose site name starts with FTPSVC (IIS 7.5 FTP). -->
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
  <!-- Client IP, client port, user name, then four fields (site name,
       computer name, a dash and the server IP in the sample line below). -->
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
  <!-- Continues where the previous regex stopped: server port, FTP
       command, its argument, and the FTP status code (530 = login failed). -->
  <regex>\d+ (\S+) \S+ (\d+) </regex>
  <order>srcip,user,action,id</order>
</decoder>

3. Open the "/var/ossec/rules/local_rules.xml" file
4. Add the following group/rules (if you already have custom rules,
make sure the IDs don't collide with these!):

<group name="msftp7,syslog,">
  <!-- Parent rule: every line the msftp7 decoder handles lands here. -->
  <rule id="100004" level="0">
    <decoded_as>msftp7</decoded_as>
    <description>Grouping for the Microsoft ftp 7 rules.</description>
  </rule>

  <!-- A PASS command answered with FTP status 530 is a failed login. -->
  <rule id="100005" level="5">
    <if_sid>100004</if_sid>
    <action>PASS</action>
    <id>530</id>
    <description>FTP Authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Six failed logins within 120 seconds. As written this counts
       failures from any client address; add <same_source_ip /> to count
       per attacker. Level 10 is above the default active-response
       threshold (level 6) in ossec.conf. -->
  <rule id="100006" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100005</if_matched_sid>
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
</group>

5. Test that your rules are working by running
"/var/ossec/bin/ossec-logtest". Once it is running, paste in the
following line and press Enter:

2012-04-04 09:00:18 192.168.10.100 4966 - FTPSVC2 SRV-1 - 192.168.83.163 21 PASS *** 530 0 0 35 13 109 6decfbb1-b038-4191-956a-c5adb81314ab - -

(You should see output naming the decoder and the rules that matched,
along with the values extracted into each field.)
6. Restart your OSSEC server by running
"/var/ossec/bin/ossec-control restart"
7. Back on your Windows server, open IIS 7.5
8. Click on the server node
9. Scroll down in the main pane to the "FTP" section
10. Open "FTP Logging"
11. Click on "Select W3C Fields"
12. Enable *all* the logging options and click "Ok"
13. Set the "Log File Rollover" to "Schedule > Daily" and check the
"Use local time" box
14. Click "Apply" on the right side.

As long as you already have your OSSEC agent set up on this server and
it's scanning your FTP log files, you should be all set!
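The following is an added example, not code from the post above and not OSSEC code. It replays the msftp7 decoder and rules 100005/100006 in Python over a handful of IIS 7.5 FTP log lines so the matching can be checked without an OSSEC install. The patterns are Python translations of the decoder's regexes (OSSEC's dialect differs: a plain `.` is a literal dot and `\.` means any character), the function names `decode`, `failed_login` and `correlate` are my own, and every log line except the post's own test line is constructed. Two caveats it makes visible: OSSEC skips the `#` header lines IIS writes because the prematch fails on them, and rule 100006 as posted counts failures from every client in one window; the `same_source_ip` flag models adding `<same_source_ip />` to the rule. OSSEC's exact frequency bookkeeping is simplified here to "N matches inside a sliding window".

```python
"""Offline replay of the msftp7 decoder and rules 100005/100006.

Added example: neither the post's code nor OSSEC's. It mimics the decoder's
field extraction and the frequency/timeframe correlation in Python.
"""
import re
from collections import deque
from datetime import datetime

# windows-date-format parent ("date time "), then the post's two regexes,
# translated to Python regex syntax.
PREMATCH = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+\.\d+\.\d+\.\d+ \d+ \S+ FTPSVC")
DECODER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "                # date time (parent)
    r"(\d+\.\d+\.\d+\.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ "   # srcip, c-port, user, 4 fields
    r"\d+ (\S+) \S+ (\d+) ")                             # s-port, action, argument, id

# Constructed sample log. The first event line is the post's own test line;
# the rest are made up. IIS starts W3C logs with '#' comment lines.
SESSION = "11111111-2222-3333-4444-555555555555"   # made-up x-session id


def _line(ts, ip, cmd, arg, status):
    """Build one constructed IIS 7.5 FTP log line in the post's layout."""
    return (f"{ts} {ip} 4966 - FTPSVC2 SRV-1 - 192.168.83.163 21 "
            f"{cmd} {arg} {status} 0 0 35 13 109 {SESSION} - -")


SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 7.5",
    "#Version: 1.0",
    "2012-04-04 09:00:18 192.168.10.100 4966 - FTPSVC2 SRV-1 - 192.168.83.163 21 "
    "PASS *** 530 0 0 35 13 109 6decfbb1-b038-4191-956a-c5adb81314ab - -",
    # same client hammering PASS: five more failures inside 120 s
    _line("2012-04-04 09:00:25", "192.168.10.100", "PASS", "***", 530),
    _line("2012-04-04 09:00:41", "192.168.10.100", "PASS", "***", 530),
    _line("2012-04-04 09:00:52", "192.168.10.100", "PASS", "***", 530),
    _line("2012-04-04 09:01:07", "192.168.10.100", "PASS", "***", 530),
    _line("2012-04-04 09:01:30", "192.168.10.100", "PASS", "***", 530),
    # decoded, but not failures: a USER command and a successful PASS
    _line("2012-04-04 09:01:35", "192.168.10.100", "USER", "anonymous", 331),
    _line("2012-04-04 09:01:40", "192.168.10.100", "PASS", "***", 230),
    # two clients failing three times each inside 50 s
    _line("2012-04-04 09:10:00", "10.0.0.7", "PASS", "***", 530),
    _line("2012-04-04 09:10:10", "10.0.0.8", "PASS", "***", 530),
    _line("2012-04-04 09:10:20", "10.0.0.7", "PASS", "***", 530),
    _line("2012-04-04 09:10:30", "10.0.0.8", "PASS", "***", 530),
    _line("2012-04-04 09:10:40", "10.0.0.7", "PASS", "***", 530),
    _line("2012-04-04 09:10:50", "10.0.0.8", "PASS", "***", 530),
])


def decode(line):
    """Mimic the msftp7 decoder: return the extracted fields, or None."""
    if not PREMATCH.match(line):
        return None
    m = DECODER.match(line)
    if not m:
        return None
    return {"timestamp": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "srcip": m.group(2), "user": m.group(3),
            "action": m.group(4), "id": m.group(5)}


def failed_login(event):
    """Rule 100005: a PASS command answered with FTP status 530."""
    return event["action"] == "PASS" and event["id"] == "530"


def correlate(lines, frequency=6, timeframe=120, same_source_ip=False):
    """Run decoder and rules over log lines.

    Returns (rule_id, srcip, 'YYYY-MM-DD HH:MM:SS') tuples in order. With
    same_source_ip=False one window is shared by all clients, as rule 100006
    behaves as posted; True models adding <same_source_ip /> to it.
    """
    alerts, windows = [], {}
    for line in lines:
        ev = decode(line)
        if ev is None or not failed_login(ev):
            continue
        ts = ev["timestamp"]
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S")
        alerts.append((100005, ev["srcip"], stamp))
        win = windows.setdefault(ev["srcip"] if same_source_ip else "*", deque())
        win.append(ts)
        while (ts - win[0]).total_seconds() > timeframe:   # drop stale entries
            win.popleft()
        if len(win) >= frequency:
            alerts.append((100006, ev["srcip"], stamp))
            win.clear()   # simplification: start a fresh count after firing
    return alerts


if __name__ == "__main__":
    for mode in (False, True):
        hits = [a for a in correlate(SAMPLE_LOG.splitlines(), same_source_ip=mode)
                if a[0] == 100006]
        print(f"same_source_ip={mode}: brute-force alerts -> {hits}")
```

Run as a script it prints the 100006 alerts in both modes: the shared window fires twice (the second time on the two clients that only failed three times each), the per-client window only once. The authoritative check is still ossec-logtest, which runs OSSEC's own regex engine against the real decoder file.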
