Sorry, it's this one
2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again

On Monday, 28 March 2016 17:39:32 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare 
> <[email protected]> wrote:
> > Thanks, Dan! 
> > I now almost got it fully working.... your advice was really good! 
> > Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the
> > postfix....maybe I'd need to rearrange the order in the ossec.conf to load
> > the postfix decoders last.
> > because it also triggers this 
> > 
> > <decoder name="smtpd"> 
> >   <program_name>smtpd</program_name> 
> > </decoder> 
> > 
> > However, when I uncomment this, my new postfix decoder works just fine 
> > here's my postfix decoder: 
> > <decoder name="postfix-rbl"> 
> >   <use_own_name>true</use_own_name> 
> >   <parent>postfix</parent> 
> >   <prematch>^warning: </prematch> 
> >   <regex offset="after_prematch">\d+.\d+\d+\d+.\w+.\w+.\w+: </regex> 
> >   <order>srcip</order> 
> > </decoder> 
> > 
>
> This doesn't work with the previous log sample you supplied, what log 
> message are you currently using? 
>
> > Here are my postfix rules: 
> >   <rule id="3395" level="0"> 
> >     <decoded_as>postfix-rbl</decoded_as> 
> >     <description>Grouping of the postfix RBL rules.</description> 
> >   </rule> 
> > 
> >   <rule id="3396" level="6"> 
> >     <if_sid>3395</if_sid> 
> >     <match> RBL lookup error: </match> 
> >     <description>Host or domain name not found. Name service 
> > error</description> 
> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group> 
> >   </rule> 
> > 
> > ossec-logtest is now able to detect it: 
> > **Phase 2: Completed decoding. 
> >        decoder: 'postfix' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '3396' 
> >        Level: '6' 
> >        Description: 'Host or domain name not found. Name service error' 
> > **Alert to be generated. 
> > 
> > At the moment I really don't know how to prevent the clash with the openbsd
> > decoder...hmm
> > 
> > 
> > 
> > 
> > 
> > On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
> >> 
> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
> >> <[email protected]> wrote: 
> >> > hmm, well I have this decoder in my ossec decoder set, 
> >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
> >> > <decoder name="postfix-failed"> 
> >> >   <prematch>^warning: </prematch> 
> >> >   <regex offset="after_prematch">^(\S+): hostname (\s+) verification 
> >> > failed</regex> 
> >> >   <order>srcip</order> 
> >> > </decoder> 
> >> > 
> >> > don't remember if I have added this myself, or if it came with the wazuh
> >> > decoders....
> >> > then this decoder is used, by ossec-logtest 
> >> > but unfortunately my rule isn't triggering...hmm 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> > Host or domain name not found. Name service error for
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >        hostname: 'tron'
> >> >        program_name: '(null)'
> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> >> > or domain name not found. Name service error for
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'postfix-failed' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '1002' 
> >> >        Level: '2' 
> >> >        Description: 'Unknown problem somewhere in the system.' 
> >> > **Alert to be generated. 
> >> > 
> >> > I've now had a look in my maillog and found the exact log message as postfix
> >> > logged it:
> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning:
> >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not
> >> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A:
> >> > Host not found, try again
> >> > 
> >> > after running this message now through ossec-logtest, I can see that another
> >> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml)
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: '2016-03-23T01:09:28.962188+01:00 tron
> >> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> > Host or domain name not found. Name service error for
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >        hostname: 'tron'
> >> >        program_name: 'postfix/smtpd'
> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> >> > or domain name not found. Name service error for
> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'smtpd' 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '1002' 
> >> >        Level: '2' 
> >> >        Description: 'Unknown problem somewhere in the system.' 
> >> > **Alert to be generated. 
> >> > 
> >> > However, what am I doing wrong here? Why is this rule not triggering? 
> >> >   <rule id="3307" level="6"> 
> >> >     <if_sid>3300</if_sid> 
> >> >     <match>RBL lookup error:</match> 
> >> >     <description>Host or domain name not found. Name service 
> >> > error</description> 
> >> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group> 
> >> >   </rule> 
> >> > 
> >> > Am I missing something here? 
> >> > 
> >> 
> >> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed:
> >>   <rule id="3300" level="0"> 
> >>     <decoded_as>postfix-reject</decoded_as> 
> >>     <description>Grouping of the postfix reject rules.</description> 
> >>   </rule> 
> >> 
> >> 
> >> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
> >> >> 
> >> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare 
> >> >> <[email protected]> wrote: 
> >> >> > Hi, 
> >> >> > 
> >> >> > i'm trying to write my first rules, by extending the existing postfix
> >> >> > rules.
> >> >> > 
> >> >> > here's what i'm trying to test: 
> >> >> > <rule id="3307" level="6"> 
> >> >> >   <if_sid>3300</if_sid> 
> >> >> >   <match>RBL lookup error:</match> 
> >> >> >   <description>Host or domain name not found. Name service 
> >> >> > error</description> 
> >> >> >   <group>spam,</group> 
> >> >> > </rule> 
> >> >> > 
> >> >> > along with the log entry that i'm trying to test 
> >> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain
> >> >> > name not found. Name service error for name=199.249.24.179.list.dsbl.org
> >> >> > type=A: Host not found, try again
> >> >> > 
> >> >> 
> >> >> This log message, by itself, does not decode to a postfix log message:
> >> >> ossec-testrule: Type one log per line. 
> >> >> 
> >> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or 
> >> >> domain name not found. Name service error for 
> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again 
> >> >> 
> >> >> 
> >> >> **Phase 1: Completed pre-decoding. 
> >> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup
> >> >> error: Host or domain name not found. Name service error for
> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >>        hostname: 'ix'
> >> >>        program_name: '(null)'
> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> Host or domain name not found. Name service error for
> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> 
> >> >> **Phase 2: Completed decoding. 
> >> >>        No decoder matched. 
> >> >> 
> >> >> Adding a random postfix + syslog header onto it helps: 
> >> >> ossec-testrule: Type one log per line. 
> >> >> 
> >> >> 
> >> >> 
> >> >> **Phase 1: Completed pre-decoding. 
> >> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 
> >> >> 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name 
> >> >> not found. Name service error for name=199.249.24.179.list.dsbl.org 
> >> >> type=A: Host not found, try again' 
> >> >>        hostname: 'ix' 
> >> >>        program_name: 'postfix/smtpd' 
> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> Host or domain name not found. Name service error for
> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> 
> >> >> **Phase 2: Completed decoding. 
> >> >>        decoder: 'postfix' 
> >> >> 
> >> >> **Phase 3: Completed filtering (rules). 
> >> >>        Rule id: '3320' 
> >> >>        Level: '0' 
> >> >>        Description: 'Grouping of the postfix rules.' 
> >> >> 
> >> >> 
> >> >> But I'm not sure if your log sample is missing some bits or what. 
> >> >> 
> >> >> > the rule is not firing, instead ossec-logtest is marking it as a "Level
> >> >> > 2" alert "Unknown problem somewhere in the system."
> >> >> > 
> >> >> > what am I doing wrong here? 
> >> >> > 
> >> > 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
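An added example, not from this thread or from the OSSEC project, that models the two behaviours discussed above: the bare `warning:` line pre-decodes with no program_name and so matches no decoder, and an unanchored `<program_name>smtpd</program_name>` loaded before the postfix decoders also claims `postfix/smtpd` events, because OSSEC matches program_name as a substring unless the pattern is anchored. The `^postfix` program_name of the stock `postfix` decoder, the `^smtpd$` anchoring as an alternative to reordering the decoder files, and the simplified matching logic are my assumptions, not code from the page.

```python
import re
# Constructed input: the thread's postfix warning, bare and behind a syslog header.
RAW = ("warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain "
       "name not found. Name service error for name=199.249.24.179.list.dsbl.org "
       "type=A: Host not found, try again")
WITH_HEADER = "Mar 27 13:00:01 ix postfix/smtpd[2222]: " + RAW

SYSLOG = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\[\]:]+)(?:\[\d+\])?: (.*)$")

def predecode(line):
    """Phase 1 (approximation): split off the syslog header; without one, program_name stays unset."""
    m = SYSLOG.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def os_match(pattern, text):
    """Approximation of OSSEC's OSMatch used for <program_name>: substring unless anchored by ^ / $."""
    if text is None:
        return False
    start, end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern[1 if start else 0:(-1 if end else None)]
    if start and end:
        return text == core
    return text.startswith(core) if start else text.endswith(core) if end else core in text

def decode(decoders, event):
    """Phase 2 (approximation): first top-level decoder whose program_name matches wins, then its children are tried on prematch."""
    for d in decoders:
        if "parent" in d or not os_match(d["program_name"], event["program_name"]):
            continue
        for child in decoders:
            if child.get("parent") == d["name"] and re.match(child["prematch"], event["log"]):
                return child["name"]
        return d["name"]
    return None  # ossec-logtest: "No decoder matched."

# Assumed decoder set (hypothetical, modelled on the ones quoted in the thread):
# openbsd_decoders.xml loads first with an unanchored program_name, so "smtpd" also hits "postfix/smtpd".
OPENBSD_SMTPD = {"name": "smtpd", "program_name": "smtpd"}
POSTFIX = {"name": "postfix", "program_name": "^postfix"}          # stock postfix decoder (assumed)
POSTFIX_RBL = {"name": "postfix-rbl", "parent": "postfix", "prematch": r"^warning: "}

def demo():
    """Returns the decoder chosen for (bare line, stock order, smtpd anchored with ^smtpd$)."""
    stock = [OPENBSD_SMTPD, POSTFIX, POSTFIX_RBL]
    anchored = [dict(OPENBSD_SMTPD, program_name="^smtpd$"), POSTFIX, POSTFIX_RBL]
    return (decode(stock, predecode(RAW)), decode(stock, predecode(WITH_HEADER)),
            decode(anchored, predecode(WITH_HEADER)))
```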
