On 28.10.2013 10:46, Ryan Short wrote:
Hi all,
I'm having an issue with a brute force password attempt not being
blocked and I'm not sure why. There are two rules, as far as I can
tell, in the asterisk_rules.xml file; the latter should trigger when
the former hits a certain number of failed attempts.
Thanks for all of the detailed information. It really helps. Before you
decide to switch to fail2ban, let's see if we can actually address your
issue. I noticed that the srcip wasn't being decoded properly, which is
likely the issue. So, try this:
1. Comment out the asterisk decoder from decoder.xml.
2. Copy it into local_decoders.xml (create it if needed, with the same
permissions as decoder.xml).
3. In local_decoders.xml, replace the asterisk-denied sub-decoder with
this one:
<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <!-- match the NOTICE line for a failed SIP registration -->
  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
  <!-- OSSEC regex syntax: \p = punctuation, \.+ = any characters;
       the two groups capture the IP and port after "failed for" -->
  <regex offset="after_prematch">^'"\d+" \p\.+' failed for
'(\d+.\d+.\d+.\d+):(\d+)</regex>
  <order>srcip,srcport</order>
</decoder>
Note that I don't know how this will affect other versions of Asterisk
logs, but it should decode yours. Let us know how it turns out.
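To check what the decoder above extracts before touching the live config, here is an added example (not OSSEC code, and not part of the original reply) that mirrors the decoder's prematch and regex in Python's re syntax, runs them over constructed Asterisk log lines, and then counts decoded failures per srcip the way a frequency rule would. It assumes the parent "asterisk" decoder consumes a leading "[Mon DD hh:mm:ss] " timestamp; the sample lines and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed behaviour of the parent "asterisk" decoder: strip the timestamp prefix.
PARENT_PREFIX = re.compile(r"^\[\w+ +\d+ \d+:\d+:\d+\] ")
# OSSEC prematch: ^NOTICE[\d+]: \S+ in \S+: Registration from   ("[" is literal in OSSEC)
PREMATCH = re.compile(r"^NOTICE\[\d+\]: \S+ in \S+: Registration from ")
# OSSEC regex: ^'"\d+" \p\.+' failed for '(\d+.\d+.\d+.\d+):(\d+)
# \p (punctuation) -> [^\w\s], \.+ (any chars) -> .+, literal "." -> \.
REGEX = re.compile(r"^'\"\d+\" [^\w\s].+' failed for '(\d+\.\d+\.\d+\.\d+):(\d+)")


def decode(line):
    """Return {'srcip', 'srcport'} if the line matches asterisk-denied, else None."""
    m = PARENT_PREFIX.match(line)
    rest = line[m.end():] if m else line
    pm = PREMATCH.match(rest)
    if not pm:
        return None
    m = REGEX.match(rest[pm.end():])  # offset="after_prematch"
    if not m:
        return None
    return {"srcip": m.group(1), "srcport": m.group(2)}


def count_failures(lines, threshold):
    """Mimic a frequency rule: srcips with at least `threshold` decoded failures.
    A real OSSEC rule also applies a timeframe, which is omitted here."""
    counts = defaultdict(int)
    for line in lines:
        fields = decode(line)
        if fields:
            counts[fields["srcip"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (documentation-range addresses, not from a real system).
_REG = ("NOTICE[1234]: chan_sip.c:21234 in handle_request_register: "
        "Registration from '\"100\" <sip:100@192.0.2.10>' failed for ")
SAMPLE_LOGS = [
    "[Oct 28 10:46:01] " + _REG + "'203.0.113.5:5060' - Wrong password",
    "[Oct 28 10:46:02] " + _REG + "'203.0.113.5:5061' - Wrong password",
    "[Oct 28 10:46:03] " + _REG + "'198.51.100.7:5060' - No matching peer found",
    "[Oct 28 10:46:04] " + _REG + "'203.0.113.5:5062' - Wrong password",
    "[Oct 28 10:46:05] VERBOSE[1234]: logger.c:1 in ast_log: -- Registered SIP '100'",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
    print(count_failures(SAMPLE_LOGS, 3))
```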