Hi all, I'm having an issue with a brute force password attempt not being blocked and I'm not sure why, there are two rules as far as I can tell in the asterisk_rules.xml file, the latter should trigger when the former hits a certain number of failed attempts.
The 6210 rule is being hit and is being logged in the alerts.log file: ** Alert 1382974360.1666067: - syslog,asterisk,authentication_failed, 2013 Oct 28 15:32:40 demopbx->/var/log/messages Rule: 6210 (level 5) -> 'Login session failed.' Oct 28 15:32:38 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password ** Alert 1382974390.1666442: - syslog,asterisk,authentication_failed, 2013 Oct 28 15:33:10 demopbx->/var/log/messages Rule: 6210 (level 5) -> 'Login session failed.' Oct 28 15:33:09 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password ** Alert 1382974420.1666817: - syslog,asterisk,authentication_failed, 2013 Oct 28 15:33:40 demopbx->/var/log/messages Rule: 6210 (level 5) -> 'Login session failed.' Oct 28 15:33:39 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password However nothing is being done about it as the multiple failed logins rule (6251) is not being triggered. Not sure if this is useful, but when I try and test the rules by performing: cat ossectest | /var/ossec/bin/ossec-logtest -v I get: Trying rule: 6200 - Asterisk messages grouped. *Rule 6200 matched. *Trying child rules. Trying rule: 6201 - Asterisk notice messages grouped. *Rule 6201 matched. *Trying child rules. Trying rule: 6210 - Login session failed. *Rule 6210 matched. *Trying child rules. Trying rule: 6251 - Multiple failed logins. Trying rule: 40111 - Multiple authentication failures. **Phase 3: Completed filtering (rules). Rule id: '6210' Level: '5' Description: 'Login session failed.' **Alert to be generated. ossectest contains: Oct 28 15:02:17 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:18 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:19 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:20 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:21 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:22 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:23 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:24 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Oct 28 15:02:25 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password Not sure if ossec-logtest tests the file as a whole or just takes them line by line. I've tried altering the threshold and number of failed attempts before a block occurs because I noticed they're only trying a connection every 30 seconds and wasn't sure if they were bypassing the checks like that, the two rules are as follows: <rule id="6210" level="5"> <if_sid>6201</if_sid> <match>Wrong password</match> <description>Login session failed.</description> <group>authentication_failed,</group> </rule> <rule id="6251" level="10" frequency="2"> <if_matched_sid>6210</if_matched_sid> <same_source_ip /> <description>Multiple failed logins.</description> </rule> I tried 6251 with a threshold of the default 300 and an increased 600. Any help would be appreciated. Best Regards -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
