Awesome, this worked! I'm going to work on some more postfix rules and decoders over the next few days, because I have tons of Level 2 - Rule 1002 alerts that I want gone.
Do you think they would be accepted (once they work properly) as a PR on GitHub?

On Monday, 28 March 2016 17:45:58 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare <[email protected]> wrote:
> > Sorry, it's this one
> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >
>
> Thanks. It decodes fine for me (but who knows what I've done):
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>        hostname: 'tron'
>        program_name: 'postfix/smtpd'
>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>
> **Phase 2: Completed decoding.
>        decoder: 'postfix'
>
> Try changing the OpenSMTPd decoder to this:
> <decoder name="smtpd">
>   <program_name>^smtpd</program_name>
> </decoder>
>
>
> > On Monday, 28 March 2016 17:39:32 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare <[email protected]> wrote:
> >> > Thanks, Dan!
> >> > I now almost got it fully working.... your advice was really good!
> >> > Here's my problem: somehow the OpenBSD smtpd decoders fire instead of the postfix ones.... maybe I'd need to rearrange the order in the ossec.conf to load the postfix decoders last,
> >> > because it also triggers this
> >> >
> >> > <decoder name="smtpd">
> >> >   <program_name>smtpd</program_name>
> >> > </decoder>
> >> >
> >> > However, when I comment this out, my new postfix decoder works just fine.
> >> > Here's my postfix decoder:
> >> > <decoder name="postfix-rbl">
> >> >   <use_own_name>true</use_own_name>
> >> >   <parent>postfix</parent>
> >> >   <prematch>^warning: </prematch>
> >> >   <regex offset="after_prematch">\d+.\d+\d+\d+.\w+.\w+.\w+: </regex>
> >> >   <order>srcip</order>
> >> > </decoder>
> >> >
> >>
> >> This doesn't work with the previous log sample you supplied, what log message are you currently using?
> >>
> >> > Here are my postfix rules:
> >> > <rule id="3395" level="0">
> >> >   <decoded_as>postfix-rbl</decoded_as>
> >> >   <description>Grouping of the postfix RBL rules.</description>
> >> > </rule>
> >> >
> >> > <rule id="3396" level="6">
> >> >   <if_sid>3395</if_sid>
> >> >   <match> RBL lookup error: </match>
> >> >   <description>Host or domain name not found. Name service error</description>
> >> >   <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> >> > </rule>
> >> >
> >> > ossec-logtest is now able to detect it:
> >> > **Phase 2: Completed decoding.
> >> >        decoder: 'postfix'
> >> >
> >> > **Phase 3: Completed filtering (rules).
> >> >        Rule id: '3396'
> >> >        Level: '6'
> >> >        Description: 'Host or domain name not found. Name service error'
> >> > **Alert to be generated.
> >> >
> >> > At the moment I really don't know how to prevent the clash with the openbsd decoder... hmm
> >> >
> >> >
> >> > On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare <[email protected]> wrote:
> >> >> > hmm, well I have this decoder in my ossec decoder set, /var/ossec/etc/ossec_decoders/postfix_decoders.xml
> >> >> > <decoder name="postfix-failed">
> >> >> >   <prematch>^warning: </prematch>
> >> >> >   <regex offset="after_prematch">^(\S+): hostname (\s+) verification failed</regex>
> >> >> >   <order>srcip</order>
> >> >> > </decoder>
> >> >> >
> >> >> > I don't remember if I added this myself, or if it came with the wazuh decoders....
> >> >> > Then this decoder is used by ossec-logtest,
> >> >> > but unfortunately my rule isn't triggering... hmm
> >> >> >
> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >        hostname: 'tron'
> >> >> >        program_name: '(null)'
> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >
> >> >> > **Phase 2: Completed decoding.
> >> >> >        decoder: 'postfix-failed'
> >> >> >
> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >        Rule id: '1002'
> >> >> >        Level: '2'
> >> >> >        Description: 'Unknown problem somewhere in the system.'
> >> >> > **Alert to be generated.
> >> >> >
> >> >> > I've now had a look in my maillog and found the exact log message as postfix logged it:
> >> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >> >
> >> >> > After running this message through ossec-logtest, I can see that another decoder matches, namely the smtpd decoder (openbsd_decoders.xml):
> >> >> >
> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >        full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >        hostname: 'tron'
> >> >> >        program_name: 'postfix/smtpd'
> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >
> >> >> > **Phase 2: Completed decoding.
> >> >> >        decoder: 'smtpd'
> >> >> >
> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >        Rule id: '1002'
> >> >> >        Level: '2'
> >> >> >        Description: 'Unknown problem somewhere in the system.'
> >> >> > **Alert to be generated.
> >> >> >
> >> >> > However, what am I doing wrong here? Why is this rule not triggering?
> >> >> > <rule id="3307" level="6">
> >> >> >   <if_sid>3300</if_sid>
> >> >> >   <match>RBL lookup error:</match>
> >> >> >   <description>Host or domain name not found. Name service error</description>
> >> >> >   <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> >> >> > </rule>
> >> >> >
> >> >> > Am I missing something here?
> >> >> >
> >> >>
> >> >> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed:
> >> >> <rule id="3300" level="0">
> >> >>   <decoded_as>postfix-reject</decoded_as>
> >> >>   <description>Grouping of the postfix reject rules.</description>
> >> >> </rule>
> >> >>
> >> >>
> >> >> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare <[email protected]> wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > I'm trying to write my first rules by extending the existing postfix rules.
> >> >> >> >
> >> >> >> > Here's what I'm trying to test:
> >> >> >> > <rule id="3307" level="6">
> >> >> >> >   <if_sid>3300</if_sid>
> >> >> >> >   <match>RBL lookup error:</match>
> >> >> >> >   <description>Host or domain name not found. Name service error</description>
> >> >> >> >   <group>spam,</group>
> >> >> >> > </rule>
> >> >> >> >
> >> >> >> > along with the log entry that I'm trying to test:
> >> >> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >> >> >
> >> >> >>
> >> >> >> This log message, by itself, does not decode to a postfix log message:
> >> >> >> ossec-testrule: Type one log per line.
> >> >> >>
> >> >> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >> >>
> >> >> >>
> >> >> >> **Phase 1: Completed pre-decoding.
> >> >> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >>        hostname: 'ix'
> >> >> >>        program_name: '(null)'
> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >>
> >> >> >> **Phase 2: Completed decoding.
> >> >> >>        No decoder matched.
> >> >> >>
> >> >> >> Adding a random postfix + syslog header onto it helps:
> >> >> >> ossec-testrule: Type one log per line.
> >> >> >>
> >> >> >>
> >> >> >> **Phase 1: Completed pre-decoding.
> >> >> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >>        hostname: 'ix'
> >> >> >>        program_name: 'postfix/smtpd'
> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >>
> >> >> >> **Phase 2: Completed decoding.
> >> >> >>        decoder: 'postfix'
> >> >> >>
> >> >> >> **Phase 3: Completed filtering (rules).
> >> >> >>        Rule id: '3320'
> >> >> >>        Level: '0'
> >> >> >>        Description: 'Grouping of the postfix rules.'
> >> >> >>
> >> >> >>
> >> >> >> But I'm not sure if your log sample is missing some bits or what.
> >> >> >>
> >> >> >> > The rule is not firing; instead ossec-logtest is marking it as a "Level 2" alert "Unknown problem somewhere in the system."
> >> >> >> >
> >> >> >> > What am I doing wrong here?
> >> >> >> >

-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
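The thread above walks through the three ossec-logtest phases by trial and error: a log line pasted without its syslog header gets no program_name, an unanchored `<program_name>smtpd</program_name>` in the OpenBSD decoder set also matches `postfix/smtpd`, and rule 3307 can never fire because its parent 3300 is bound to the `postfix-reject` decoder. The following is an added example, not OSSEC source and not code from anyone in the thread: a deliberately simplified Python model of those three phases that reproduces the outputs quoted above. It assumes substring (or `^`-anchored prefix) matching for `<program_name>`/`<match>`, first-matching-decoder-wins in load order, decoder-bound rules tried before generic ones, and a subset of OSSEC's `$BAD_WORDS` for rule 1002; OSSEC's real regex dialect, decoder parent/child tree and rule ordering are richer than this.

```python
"""Toy model of the three ossec-logtest phases discussed in this thread.
Added example, NOT OSSEC source: it only reproduces the behaviour visible in
the quoted logtest output (header -> program_name, first matching decoder
wins, <program_name> matches as a substring unless anchored with '^', and
<if_sid> children fire only when their parent fired)."""
import re
from dataclasses import dataclass
from typing import Optional

# Header shapes seen in the thread: "Mar 27 13:00:01 host prog[pid]: msg" and
# "2016-03-23T01:09:28.962188+01:00 host prog[pid]: msg".
_HEADER = re.compile(
    r"^(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
    r"|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d))"
    r" (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Sample input taken from the thread (constructed test data, not live logs).
RBL_MSG = ("warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain "
           "name not found. Name service error for name=199.249.24.179.list.dsbl.org "
           "type=A: Host not found, try again")
BARE_LINE = RBL_MSG                                        # what was first pasted into logtest
FULL_LINE = "2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: " + RBL_MSG  # from the maillog


def pre_decode(line: str, local_host: str = "tron") -> dict:
    """Phase 1. Without a syslog header there is no program_name (logtest prints
    '(null)') and the whole line becomes the message."""
    m = _HEADER.match(line)
    if m is None:
        return {"hostname": local_host, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["msg"]}


def os_match(pattern: str, text: str) -> bool:
    """Simplified <program_name>/<match> semantics: plain substring, or prefix
    when the pattern starts with '^'. This is why 'smtpd' matches
    'postfix/smtpd' but '^smtpd' does not (assumption: OSSEC regex classes
    such as \\S+ are not modelled here)."""
    return text.startswith(pattern[1:]) if pattern.startswith("^") else pattern in text


@dataclass
class Decoder:
    name: str
    program_name: Optional[str] = None
    prematch: Optional[str] = None


def decode(event: dict, decoders: list) -> Optional[str]:
    """Phase 2: decoders are tried in load order; the first one whose
    conditions all hold names the event."""
    for d in decoders:
        if d.program_name is not None:
            if event["program_name"] is None or not os_match(d.program_name, event["program_name"]):
                continue
        if d.prematch is not None and not os_match(d.prematch, event["log"]):
            continue
        return d.name
    return None


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None
    if_sid: Optional[int] = None
    match: Optional[str] = None          # '|'-separated alternatives, like $BAD_WORDS


def _matches(rule: Rule, event: dict) -> bool:
    return rule.match is None or any(os_match(w, event["log"]) for w in rule.match.split("|"))


def _descend(rule: Rule, event: dict, rules: list) -> Rule:
    # After a rule fires, try its <if_sid> children; report the deepest match.
    for child in (r for r in rules if r.if_sid == rule.id):
        if _matches(child, event):
            return _descend(child, event, rules)
    return rule


def evaluate(event: dict, decoder: Optional[str], rules: list) -> Optional[Rule]:
    """Phase 3. Rules bound to the event's decoder are tried before generic
    ones (assumption made to reproduce the thread: the level-0 grouping rule
    3320 wins over rule 1002 once the postfix decoder matched)."""
    bound = [r for r in rules if r.if_sid is None and r.decoded_as is not None and r.decoded_as == decoder]
    generic = [r for r in rules if r.if_sid is None and r.decoded_as is None]
    for rule in bound + generic:
        if _matches(rule, event):
            return _descend(rule, event, rules)
    return None


UNANCHORED_SMTPD = Decoder("smtpd", program_name="smtpd")    # as quoted from openbsd_decoders.xml
ANCHORED_SMTPD = Decoder("smtpd", program_name="^smtpd")     # the fix suggested in the thread
POSTFIX = Decoder("postfix", program_name="^postfix")

RULES = [
    # Subset of OSSEC's $BAD_WORDS; enough to show why rule 1002 fires on "error".
    Rule(1002, 2, "Unknown problem somewhere in the system.", match="error|failed|failure|denied|refused"),
    Rule(3320, 0, "Grouping of the postfix rules.", decoded_as="postfix"),
    Rule(3300, 0, "Grouping of the postfix reject rules.", decoded_as="postfix-reject"),
    Rule(3307, 6, "Host or domain name not found. Name service error", if_sid=3300, match="RBL lookup error:"),
]


def run(line: str, decoders: list, rules: list = RULES) -> tuple:
    """Run all three phases; returns (program_name, decoder, rule id, level)."""
    event = pre_decode(line)
    dec = decode(event, decoders)
    rule = evaluate(event, dec, rules)
    return event["program_name"], dec, (rule.id if rule else None), (rule.level if rule else None)


if __name__ == "__main__":
    print("bare line, no header     ", run(BARE_LINE, [UNANCHORED_SMTPD, POSTFIX]))
    print("unanchored smtpd loaded  ", run(FULL_LINE, [UNANCHORED_SMTPD, POSTFIX]))
    print("anchored ^smtpd loaded   ", run(FULL_LINE, [ANCHORED_SMTPD, POSTFIX]))
```

Running it reproduces the three states the thread went through: the bare line has program_name `None` and falls through to rule 1002 (level 2); the full maillog line decodes as `smtpd` when the unanchored OpenBSD decoder is loaded first and again lands on 1002; with `^smtpd` it decodes as `postfix` and stops at grouping rule 3320 (level 0), while 3307 stays silent because its parent 3300 demands `postfix-reject`. The practical check this models is worth keeping: always feed ossec-logtest the line exactly as syslog wrote it, header included, and anchor `<program_name>` patterns so a generic daemon name cannot hijack another product's events.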
