Dan,

You were right. The source ip field wasn't being decoded properly for my
version of proftpd, so I updated the decoder.xml as follows:

<decoder name="proftpd-ip">
  <parent>proftpd</parent>
  <!-- <regex>^\S+ \(\S+[(\S+)]\)</regex> -->
  <regex>\(\S+[(\S+)]\)</regex>
  <order>srcip</order>
</decoder>

Now all is good and the srcip is set.

Aug 18 11:22:55 207.158.10.18 proftpd[12112]: (24.249.207.4[24.249.207.4]) INFO: Login incorrect.


**Phase 1: Completed pre-decoding.
       full event: 'Aug 18 11:22:55 207.158.10.18 proftpd[12112]:
(24.249.207.4[24.249.207.4]) INFO: Login incorrect.'
       hostname: '207.158.10.18'
       program_name: 'proftpd'
       log: '(24.249.207.4[24.249.207.4]) INFO: Login incorrect.'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '24.249.207.4' <============= THIS WAS MISSING BEFORE.

Gil Vidals / VM Racks
On Wed, Aug 15, 2012 at 6:27 AM, dan (ddp) <[email protected]> wrote:

> On Sat, Aug 11, 2012 at 3:22 AM, Gil Vidals <[email protected]> wrote:
> > I need help in understanding why the frequency rule in proftpd_rules.xml isn't
> > triggering. I ran the following log line through ossec-logtest more than 15
> > times and yet active response isn't triggered:
> >
> > Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS
> > (hidden)
> >
> > OSSEC SERVER RULE:
> > <!--  <rule id="11204" level="5">       -->
> >   <rule id="11204" level="8">
> >     <if_sid>11200</if_sid>
> >     <match>Incorrect password.$|Login failed|Login incorrect</match>
> >     <description>Login failed accessing the FTP server</description>
> >     <group>authentication_failed,</group>
> >   </rule>
> >
> >   <rule id="11251" level="10" frequency="6" timeframe="120">
> >     <if_matched_sid>11204</if_matched_sid>
> >     <same_source_ip />
> >     <description>FTP brute force (multiple failed logins).</description>
> >     <group>authentication_failures,</group>
> >   </rule>
> >
> > <active-response>
> >     <disabled>no</disabled>
> >     <command>firewall-drop</command>
> >     <!-- local means on the server that had the event; e.g.,
> > lan.web.truepath.com -->
> >     <location>local</location>
> >     <!-- increased from 6 on 20120725 -->
> >     <level>8</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Aug 10 23:22:54 184.5.70.39 proftpd[15897] INFO: Login
> > incorrect. PASS (hidden)'
> >        hostname: '184.5.70.39'
> >        program_name: 'proftpd'
> >        log: 'INFO: Login incorrect. PASS (hidden)'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'proftpd'
> >
>
> Your active response probably <expect>s a srcip.
>
> > **Rule debugging:
> >     Trying rule: 1 - Generic template for all syslog rules.
> >        *Rule 1 matched.
> >        *Trying child rules.
> >     Trying rule: 5500 - Grouping of the pam_unix rules.
> >     Trying rule: 5700 - SSHD messages grouped.
> >     Trying rule: 5600 - Grouping for the telnetd rules
> >     Trying rule: 2100 - NFS rules grouped.
> >     Trying rule: 2507 - OpenLDAP group.
> >     Trying rule: 2550 - rshd messages grouped.
> >     Trying rule: 2701 - Ignoring procmail messages.
> >     Trying rule: 2800 - Pre-match rule for smartd.
> >     Trying rule: 5100 - Pre-match rule for kernel messages
> >     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> >     Trying rule: 2830 - Crontab rule group.
> >     Trying rule: 5300 - Initial grouping for su messages.
> >     Trying rule: 5400 - Initial group for sudo messages
> >     Trying rule: 9100 - PPTPD messages grouped
> >     Trying rule: 9200 - Squid syslog messages grouped
> >     Trying rule: 2900 - Dpkg (Debian Package) log.
> >     Trying rule: 2930 - Yum logs.
> >     Trying rule: 2931 - Yum logs.
> >     Trying rule: 7200 - Grouping of the arpwatch rules.
> >     Trying rule: 7300 - Grouping of Symantec AV rules.
> >     Trying rule: 7400 - Grouping of Symantec Web Security rules.
> >     Trying rule: 4300 - Grouping of PIX rules
> >     Trying rule: 12100 - Grouping of the named rules
> >     Trying rule: 13100 - Grouping for the smbd rules.
> >     Trying rule: 13106 - (null)
> >     Trying rule: 11400 - Grouping for the vsftpd rules.
> >     Trying rule: 11300 - Grouping for the pure-ftpd rules.
> >     Trying rule: 11200 - Grouping for the proftpd rules.
> >        *Rule 11200 matched.
> >        *Trying child rules.
> >     Trying rule: 11202 - FTP session closed.
> >     Trying rule: 11221 - IPv6 error and mod-delay info (ignored).
> >     Trying rule: 11209 - Attempt to bypass firewall that can't adequately
> > keep state of FTP traffic.
> >     Trying rule: 11218 - FTP process crashed.
> >     Trying rule: 11219 - FTP server Buffer overflow attempt.
> >     Trying rule: 11210 - Multiple failed login attempts.
> >     Trying rule: 11204 - Login failed accessing the FTP server
> >        *Rule 11204 matched.
> >        *Trying child rules.
> >     Trying rule: 11251 - FTP brute force (multiple failed logins).
> >     Trying rule: 40111 - Multiple authentication failures.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '11204'
> >        Level: '8'
> >        Description: 'Login failed accessing the FTP server'
> > **Alert to be generated.
> >
> >
> >
> > --
> > Gil Vidals
> >
> > CONFIDENTIALITY NOTICE: The information contained in this transmission may
> > contain privileged and confidential information.  It is intended only for
> > the use of the person(s) named above.  If you are not the intended
> > recipient, please contact the sender by reply email and permanently delete
> > the original message.
> >
>



-- 
Gil Vidals


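To make the cause of the original symptom concrete, here is an added example (not OSSEC's code and not from the thread) that models the three stages discussed above in Python: the syslog pre-decoding, the proftpd-ip decoder regex `\(\S+[(\S+)]\)` rendered as a Python regex, and a frequency/timeframe correlator keyed by source IP like rule 11251, followed by an active-response check that refuses to act without a srcip. The Python regexes, the sample log lines (constructed from the two formats quoted in the thread) and the simplified counter are assumptions; in particular it fires on exactly the Nth hit inside the window and does not reproduce OSSEC's own counter arithmetic. Running it shows that the old log format never yields a srcip, so neither the brute-force rule nor firewall-drop can ever act on it, and it also shows a side effect of the quoted configuration: with rule 11204 raised to level 8 and the active response also set to level 8, a single failed login now triggers firewall-drop once srcip is decoded, not only the brute-force rule.

```python
"""Toy model of the decode -> rules -> active-response path (added example, not OSSEC's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

# Phase 1 pre-decoding: syslog header -> timestamp / hostname / program_name / log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:? (?P<log>.*)$"
)

# The proftpd-ip decoder regex from the thread, \(\S+[(\S+)]\), as a Python regex:
# in OSSEC syntax \( \) are literal parentheses, [ ] are literal brackets and
# (\S+) is the capture that <order>srcip</order> stores.
PROFTPD_IP_RE = re.compile(r"\(\S+\[(\S+)\]\)")

# Rule 11204's <match>: OSSEC's simple match treats '.' literally, so it is escaped here.
RULE_11204_RE = re.compile(r"Incorrect password\.$|Login failed|Login incorrect")


def decode(line: str) -> Optional[dict]:
    """Phase 1 + Phase 2: decoded fields, with srcip None when the proftpd-ip
    decoder finds nothing to capture (the original log format in the thread)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(re.sub(" +", " ", m["ts"]), "%b %d %H:%M:%S")
    ip = PROFTPD_IP_RE.search(m["log"])
    return {
        "ts": ts,
        "hostname": m["host"],
        "program_name": m["prog"],
        "log": m["log"],
        "srcip": ip.group(1) if ip else None,
    }


class BruteForceDetector:
    """Model of rule 11251: frequency hits of rule 11204 within timeframe seconds,
    grouped by srcip (<same_source_ip />). Simplified counter, see the lead-in."""

    def __init__(self, frequency: int = 6, timeframe: int = 120):
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent 11204 matches

    def observe(self, event: dict) -> Optional[dict]:
        if not RULE_11204_RE.search(event["log"]):
            return None  # rule 11204 did not match, nothing to correlate
        alert = {"rule": 11204, "level": 8, "srcip": event["srcip"]}
        srcip = event["srcip"]
        if srcip is None:
            return alert  # no srcip decoded: same_source_ip can never group these
        window = self.hits[srcip]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()  # drop hits older than the timeframe
        if len(window) >= self.frequency:
            window.clear()
            return {"rule": 11251, "level": 10, "srcip": srcip}
        return alert


def plan_active_response(alert: dict, ar_level: int = 8, timeout: int = 600) -> Optional[str]:
    """Model of the <active-response> block: firewall-drop runs for alerts at or
    above <level>, but only when the alert carries the srcip the command expects."""
    if alert["level"] < ar_level or not alert.get("srcip"):
        return None
    return f"firewall-drop {alert['srcip']} timeout={timeout}"


def run(lines, ar_level: int = 8):
    """Feed lines through decode -> rules -> active response; returns (alert, response) pairs."""
    detector = BruteForceDetector()
    results = []
    for line in lines:
        event = decode(line)
        if event is None:
            continue
        alert = detector.observe(event)
        if alert is not None:
            results.append((alert, plan_active_response(alert, ar_level)))
    return results


def sample_lines(with_ip: bool, count: int = 7):
    """Constructed sample input modelled on the two log formats quoted in the
    thread: one failed login every 15 seconds from the same client."""
    lines = []
    for i in range(count):
        ts = f"Aug 18 11:{22 + (i * 15) // 60:02d}:{(i * 15) % 60:02d}"
        if with_ip:  # format handled by the updated proftpd-ip decoder
            lines.append(f"{ts} 207.158.10.18 proftpd[12112]: "
                         "(24.249.207.4[24.249.207.4]) INFO: Login incorrect.")
        else:  # original format, no client address anywhere in the message
            lines.append(f"{ts} 184.5.70.39 proftpd[15897] INFO: Login incorrect. PASS (hidden)")
    return lines


if __name__ == "__main__":
    for with_ip in (True, False):
        print("with srcip:" if with_ip else "without srcip:")
        for alert, response in run(sample_lines(with_ip)):
            print("  ", alert, "->", response)
```

Raising `ar_level` to 10 in `run()` restricts the response to the brute-force alert alone, which is the behaviour most people expect from this pair of rules.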