On Mon, Mar 11, 2013 at 2:52 PM, S Pratap Singh <[email protected]> wrote:
> I am running Pure-FTPD. Sample log is as below:
>
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in
> Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv
>
> The above log is getting logged in the syslog file.
>
> Another file which is storing the transfer log is "/var/log/pure-ftpd/transfer.log"
>
> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
> example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
> I need to get an alert for all download/upload/delete over FTP for any connection along with a login alert too.
>
How is this decoded?

Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com

# /var/ossec/bin/ossec-logtest
2013/03/11 15:03:55 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:03:55 ossec-testrule: INFO: Started (pid: 5374).
ossec-testrule: Type one log per line.

Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com


**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [INFO] New connection from example.com'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       dstuser: '?'
       srcip: 'example.com'

**Phase 3: Completed filtering (rules).
       Rule id: '11301'
       Level: '3'
       Description: 'New FTP connection.'
**Alert to be generated.

The user we get is "?", and the rule that fires is 11301 "New FTP connection." I don't see anything special about the log message, so this seems correct. If you need e-mail alerts, you may have to bump the level from 3 to whatever the minimum you have set is (default: 7).

Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in


**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [INFO] user1 is now logged in'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       srcip: 'example.com'
       dstuser: 'user1'

**Phase 3: Completed filtering (rules).
       Rule id: '11300'
       Level: '0'
       Description: 'Grouping for the pure-ftpd rules.'

This one doesn't have a real alert associated with it, so let's create one.
Add this rule to /var/ossec/rules/local_rules.xml:

<rule id="300001" level="7"> <!-- Set it to trigger alerts at default levels; I would set this lower by default -->
  <if_sid>11300</if_sid> <!-- This is the catch-all pure-ftpd grouping rule -->
  <match> is now logged in$</match> <!-- The last bit of the log message -->
  <description>User successfully logged in.</description>
</rule>

Run ossec-logtest again:

# /var/ossec/bin/ossec-logtest
2013/03/11 15:09:11 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:09:11 ossec-testrule: INFO: Started (pid: 31416).
ossec-testrule: Type one log per line.

Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in


**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [INFO] user1 is now logged in'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       srcip: 'example.com'
       dstuser: 'user1'

**Phase 3: Completed filtering (rules).
       Rule id: '300001'
       Level: '7'
       Description: 'User successfully logged in.'
**Alert to be generated.

We now have an alert for this log message. Next:

Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv


**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       dstuser: 'user1'
       srcip: 'example.com'

**Phase 3: Completed filtering (rules).
       Rule id: '11304'
       Level: '0'
       Description: 'FTP notice messages'

This isn't good enough. Time to add another rule!
<rule id="300002" level="7">
  <if_sid>11304</if_sid>
  <match> Deleted </match>
  <description>Content deleted.</description>
</rule>

There is some possibility of false positives with the above (if the word Deleted appears in the content's name), but it seems good enough for now. Re-run ossec-logtest:

# /var/ossec/bin/ossec-logtest
2013/03/11 15:11:00 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:11:00 ossec-testrule: INFO: Started (pid: 24053).
ossec-testrule: Type one log per line.

Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv


**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       dstuser: 'user1'
       srcip: 'example.com'

**Phase 3: Completed filtering (rules).
       Rule id: '300002'
       Level: '7'
       Description: 'Content deleted.'
**Alert to be generated.

Looking good! On to the transfer.log. These log entries look horrible; this probably won't be fun.

example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220

# /var/ossec/bin/ossec-logtest
2013/03/11 15:12:36 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:12:36 ossec-testrule: INFO: Started (pid: 9921).
ossec-testrule: Type one log per line.

example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220


**Phase 1: Completed pre-decoding.
       full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'

**Phase 2: Completed decoding.
       No decoder matched.

No decoder...
Time to make one! Try adding this to /var/ossec/etc/local_decoder.xml:

<decoder name="pure-transfer">
  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
</decoder>

Re-run ossec-logtest:

# /var/ossec/bin/ossec-logtest
2013/03/11 15:16:10 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:16:10 ossec-testrule: INFO: Started (pid: 24178).
ossec-testrule: Type one log per line.

example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220


**Phase 1: Completed pre-decoding.
       full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'

**Phase 2: Completed decoding.
       decoder: 'pure-transfer'

Sweet, that works! But we want some other info. So change the decoder to:

<decoder name="pure-transfer">
  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
  <order>extra_data,dstuser,action,url,status</order>
</decoder>

Now we get:

**Phase 1: Completed pre-decoding.
       full event: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
       hostname: 'arrakis'
       program_name: '(null)'
       log: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '

**Phase 2: Completed decoding.
       No decoder matched.

example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220


**Phase 1: Completed pre-decoding.
       full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'

**Phase 2: Completed decoding.
       decoder: 'pure-transfer'
       extra_data: 'example.com'
       dstuser: 'user1'
       action: 'GET'
       url: '/ftpdrive/user1/FinalBackup.zip"'
       status: '200'

This gives us plenty to work with in the decoder. Add a rule to local_rules.xml:

<rule id="300003" level="7">
  <decoded_as>pure-transfer</decoded_as>
  <action>PUT</action>
  <description>File added to the ftpd.</description>
</rule>

And the results:

# /var/ossec/bin/ossec-logtest
2013/03/11 15:23:37 ossec-testrule: INFO: Reading local decoder file.
2013/03/11 15:23:38 ossec-testrule: INFO: Started (pid: 31151).
ossec-testrule: Type one log per line.

example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220


**Phase 1: Completed pre-decoding.
       full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'

**Phase 2: Completed decoding.
       decoder: 'pure-transfer'
       extra_data: 'example.com'
       dstuser: 'user1'
       action: 'PUT'
       url: '/ftpdrive/user1/FinalBackup.zip"'
       status: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '300003'
       Level: '7'
       Description: 'File added to the ftpd.'
**Alert to be generated.

Adding something similar for GETs should be super easy. If you have issues, let us know.

>
> On Mon, Mar 11, 2013 at 7:37 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Mar 11, 2013 at 3:38 AM, Pratap <[email protected]> wrote:
>> > Hi,
>> >
>> > I am trying to enable FTP log monitoring but my FTP logs are getting stored
>> > in syslog.log file and another file for transfer log for FTP. I need to get
>> > alert for any FTP user login/logout and file upload so that I can monitor my
>> > FTP server actively and keep an eye on it for any activity.
>> >
>> > Any help would be helpful.
>> >
>> > Thanks,
>> >
>>
>> What ftp daemon are you using? Is OSSEC monitoring the logfiles that
>> it uses to log activity? Can you provide log samples?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
>>
>
>
> --
> Regards,
> Pratap Singh
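As an added example (not code from the thread or from OSSEC), the decoder and rule logic worked through above re-implemented in Python so the field extraction and rule matching can be checked offline. The sample lines are constructed from the thread's logs (the user@host part is rebuilt from the decoded dstuser/srcip fields), the regexes are Python translations of the OSSEC patterns, and rule id 300004 for GETs is an assumed value.

```python
import re

# Constructed sample lines modelled on the thread's pure-ftpd syslog and transfer.log
# entries; the user@host part is rebuilt from the dstuser/srcip fields ossec-logtest showed.
SYSLOG_LINES = [
    "Mar 11 14:16:50 localhost pure-ftpd: (?@example.com) [INFO] New connection from example.com",
    "Mar 11 14:16:50 localhost pure-ftpd: (user1@example.com) [INFO] user1 is now logged in",
    "Mar 11 14:16:56 localhost pure-ftpd: (user1@example.com) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv",
]
TRANSFER_LINES = [
    'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220',
    'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220',
]

# Python translations of the OSSEC patterns (OSSEC's regex dialect is not PCRE).
SYSLOG_RE = re.compile(r"pure-ftpd: \((?P<dstuser>[^@]*)@(?P<srcip>[^)]*)\) \[(?P<sev>\w+)\] (?P<msg>.*)$")
# Same fields as the thread's pure-transfer decoder, but url stops at the closing quote.
TRANSFER_RE = re.compile(r'^(?P<extra_data>\S+) - (?P<dstuser>\S+) \[[^\]]+\] "(?P<action>\S+) (?P<url>[^"]+)" (?P<status>\d+) \d+$')

def decode(line):
    # Returns the decoded fields plus the decoder name, or None when nothing matches.
    m = TRANSFER_RE.match(line)
    if m:
        return dict(m.groupdict(), decoder="pure-transfer")
    m = SYSLOG_RE.search(line)
    if m:
        return dict(m.groupdict(), decoder="pure-ftpd")
    return None

# (rule id, description, predicate) mirroring the thread's rules 300001-300003.
# 300004 is an assumed id for the GET rule the reply leaves to the reader. The delete
# check anchors on the message start, avoiding the file-name false positive noted there.
RULES = [
    (300001, "User successfully logged in.", lambda f: f["decoder"] == "pure-ftpd" and f["msg"].endswith(" is now logged in")),
    (300002, "Content deleted.", lambda f: f["decoder"] == "pure-ftpd" and f["sev"] == "NOTICE" and f["msg"].startswith("Deleted ")),
    (300003, "File added to the ftpd.", lambda f: f["decoder"] == "pure-transfer" and f["action"] == "PUT"),
    (300004, "File downloaded from the ftpd.", lambda f: f["decoder"] == "pure-transfer" and f["action"] == "GET"),
]

def alerts(lines):
    # Returns (rule id, dstuser, description) per line; the first matching rule wins.
    out = []
    for line in lines:
        fields = decode(line)
        for rule_id, desc, pred in RULES:
            if fields and pred(fields):
                out.append((rule_id, fields["dstuser"], desc))
                break
    return out
```

The "New connection" line decodes (dstuser '?') but matches none of these rules, just as it only reached the level-3 rule in the thread.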
