I need help understanding why the frequency rule in proftpd_rules.xml isn't
triggering. I ran the following log line through ossec-logtest more than 15
times, and yet active response isn't triggered:
Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)
OSSEC SERVER RULE:
  <!-- <rule id="11204" level="5"> -->
  <rule id="11204" level="8">
    <if_sid>11200</if_sid>
    <match>Incorrect password.$|Login failed|Login incorrect</match>
    <description>Login failed accessing the FTP server</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="11251" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11204</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
    <location>local</location>
    <!-- increased from 6 on 20120725 -->
    <level>8</level>
    <timeout>600</timeout>
  </active-response>
**Phase 1: Completed pre-decoding.
full event: 'Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)'
hostname: '184.5.70.39'
program_name: 'proftpd'
log: 'INFO: Login incorrect. PASS (hidden)'
**Phase 2: Completed decoding.
decoder: 'proftpd'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - (null)
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
*Rule 11200 matched.
*Trying child rules.
Trying rule: 11202 - FTP session closed.
Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
Trying rule: 11218 - FTP process crashed.
Trying rule: 11219 - FTP server Buffer overflow attempt.
Trying rule: 11210 - Multiple failed login attempts.
Trying rule: 11204 - Login failed accessing the FTP server
*Rule 11204 matched.
*Trying child rules.
Trying rule: 11251 - FTP brute force (multiple failed logins).
Trying rule: 40111 - Multiple authentication failures.
**Phase 3: Completed filtering (rules).
Rule id: '11204'
Level: '8'
Description: 'Login failed accessing the FTP server'
**Alert to be generated.
--
Gil Vidals
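To make visible what a frequency rule with <same_source_ip /> needs before it can fire, here is an added Python model of the correlation (not OSSEC's own code, and a simplification of what analysisd does) that replays rule 11204 hits into a single rule instance. It assumes the decoder yields no srcip for the posted line, whose message body carries no address, and it uses a constructed timestamp series and a constructed TEST-NET address.

```python
# Simplified model of an OSSEC composite rule; an added illustration, not OSSEC's own code.
from collections import deque
from datetime import datetime, timedelta

IF_MATCHED_SID, FREQUENCY, TIMEFRAME = 11204, 6, 120  # from rule 11251 in the post (seconds)


class CompositeRule:
    """Tracks recent parent-rule (11204) hits and decides when 11251 fires."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME,
                 same_source_ip=True):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.same_source_ip = same_source_ip
        self.history = deque()  # (timestamp, srcip) of prior parent hits

    def feed(self, event):
        """Return True when 11251 would fire on this event (dict: sid, time, optional srcip)."""
        if event["sid"] != IF_MATCHED_SID:
            return False
        now, srcip = event["time"], event.get("srcip")
        # Drop parent hits that fell outside the timeframe window.
        while self.history and now - self.history[0][0] > self.timeframe:
            self.history.popleft()
        self.history.append((now, srcip))
        if not self.same_source_ip:
            return len(self.history) >= self.frequency
        # <same_source_ip /> compares decoded srcip fields; an event whose
        # decoder produced no srcip (assumed here for the posted line) cannot match.
        if srcip is None:
            return False
        count = sum(1 for _, ip in self.history if ip == srcip)
        return count >= self.frequency


def replay(lines_have_srcip, n=15, gap_seconds=5, same_source_ip=True):
    """Feed n consecutive 11204 hits, gap_seconds apart, into ONE rule instance
    (state only accumulates within a single process); return 1-based fire positions."""
    rule = CompositeRule(same_source_ip=same_source_ip)
    t0 = datetime(2012, 8, 10, 23, 22, 54)  # timestamp of the posted line
    fired = []
    for i in range(n):
        ev = {"sid": IF_MATCHED_SID, "time": t0 + timedelta(seconds=i * gap_seconds)}
        if lines_have_srcip:
            ev["srcip"] = "192.0.2.10"  # constructed address (TEST-NET-1)
        if rule.feed(ev):
            fired.append(i + 1)
    return fired
```

With srcip present, 15 hits 5 seconds apart fire from the sixth onward; the same 15 hits with no srcip never fire, and 8 hits 60 seconds apart never reach 6 inside the 120 second window.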