Default OSSEC rules
[root@brolabs bin]# ./ossec-logtest
2016/01/19 19:22:26 ossec-testrule: INFO: Reading local decoder file.
2016/01/19 19:22:26 ossec-testrule: INFO: Started (pid: 18441).
ossec-testrule: Type one log per line.
Jan 19 17:58:40 tech2srv12 sendmail[24741]: u0JGwbD8024741:
xxx-xxx-x-xx.xxx.xxxxxx.xxx [ip.add.rre.ss] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
**Phase 1: Completed pre-decoding.
full event: 'Jan 19 17:58:40 tech2srv12 sendmail[24741]:
u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [ip.add.rre.ss] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA'
hostname: 'tech2srv12'
program_name: 'sendmail'
log: 'u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [ip.add.rre.ss]
did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'
**Phase 2: Completed decoding.
decoder: 'sendmail-reject'
**Phase 3: Completed filtering (rules).
Rule id: '3100'
Level: '0'
Description: 'Grouping of the sendmail rules.'
So I created something very basic and added it to local_rules.xml
<rule id="1000111" level="7">
<if_sid>3100</if_sid>
<decoded_as>sendmail-reject</decoded_as>
<match>did not issue MAIL/EXPN/VRFY/ETRN</match>
<description>Possible SMTP Auth Bruteforce</description>
</rule>
And added this to decoder.xml
<decoder name="sendmail-reject-bf">
<parent>sendmail-reject</parent>
<regex>[(\d+.\d+.\d+.\d+)] did not issue</regex>
<order>srcip</order>
</decoder>
Results:
[root@brolabs rules]# ../bin/ossec-logtest
2016/01/19 19:47:21 ossec-testrule: INFO: Reading local decoder file.
2016/01/19 19:47:21 ossec-testrule: INFO: Started (pid: 18518).
ossec-testrule: Type one log per line.
Jan 19 17:58:40 tech2srv12 sendmail[24741]: u0JGwbD8024741:
xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] did not issue MAIL/EXPN/VRFY/ETRN
during connection to MTA
**Phase 1: Completed pre-decoding.
full event: 'Jan 19 17:58:40 tech2srv12 sendmail[24741]:
u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA'
hostname: 'tech2srv12'
program_name: 'sendmail'
log: 'u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] did
not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'
**Phase 2: Completed decoding.
decoder: 'sendmail-reject'
srcip: '200.1.10.20'
**Phase 3: Completed filtering (rules).
Rule id: '100011'
Level: '5'
Description: 'Possible SMTP Auth Bruteforce'
**Alert to be generated.
Just make sure you set the correct level to activate an AR. I just tried it
quickly, but at least it's something closer to what you want. Since you're trying
to add BF detection, adding frequency to this rule would be better.
Hope it helps!
On Tue, Jan 19, 2016 at 3:37 PM, Giorgio Biondi <[email protected]>
wrote:
> Hi,
>
> on my Linux box I have some attacks via smtp/saslauthd, but OSSEC doesn't block
> the attacker via 'active-response' because it doesn't have suitable rules.
> I have thought about creating new rules, but I don't have the skill to build
> them, so I'm asking for help.
>
> I want to block the attacker when it reads this in the maillog file:
>
> /var/log/maillog:Jan 19 17:58:40 tech2srv12 sendmail[24741]:
> u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [ip.add.rre.ss] did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> I want to block the IP address when OSSEC reads (for example) "did not issue
> MAIL/EXPN/VRFY/ETRN during"
>
> I hope in you..
>
> All the best
>
> Giorgio Biondi.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
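The reply above suggests adding frequency to the rule so that a single "did not issue MAIL/EXPN/VRFY/ETRN" line does not trigger an active response on its own. The following is an added example, not code from the thread or from the OSSEC project: a small Python model of the decoder-plus-frequency pipeline, run offline over constructed maillog lines (the 200.1.10.20 address comes from the thread; the second address, the extra message IDs and the timestamps are made up). The regex is the Python equivalent of the posted decoder, with the dots escaped so they only match literal dots. The threshold and window values, and the OSSEC rule fragment in the leading comment, are assumptions chosen for illustration; the element names (frequency, timeframe, same_source_ip, if_matched_sid) are real OSSEC rule syntax, the ids are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# For reference, the shape of a composite OSSEC rule that fires only after
# repeated matches of the single-event rule from the thread (ids and values
# are placeholders, not the thread's rule):
#
#   <rule id="100012" level="10" frequency="5" timeframe="120">
#     <if_matched_sid>100011</if_matched_sid>
#     <same_source_ip />
#     <description>SMTP probing repeated from the same source</description>
#   </rule>
#
# The code below models that behaviour so the thresholds can be checked
# against sample log lines before touching local_rules.xml.

# Python equivalent of the thread's decoder regex; dots escaped to match
# only literal dots in the address.
SRCIP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN")
# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: rest of line"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")

FREQUENCY = 5    # assumed threshold, like frequency="5"
TIMEFRAME = 120  # assumed window in seconds, like timeframe="120"


def decode(line, year=2016):
    """Pre-decode the syslog header and extract srcip the way the decoder does.

    Returns None for lines that are not sendmail rejects of this form.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, rest = m.groups()
    if prog != "sendmail":
        return None
    ip = SRCIP_RE.search(rest)
    if not ip:
        return None
    # syslog timestamps carry no year; the caller supplies one.
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {"timestamp": when, "hostname": host,
            "program_name": prog, "srcip": ip.group(1)}


class FrequencyCorrelator:
    """Count matches per source IP inside a sliding window (same_source_ip)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen = defaultdict(deque)  # srcip -> timestamps of recent matches

    def feed(self, event):
        """Return True when this event pushes its srcip over the threshold."""
        q = self.seen[event["srcip"]]
        q.append(event["timestamp"])
        # Drop matches that fell out of the timeframe.
        while q and (event["timestamp"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # start a fresh window after firing
            return True
        return False


def run(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return (srcips matched by the single-event rule, srcips that fired the
    composite rule) for a list of maillog lines."""
    corr = FrequencyCorrelator(frequency, timeframe)
    single, composite = [], []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        single.append(ev["srcip"])
        if corr.feed(ev):
            composite.append(ev["srcip"])
    return single, composite


# Constructed sample: six rejects from one source within a few minutes, one
# from another source, and one unrelated sendmail line.
_TAIL = "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
SAMPLE_MAILLOG = [
    f"Jan 19 17:58:40 tech2srv12 sendmail[24741]: u0JGwbD8024741: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
    f"Jan 19 17:58:52 tech2srv12 sendmail[24742]: u0JGwqD8024742: mx.example.net [198.51.100.7] {_TAIL}",
    f"Jan 19 17:59:01 tech2srv12 sendmail[24745]: u0JGx1D8024745: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
    f"Jan 19 17:59:15 tech2srv12 sendmail[24748]: u0JGxFD8024748: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
    "Jan 19 17:59:30 tech2srv12 sendmail[24751]: u0JGxUD8024751: from=<user@example.com>, size=1024, class=0, nrcpts=1",
    f"Jan 19 17:59:44 tech2srv12 sendmail[24753]: u0JGxiD8024753: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
    f"Jan 19 18:00:02 tech2srv12 sendmail[24756]: u0JGy2D8024756: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
    f"Jan 19 18:25:09 tech2srv12 sendmail[24790]: u0JHP9D8024790: xxx-xxx-x-xx.xxx.xxxxxx.xxx [200.1.10.20] {_TAIL}",
]

if __name__ == "__main__":
    matched, fired = run(SAMPLE_MAILLOG)
    print(f"single-event matches: {len(matched)}, composite alerts for: {fired}")
```

With the sample above the single-event rule matches seven times, but the composite rule fires once, for 200.1.10.20 at its fifth reject inside the two-minute window; the lone 198.51.100.7 reject and the later isolated one never reach the threshold, which is the behaviour you want before attaching a firewall-drop active response. Treat the counter here as a simplified model: the OSSEC rule syntax documentation notes that its own frequency counter actually triggers two more matches than the configured value, so verify the chosen numbers with ossec-logtest rather than this script.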