On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare
<[email protected]> wrote:
> hmm, well I have this decoder in my ossec decoder set,
> /var/ossec/etc/ossec_decoders/postfix_decoders.xml
> <decoder name="postfix-failed">
> <prematch>^warning: </prematch>
> <regex offset="after_prematch">^(\S+): hostname (\s+) verification
> failed</regex>
> <order>srcip</order>
> </decoder>
>
> don't remember if I have added this myself, or if it came with the wazuh
> decoders....
> then this decoder is used, by ossec-logtest
> but unfortunately my rule isn't triggering...hmm
>
> **Phase 1: Completed pre-decoding.
> full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> Host or domain name not found. Name service error for
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> hostname: 'tron'
> program_name: '(null)'
> log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> or domain name not found. Name service error for
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>
> **Phase 2: Completed decoding.
> decoder: 'postfix-failed'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> I've now had a look in my maillog and found the exact log message as postfix
> logged it:
> 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning:
> 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not
> found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host
> not found, try again
>
> after running this message now through ossec-logtest, I can see that another
> decoder matches, namely the smtpd decoder (openbsd_decoders.xml)
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-03-23T01:09:28.962188+01:00 tron
> postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> Host or domain name not found. Name service error for
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> hostname: 'tron'
> program_name: 'postfix/smtpd'
> log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> or domain name not found. Name service error for
> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>
> **Phase 2: Completed decoding.
> decoder: 'smtpd'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> However, what am I doing wrong here? Why is this rule not triggering?
> <rule id="3307" level="6">
> <if_sid>3300</if_sid>
> <match>RBL lookup error:</match>
> <description>Host or domain name not found. Name service
> error</description>
> <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> </rule>
>
> Am I missing something here?
>
Rule 3300 requires the decoder to be postfix-reject, not postfix-failed:
<rule id="3300" level="0">
<decoded_as>postfix-reject</decoded_as>
<description>Grouping of the postfix reject rules.</description>
</rule>
> On Monday, March 28, 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm trying to write my first rules, by extending the existing postfix
>> > rules.
>> >
>> > Here's what I'm trying to test:
>> > <rule id="3307" level="6">
>> > <if_sid>3300</if_sid>
>> > <match>RBL lookup error:</match>
>> > <description>Host or domain name not found. Name service
>> > error</description>
>> > <group>spam,</group>
>> > </rule>
>> >
>> > along with the log entry that I'm trying to test:
>> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain
>> > name
>> > not found. Name service error for name=199.249.24.179.list.dsbl.org
>> > type=A:
>> > Host not found, try again
>> >
>>
>> This log message, by itself, does not decode to a postfix log message:
>> ossec-testrule: Type one log per line.
>>
>> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or
>> domain name not found. Name service error for
>> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup
>> error: Host or domain name not found. Name service error for
>> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> hostname: 'ix'
>> program_name: '(null)'
>> log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
>> Host or domain name not found. Name service error for
>> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> Adding a random postfix + syslog header onto it helps:
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning:
>> 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name
>> not found. Name service error for name=199.249.24.179.list.dsbl.org
>> type=A: Host not found, try again'
>> hostname: 'ix'
>> program_name: 'postfix/smtpd'
>> log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
>> Host or domain name not found. Name service error for
>> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'postfix'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '3320'
>> Level: '0'
>> Description: 'Grouping of the postfix rules.'
>>
>>
>> But I'm not sure if your log sample is missing some bits or what.
>>
>> > the rule is not firing, instead ossec-logtest is marking it as a "Level
>> > 2"
>> > alert "Unknown problem somewhere in the system."
>> >
>> > what am I doing wrong here?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
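The point of dan's answer, shown as a corrected local_rules.xml fragment (added here, not code from the thread or from the OSSEC project): an `if_sid` child is only evaluated after its parent matched, and rule 3300 matches only events whose Phase 2 decoder is `postfix-reject`, so a parent keyed on the decoder ossec-logtest actually reports (`postfix-failed` here; `smtpd` or `postfix` in the other runs) is needed. Rule ids 100001/100002 are assumed values in OSSEC's local-rule range; 3320 is included as a second parent because dan's run shows the stock `postfix` decoder landing on rule 3320.

```xml
<!-- Added example, not from the thread. Ids 100001/100002 are assumed. -->
<group name="local,syslog,postfix,">

  <!-- Level-0 grouping rule keyed on the decoder the event actually gets.
       Level 0 never alerts by itself; it only exists to be an if_sid parent.
       Replace "postfix-failed" with whatever Phase 2 of ossec-logtest reports
       for the full syslog line on your system (e.g. "smtpd" for the maillog
       line in the thread). -->
  <rule id="100001" level="0">
    <decoded_as>postfix-failed</decoded_as>
    <description>Grouping of events decoded as postfix-failed.</description>
  </rule>

  <!-- The RBL rule from the thread, re-parented onto a rule that can match.
       3320 is listed too: with the stock "postfix" decoder the event reaches
       rule 3320 ("Grouping of the postfix rules"), as seen in dan's test. -->
  <rule id="100002" level="6">
    <if_sid>100001,3320</if_sid>
    <match>RBL lookup error:</match>
    <description>Postfix: RBL lookup error, name service failure.</description>
    <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
  </rule>

</group>
```

Test it in ossec-logtest with the complete maillog line (timestamp, hostname and postfix/smtpd[pid] header), because the bare "warning: ..." fragment is pre-decoded with program_name '(null)' and is picked up by a different decoder than the real event.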