Oh no.

Stupid me focussed completely on rules and active response configuration 
and totally missed the src IP decoding in the decoder.

Thanks!



On Wednesday, 25 March 2015 16:57:10 UTC+1, Tester1234 wrote:
>
> Hi there!
> After playing around now for several days with ossec I am now stuck with a 
> strange behaviour... maybe someone here on the list can point me in the 
> right direction?
>
> Situation:
> OSSEC is up and running, several custom rules and decoders are running as 
> desired. But when trying to count events to escalate the event (of course 
> to trigger active response later) ossec seems to refuse its service :)
>
> Example rule:
>
> <group name="iplog">
>   <rule id="180000" level="0">
>     <decoded_as>iplog</decoded_as>
>     <description>Grouping for iplog rules</description>
>   </rule>
>  <rule id="180001" level="6">
>    <if_sid>180000</if_sid>
>    <match>scan detected</match>
>    <description>iplog scan detect</description>
>  </rule>
>  <rule id="180002"  level="6">
>    <if_sid>180000</if_sid>
>    <match>ssh connection attempt from</match>
>    <description>SSH Connect falscher Port</description>
>  </rule>
>  <rule id="180003"  level="10" frequency="2" timeframe="30">
>    <if_matched_sid>180002</if_matched_sid>
>    <same_source_ip />
>    <description>SSH Bruteforce am Fakeport</description>
>  </rule>
> </group>
>
>
> This seems to work as the alertlog shows up with rule events of rule 
> #180002 when trying to connect to the wrong ssh port:
>
> ** Alert 1427298108.6245999: - iplog
> 2015 Mar 25 15:41:48 main->/var/log/iplog
> Rule: 180002 (level 6) -> 'SSH Connect falscher Port'
> Mar 25 16:41:47 TCP: ssh connection attempt from 
> 089144208174.atnat0017.my.hoster.net (1.2.3.4):64214
>
> ** Alert 1427298110.6246243: - iplog
> 2015 Mar 25 15:41:50 main->/var/log/iplog
> Rule: 180002 (level 6) -> 'SSH Connect falscher Port'
> Mar 25 16:41:49 TCP: ssh connection attempt from 
> 089144208174.atnat0017.my.hoster.net (1.2.3.4):64215
>
> BUT as I understand and wrote the rules above, rule #180003 should be 
> fired after 4 occurrences of rule #180002.. but that doesn't happen - I can 
> see 10 and more #180002 events but never a #180003.
>
> What am I doing wrong?
> Any hint is appreciated...
>
>

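A decoder for the iplog lines quoted above, added here as an illustration and not taken from the thread: rule 180003 uses `<same_source_ip />`, so the composite rule can only ever match once the decoder actually fills the `srcip` field. The decoder names, the `TCP: ` prematch and the regex are assumptions about the log format shown in the alerts.

```xml
<!-- Added example, not from the original post. Assumes the iplog lines
     look like the ones in the alerts above:
       TCP: ssh connection attempt from host.example (1.2.3.4):64214
     Parent decoder: anchors on the protocol prefix (assumed format). -->
<decoder name="iplog">
  <prematch>^TCP: |^UDP: </prematch>
</decoder>

<!-- Child decoder: extracts the source IP and port. Without the
     <order>srcip</order> line the events still match rule 180002,
     but <same_source_ip /> in rule 180003 has nothing to compare
     and the composite rule never fires. -->
<decoder name="iplog-ssh">
  <parent>iplog</parent>
  <prematch offset="after_parent">^ssh connection attempt from </prematch>
  <!-- OSSEC regex: \S+ is the hostname, \d+.\d+.\d+.\d+ the IPv4 address,
       \( and \) are literal parentheses (assumed OSSEC regex syntax). -->
  <regex offset="after_prematch">^\S+ \((\d+.\d+.\d+.\d+)\):(\d+)$</regex>
  <order>srcip, srcport</order>
</decoder>
```

Paste one of the log lines into `/var/ossec/bin/ossec-logtest` and check that the decoding phase lists a `srcip` field; if it does not, the composite rule cannot group events by source address no matter what `frequency` and `timeframe` say.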
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.