On Sat, Aug 11, 2012 at 3:22 AM, Gil Vidals <[email protected]> wrote:
> I need help in understanding why the frequency rule in proftpd_rules.xml isn't
> triggering. I ran the following log line through ossec-logtest more than 15
> times and yet active response isn't triggered:
>
> Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)
>
> OSSEC SERVER RULE:
> <!-- <rule id="11204" level="5"> -->
> <rule id="11204" level="8">
>   <if_sid>11200</if_sid>
>   <match>Incorrect password.$|Login failed|Login incorrect</match>
>   <description>Login failed accessing the FTP server</description>
>   <group>authentication_failed,</group>
> </rule>
>
> <rule id="11251" level="10" frequency="6" timeframe="120">
>   <if_matched_sid>11204</if_matched_sid>
>   <same_source_ip />
>   <description>FTP brute force (multiple failed logins).</description>
>   <group>authentication_failures,</group>
> </rule>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <!-- local means on the server that had the event; e.g., lan.web.truepath.com -->
>   <location>local</location>
>   <!-- increased from 6 on 20120725 -->
>   <level>8</level>
>   <timeout>600</timeout>
> </active-response>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)'
>        hostname: '184.5.70.39'
>        program_name: 'proftpd'
>        log: 'INFO: Login incorrect. PASS (hidden)'
>
> **Phase 2: Completed decoding.
>        decoder: 'proftpd'
>

Your active response probably <expect>s a srcip.

> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 2830 - Crontab rule group.
>     Trying rule: 5300 - Initial grouping for su messages.
>     Trying rule: 5400 - Initial group for sudo messages
>     Trying rule: 9100 - PPTPD messages grouped
>     Trying rule: 9200 - Squid syslog messages grouped
>     Trying rule: 2900 - Dpkg (Debian Package) log.
>     Trying rule: 2930 - Yum logs.
>     Trying rule: 2931 - Yum logs.
>     Trying rule: 7200 - Grouping of the arpwatch rules.
>     Trying rule: 7300 - Grouping of Symantec AV rules.
>     Trying rule: 7400 - Grouping of Symantec Web Security rules.
>     Trying rule: 4300 - Grouping of PIX rules
>     Trying rule: 12100 - Grouping of the named rules
>     Trying rule: 13100 - Grouping for the smbd rules.
>     Trying rule: 13106 - (null)
>     Trying rule: 11400 - Grouping for the vsftpd rules.
>     Trying rule: 11300 - Grouping for the pure-ftpd rules.
>     Trying rule: 11200 - Grouping for the proftpd rules.
>        *Rule 11200 matched.
>        *Trying child rules.
>     Trying rule: 11202 - FTP session closed.
>     Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
>     Trying rule: 11209 - Attempt to bypass firewall that can't adequately keep state of FTP traffic.
>     Trying rule: 11218 - FTP process crashed.
>     Trying rule: 11219 - FTP server Buffer overflow attempt.
>     Trying rule: 11210 - Multiple failed login attempts.
>     Trying rule: 11204 - Login failed accessing the FTP server
>        *Rule 11204 matched.
>        *Trying child rules.
>     Trying rule: 11251 - FTP brute force (multiple failed logins).
>     Trying rule: 40111 - Multiple authentication failures.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '11204'
>        Level: '8'
>        Description: 'Login failed accessing the FTP server'
> **Alert to be generated.
>
>
>
> --
> Gil Vidals
>
> CONFIDENTIALITY NOTICE: The information contained in this transmission may
> contain privileged and confidential information. It is intended only for
> the use of the person(s) named above. If you are not the intended
> recipient, please contact the sender by reply email and permanently delete
> the original message.
>
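The following is an added illustration, not code from the thread or from OSSEC itself: a toy re-implementation of the rule evaluation being debugged above. Two things in the quoted logtest output decide the outcome. The decoder phase printed only `decoder: 'proftpd'` with no fields, so the event carries no `srcip`; rule 11251 groups on `<same_source_ip />`, and the `firewall-drop` command is defined with `<expect>srcip</expect>`, so neither can act on an event without one. Separately, every `ossec-logtest` process starts with empty state, so running one line through fifteen separate invocations never accumulates a count; the lines must be fed to a single run. The rule ids, regexes, thresholds and active-response level below are the ones quoted in the post; the sample log lines are constructed, and the `from <ip>` decoder is a hypothetical custom decoder, not OSSEC's stock proftpd decoder.

```python
"""Toy model of ossec-analysisd's handling of the quoted proftpd rules.
Added example; rule numbers and thresholds come from the list post, the
log lines and the srcip decoder below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Phase 1: syslog header.  The poster's line has no ':' after
# "proftpd[15897]", so the separator after the pid is optional here.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[\d+\])?:? ?(?P<log>.*)$"
)
# Phase 2: HYPOTHETICAL child decoder pulling the client address out of the
# message body.  Logtest showed the stock proftpd decoder extracting nothing
# from the poster's line, so without something like this srcip stays empty.
SRCIP_RE = re.compile(r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")

# Rule 11204 <match> as quoted (the alternatives translate 1:1 to Python re).
RULE_11204 = re.compile(r"Incorrect password\.$|Login failed|Login incorrect")
# Rule 11251 as quoted: frequency="6" timeframe="120" with <same_source_ip />.
FREQUENCY, TIMEFRAME = 6, 120
AR_LEVEL = 8  # <level>8</level> in the quoted <active-response> block


def decode(line, year=2012):
    """Return the pre-decoded event plus a decoded srcip (or None)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S").timestamp()
    ip = SRCIP_RE.search(ev["log"])
    ev["srcip"] = ip.group("srcip") if ip else None
    return ev


class Analyzer:
    """Holds the per-srcip history analysisd keeps in memory.  A fresh
    Analyzer per run is what separate ossec-logtest invocations give you."""

    def __init__(self):
        self.history = defaultdict(deque)

    def evaluate(self, line):
        ev = decode(line)
        if ev is None or ev["program"] != "proftpd" or not RULE_11204.search(ev["log"]):
            return None
        alert = {"rule": 11204, "level": 8, "srcip": ev["srcip"]}
        # <same_source_ip /> groups earlier 11204 events by decoded srcip; with
        # no srcip there is nothing to group on, so 11251 can never fire.
        if ev["srcip"] is not None:
            q = self.history[ev["srcip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > TIMEFRAME:
                q.popleft()
            # Toy semantics: fire on the FREQUENCY-th match inside TIMEFRAME.
            # OSSEC's rule-syntax reference documents its own counter as
            # needing two more matches than the frequency value.
            if len(q) >= FREQUENCY:
                alert = {"rule": 11251, "level": 10, "srcip": ev["srcip"]}
        return alert


def active_response_fires(alert):
    """firewall-drop is bound to level >= 8, but the command <expect>s srcip,
    so an alert without a decoded srcip is skipped whatever its level."""
    return alert is not None and alert["level"] >= AR_LEVEL and alert["srcip"] is not None


# Constructed samples: the first mirrors the poster's line (no client address
# in the message); the second carries an address the hypothetical decoder sees.
POSTED_LINE = "Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)"
WITH_SRCIP = "Aug 10 23:22:{:02d} 184.5.70.39 proftpd[15897] Login incorrect from 203.0.113.7 (hidden)"


def replay(lines):
    """Feed all lines to ONE analyzer, as a single ossec-logtest run would."""
    analyzer = Analyzer()
    return [analyzer.evaluate(line) for line in lines]


def demo():
    no_ip = replay([POSTED_LINE] * 15)
    with_ip = replay([WITH_SRCIP.format(sec) for sec in range(10, 25)])
    return {
        "no_ip_rules": [a["rule"] for a in no_ip],
        "no_ip_ar": any(active_response_fires(a) for a in no_ip),
        "with_ip_first_11251": next(i for i, a in enumerate(with_ip) if a["rule"] == 11251),
        "with_ip_ar": active_response_fires(with_ip[5]),
        # Side effect of raising 11204 to level 8 and the AR level to 8: once
        # srcip is decoded, a single failed login is enough to block the host.
        "single_failure_ar": active_response_fires(with_ip[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The `single_failure_ar` result is the caveat worth checking before fixing the decoder: the quoted configuration raised both rule 11204 and the active-response threshold to level 8, so as soon as `srcip` is populated, one wrong password will drop the client for 600 seconds, with no need for 11251 at all. Keep 11204 below the response level, or bind the response to 11251 with `<rules_id>`, and verify by piping all the failure lines into a single `ossec-logtest` run.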
