On Wed, Aug 22, 2012 at 9:29 AM, dkoleary <[email protected]> wrote:
> Hey;
>
> While not a direct answer, I think I have the direction in which you want to
> go. I've been reading the online manual (http://www.ossec.net/doc/) which
> has a section on cdb list lookups from within rules
> (http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html). Cdb is
> 'constant database'; effectively a standalone perl hash, if you're familiar
> with perl.
>
> So, in English, what you want is a rule that will block IPs that are
> attempting access to the dovecot port with a user that is not in the list of
> valid users. That is an excellent idea. If you get the entire process
> worked out, let me know as I would like to do the same exact thing.
> Unfortunately, no time to work on it at the moment.
>
> My understanding (which is probably inaccurate in some places):
>
> * ossec.conf needs a line in the rules section similar to:
>
>     <list>rules/users</list>
>
> * You make a text file called rules/users formatted as:
>     ${valid_user1}: 1
>     ${valid_user2}: 1
>     ${valid_user3}: 1
>     ...
>
> * You then run ossec-makelists
>
> * Assuming all that works, you then create a rule with a line that looks
> something like:
>
>     <list field="program_name" lookup="not_match_key">rules/users</list>
>
> then use the active response if that rule triggers...
>
> There's a *bunch* in there that needs work. I'm very new to ossec myself
> but that seems like it'd be the right way to go. And, if not, someone more
> experienced will pipe up, call me all sorts of names, and tell us both the
> right way to do it :)
>
> Hope that helps.
>
> Doug O'Leary
That's where I would have gone with it. In fact, I have a "banned_user.cdb" in one of my setups.
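The four steps sketched in the quoted message, put together as an added worked configuration (this is not code from either poster nor from the OSSEC project's shipped rules). It assumes OSSEC's default layout under /var/ossec, that the dovecot decoder fills the decoded `user` field (so the lookup is on `field="user"`; `program_name` would look up the daemon name "dovecot" rather than the login name), that rule 9700 is the dovecot grouping rule shipped with OSSEC, and that local rule id 100100 and the list name rules/users are free to use on your install. The user names in the list are constructed:

```xml
<!-- Added example, not from the thread. Paths are relative to /var/ossec.

     1. Declare the list in ossec.conf (rules section). ossec-makelists
        compiles the plain file rules/users into rules/users.cdb. -->
<ossec_config>
  <rules>
    <list>rules/users</list>
  </rules>

  <!-- 3. Block the source IP when the rule below fires.
          firewall-drop is one of the commands OSSEC ships in ossec.conf;
          timeout is in seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- 2. rules/users is plain text, one "key:value" per line; match_key and
        not_match_key only look at the key, and keys are case sensitive.
        Constructed contents:

          alice:1
          bob:1
          mailadmin:1

        then compile it (/var/ossec/bin/ossec-makelists) and restart OSSEC
        so ossec-analysisd loads the new rule and list.

     4. rules/local_rules.xml: alert, and so trigger the active response,
        when a dovecot event carries a user that is NOT a key in the list.
        Ids 100000-109999 are reserved for local rules; 9700 is assumed to
        be the dovecot grouping rule (program_name dovecot) shipped with
        OSSEC; "user" assumes the dovecot decoder populates that field. -->
<group name="local,dovecot,">
  <rule id="100100" level="10">
    <if_sid>9700</if_sid>
    <list field="user" lookup="not_match_key">rules/users</list>
    <description>Dovecot login attempt with a user not in rules/users</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

Two things to check before trusting it: run a few real dovecot lines through /var/ossec/bin/ossec-logtest to confirm that the decoder actually extracts `user` (an event with no decoded user field can never match the lookup, so it is silently skipped rather than blocked), and make sure the keys in rules/users match the exact form dovecot logs (for example user@domain versus a bare user name), since the cdb lookup is a literal, case-sensitive key match with no normalisation.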
