Thanks, Dan!
I've now almost got it fully working... your advice was really good!
Here's my problem: somehow the OpenBSD smtpd decoder fires instead of the postfix one... maybe I'd need to rearrange the order in the ossec.conf to load the postfix decoders last, because it also triggers this:

<decoder name="smtpd">
  <program_name>smtpd</program_name>
</decoder>

However, when I uncomment this, my new postfix decoder works just fine. Here's my postfix decoder:
<decoder name="postfix-rbl">
  <use_own_name>true</use_own_name>
  <parent>postfix</parent>
  <prematch>^warning: </prematch>
  <!-- the address must sit in a capture group, otherwise <order>srcip</order> has no field to fill -->
  <regex offset="after_prematch">(\d+.\d+.\d+.\d+).\w+.\w+.\w+: </regex>
  <order>srcip</order>
</decoder>

Here are my postfix rules:
  <rule id="3395" level="0">
    <decoded_as>postfix-rbl</decoded_as>
    <description>Grouping of the postfix RBL rules.</description>
  </rule>

  <rule id="3396" level="6">
    <if_sid>3395</if_sid>
    <match> RBL lookup error: </match>
    <description>Host or domain name not found. Name service error</description>
    <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
  </rule>

ossec-logtest is now able to detect it:
**Phase 2: Completed decoding.
       decoder: 'postfix'

**Phase 3: Completed filtering (rules).
       Rule id: '3396'
       Level: '6'
       Description: 'Host or domain name not found. Name service error'
**Alert to be generated.

At the moment I really don't know how to prevent the clash with the OpenBSD decoder... hmm
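An added example (my own, not code from the thread or from the OSSEC/Wazuh rulesets) that models why the quoted smtpd decoder grabs postfix/smtpd lines: OSSEC compiles `<program_name>` as an unanchored regex, so `smtpd` matches anywhere inside `postfix/smtpd`. It runs the maillog line quoted below through decoder selection in three load orders (as shipped, postfix loaded first as proposed above, and an anchored `^smtpd$`), then through the postfix-rbl prematch/regex/order chain and rules 3395/3396. The syslog parser, the decoder lists and the rule logic are a simplified stand-in for ossec-analysisd (hypothetical), and the decoder regex is translated to Python `re`.

```python
import re

# Constructed input: the maillog line quoted in the thread (RFC 3339 timestamp form).
LOG = ("2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: "
       "199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not "
       "found. Name service error for name=199.249.24.179.list.dsbl.org type=A: "
       "Host not found, try again")

# (decoder name, <program_name> pattern) in load order. OSSEC regexes match
# anywhere in the string unless anchored with ^/$, which is the source of the clash.
AS_SHIPPED = [("smtpd", r"smtpd"), ("postfix", r"^postfix")]     # openbsd file first
POSTFIX_FIRST = [("postfix", r"^postfix"), ("smtpd", r"smtpd")]  # files reordered
ANCHORED = [("smtpd", r"^smtpd$"), ("postfix", r"^postfix")]     # smtpd anchored

# Simplified pre-decoder (hypothetical; only the ISO-timestamp syslog form above).
SYSLOG = re.compile(r"^\S+ (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
RBL_PREMATCH = re.compile(r"^warning: ")
# The postfix-rbl decoder regex in Python re form; group 1 fills <order>srcip</order>.
RBL_REGEX = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.\w+\.\w+\.\w+: ")

def pick_parent(program_name, decoders):
    """First decoder whose program_name regex matches anywhere wins."""
    for name, pattern in decoders:
        if re.search(pattern, program_name):
            return name
    return None

def decode_rbl(msg):
    """Child decoder postfix-rbl: prematch selects it, regex groups fill fields."""
    pm = RBL_PREMATCH.match(msg)
    if pm is None:
        return None                            # prematch missed: decoder not chosen
    m = RBL_REGEX.match(msg[pm.end():])        # offset="after_prematch"
    return {"srcip": m.group(1)} if m else {}  # chosen, but no field if regex misses

def evaluate(line, decoders):
    """Return (decoder, fields, rule id) the way ossec-logtest would report them."""
    _host, prog, msg = SYSLOG.match(line).group("host", "prog", "msg")
    parent = pick_parent(prog, decoders)
    if parent != "postfix":
        return parent, None, None              # children of postfix never get a look
    fields = decode_rbl(msg)
    if fields is None:
        return parent, None, None
    # rule 3395 (decoded_as postfix-rbl), then 3396 (match " RBL lookup error: ")
    rule = 3396 if " RBL lookup error: " in msg else 3395
    return "postfix-rbl", fields, rule

if __name__ == "__main__":
    for label, decoders in (("as shipped", AS_SHIPPED), ("postfix first", POSTFIX_FIRST),
                            ("anchored", ANCHORED)):
        print(label, evaluate(LOG, decoders))
```

The as-shipped order reproduces the thread's result (decoder smtpd, no postfix rule); either loading postfix first or anchoring the smtpd program_name lets 3396 fire with srcip populated.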





On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare <[email protected]> wrote:
> > hmm, well I have this decoder in my ossec decoder set,
> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml
> > <decoder name="postfix-failed">
> >   <prematch>^warning: </prematch>
> >   <!-- \S (non-space) rather than \s: the verified hostname is a word, not whitespace -->
> >   <regex offset="after_prematch">^(\S+): hostname (\S+) verification failed</regex>
> >   <order>srcip</order>
> > </decoder>
> >
> > I don't remember if I added this myself, or if it came with the Wazuh decoders...
> > Then this decoder is used by ossec-logtest,
> > but unfortunately my rule isn't triggering... hmm
> > 
> > **Phase 1: Completed pre-decoding.
> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >        hostname: 'tron'
> >        program_name: '(null)'
> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'postfix-failed' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '1002' 
> >        Level: '2' 
> >        Description: 'Unknown problem somewhere in the system.' 
> > **Alert to be generated. 
> > 
> > I've now had a look in my maillog and found the exact log message as postfix logged it:
> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> > 
> > After running this message through ossec-logtest, I can see that another decoder matches, namely the smtpd decoder (openbsd_decoders.xml):
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >        hostname: 'tron'
> >        program_name: 'postfix/smtpd'
> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'smtpd' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '1002' 
> >        Level: '2' 
> >        Description: 'Unknown problem somewhere in the system.' 
> > **Alert to be generated. 
> > 
> > However, what am I doing wrong here? Why is this rule not triggering?
> >   <rule id="3307" level="6">
> >     <if_sid>3300</if_sid>
> >     <match>RBL lookup error:</match>
> >     <description>Host or domain name not found. Name service error</description>
> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> >   </rule>
> > 
> > Am I missing something here? 
> > 
>
> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed: 
>   <rule id="3300" level="0"> 
>     <decoded_as>postfix-reject</decoded_as> 
>     <description>Grouping of the postfix reject rules.</description> 
>   </rule> 
>
>
> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I'm trying to write my first rules by extending the existing postfix rules.
> >> >
> >> > Here's what I'm trying to test:
> >> > <rule id="3307" level="6">
> >> >   <if_sid>3300</if_sid>
> >> >   <match>RBL lookup error:</match>
> >> >   <description>Host or domain name not found. Name service error</description>
> >> >   <group>spam,</group>
> >> > </rule>
> >> >
> >> > along with the log entry that I'm trying to test:
> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >
> >> > 
> >> 
> >> This log message, by itself, does not decode to a postfix log message:
> >> ossec-testrule: Type one log per line.
> >>
> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> 
> >> 
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >>        hostname: 'ix'
> >>        program_name: '(null)'
> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> 
> >> **Phase 2: Completed decoding. 
> >>        No decoder matched. 
> >> 
> >> Adding a random postfix + syslog header onto it helps:
> >> ossec-testrule: Type one log per line.
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >>        hostname: 'ix'
> >>        program_name: 'postfix/smtpd'
> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> 
> >> **Phase 2: Completed decoding. 
> >>        decoder: 'postfix' 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '3320' 
> >>        Level: '0' 
> >>        Description: 'Grouping of the postfix rules.' 
> >> 
> >> 
> >> But I'm not sure if your log sample is missing some bits or what.
> >>
> >> > The rule is not firing; instead ossec-logtest is marking it as a "Level 2" alert, "Unknown problem somewhere in the system."
> >> >
> >> > What am I doing wrong here?
> >> >
> >> > 
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
>

