Hmm, well, I have this decoder in my OSSEC decoder set, 
/var/ossec/etc/ossec_decoders/postfix_decoders.xml:
<decoder name="postfix-failed">
  <prematch>^warning: </prematch>
  <regex offset="after_prematch">^(\S+): hostname (\s+) verification failed</regex>
  <order>srcip</order>
</decoder>

I don't remember if I added this myself or if it came with the Wazuh decoders....
This decoder is then used by ossec-logtest, but unfortunately my rule isn't triggering... hmm

**Phase 1: Completed pre-decoding.
       full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
       hostname: 'tron'
       program_name: '(null)'
       log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'

**Phase 2: Completed decoding.
       decoder: 'postfix-failed'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


I've now had a look in my maillog and found the exact log message as postfix logged it:

2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again

After running this message through ossec-logtest, I can see that another decoder matches, namely the smtpd decoder (openbsd_decoders.xml):

**Phase 1: Completed pre-decoding.
       full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
       hostname: 'tron'
       program_name: 'postfix/smtpd'
       log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'

**Phase 2: Completed decoding.
       decoder: 'smtpd'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

However, what am I doing wrong here? Why is this rule not triggering?
  <rule id="3307" level="6">
    <if_sid>3300</if_sid>
    <match>RBL lookup error:</match>
    <description>Host or domain name not found. Name service error</description>
    <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
  </rule>

Am I missing something here?

On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare 
> <[email protected]> wrote: 
> > Hi, 
> > 
> > I'm trying to write my first rules by extending the existing postfix rules. 
> > 
> > here's what I'm trying to test: 
> > <rule id="3307" level="6"> 
> >   <if_sid>3300</if_sid> 
> >   <match>RBL lookup error:</match> 
> >   <description>Host or domain name not found. Name service error</description> 
> >   <group>spam,</group> 
> > </rule> 
> > 
> > along with the log entry that I'm trying to test 
> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again 
> > 
>
> This log message, by itself, does not decode to a postfix log message: 
> ossec-testrule: Type one log per line. 
>
> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again 
>
> **Phase 1: Completed pre-decoding. 
>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>        hostname: 'ix' 
>        program_name: '(null)' 
>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>
> **Phase 2: Completed decoding. 
>        No decoder matched. 
>
> Adding a random postfix + syslog header onto it helps: 
> ossec-testrule: Type one log per line. 
>
> **Phase 1: Completed pre-decoding. 
>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>        hostname: 'ix' 
>        program_name: 'postfix/smtpd' 
>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>
> **Phase 2: Completed decoding. 
>        decoder: 'postfix' 
>
> **Phase 3: Completed filtering (rules). 
>        Rule id: '3320' 
>        Level: '0' 
>        Description: 'Grouping of the postfix rules.' 
>
> But I'm not sure if your log sample is missing some bits or what. 
>
> > the rule is not firing, instead ossec-logtest is marking it as a "Level 2" alert "Unknown problem somewhere in the system." 
> > 
> > what am I doing wrong here? 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>
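
As an added illustration (not part of this thread, and not OSSEC's own code), here is a small Python model of the decoder selection and if_sid chaining that the ossec-logtest runs above go through: it reproduces both runs (the headerless line claimed by 'postfix-failed', the full syslog line claimed by 'smtpd', each ending in rule 1002) and shows rule 3307 firing only once the 'postfix' decoder claims the event. It assumes the 'smtpd' decoder matches a program_name containing "smtpd", that the stock grouping rule 3300 requires decoded_as postfix, a simplified match for rule 1002, and Python re in place of OSSEC's regex dialect.

```python
import re

# Added example, not OSSEC's code: a small model of ossec-logtest phases 2 and 3.
# Decoders with <program_name> are only tried when the syslog header yielded one,
# decoders without it only when it did not; the first in load order whose prematch
# fits claims the event. A rule with <if_sid> runs only after its parent matched.
# Assumptions: Python re for OSSEC's regex dialect, the 'smtpd' program_name
# pattern, rule 3300 needing decoded_as postfix, and a simplified 1002 match.
DECODERS = [
    {"name": "postfix-failed", "program_name": None, "prematch": r"^warning: "},
    {"name": "smtpd", "program_name": r"smtpd", "prematch": None},
    {"name": "postfix", "program_name": r"^postfix", "prematch": None},
]
RULES = [
    {"id": 3300, "level": 0, "if_sid": None, "decoded_as": "postfix", "match": None},
    {"id": 3307, "level": 6, "if_sid": 3300, "decoded_as": None, "match": "RBL lookup error:"},
    {"id": 1002, "level": 2, "if_sid": None, "decoded_as": None, "match": r"error|fail"},
]

def decode(program_name, log, decoders=DECODERS):
    """Name of the first decoder, in load order, that claims the event (or None)."""
    for d in decoders:
        if bool(d["program_name"]) != bool(program_name):
            continue  # decoder belongs to the other list for this event
        if d["program_name"] and not re.search(d["program_name"], program_name):
            continue
        if d["prematch"] and not re.search(d["prematch"], log):
            continue
        return d["name"]

def rule_matches(rule, decoder, log):
    if rule["decoded_as"] and rule["decoded_as"] != decoder:
        return False
    return rule["match"] is None or re.search(rule["match"], log) is not None

def evaluate(program_name, log, decoders=DECODERS):
    """(decoder, rule id, level) as ossec-logtest would report them."""
    decoder = decode(program_name, log, decoders)
    for rule in RULES:
        if rule["if_sid"] is not None or not rule_matches(rule, decoder, log):
            continue  # only root rules start a match; children need their parent
        kids = [c for c in RULES if c["if_sid"] == rule["id"] and rule_matches(c, decoder, log)]
        fired = kids[0] if kids else rule
        return decoder, fired["id"], fired["level"]
    return decoder, None, None

LOG = ("warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not "
       "found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again")
print(evaluate(None, LOG), evaluate("postfix/smtpd", LOG), evaluate("postfix/smtpd", LOG, DECODERS[2:]))
```

The third call passes only the 'postfix' decoder, which is the situation dan's test produced by adding a syslog header on a box where that decoder wins; with it the if_sid chain 3300 -> 3307 is reached and the level 6 rule fires.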
