On Mon, Mar 28, 2016 at 11:53 AM, theresa mic-snare <[email protected]> wrote:
> Awesome, this worked!
Sweet. I'll submit a PR to change this.

> I'm going to work on some more postfix rules and decoders over the next few
> days, because I have tons of Level 2 - Rule 1002 alerts that I want gone.
>
> do you think they would be accepted (once they work properly) as a PR on
> github?
>

I think it would be worthwhile. To make it more likely to be accepted, include
log samples or preferably tests in contrib/ossec-testing/tests/. You'll have
to add a postfix.ini, but the file format is pretty simple.

> On Monday, 28 March 2016 17:45:58 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare
>> <[email protected]> wrote:
>> > Sorry, it's this one
>> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
>> >
>>
>> Thanks. It decodes fine for me (but who knows what I've done):
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>>        hostname: 'tron'
>>        program_name: 'postfix/smtpd'
>>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'postfix'
>>
>> Try changing the OpenSMTPd decoder to this:
>> <decoder name="smtpd">
>>   <program_name>^smtpd</program_name>
>> </decoder>
>>
>>
>> > On Monday, 28 March 2016 17:39:32 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare
>> >> <[email protected]> wrote:
>> >> > Thanks, Dan!
>> >> > I've now almost got it fully working.... your advice was really good!
>> >> > Here's my problem: somehow the OpenBSD smtpd decoders fire instead of
>> >> > the postfix ones.... maybe I'd need to rearrange the order in the
>> >> > ossec.conf to load the postfix decoders last.
>> >> > because it also triggers this
>> >> >
>> >> > <decoder name="smtpd">
>> >> >   <program_name>smtpd</program_name>
>> >> > </decoder>
>> >> >
>> >> > However, when I uncomment this, my new postfix decoder works just fine.
>> >> > here's my postfix decoder:
>> >> > <decoder name="postfix-rbl">
>> >> >   <use_own_name>true</use_own_name>
>> >> >   <parent>postfix</parent>
>> >> >   <prematch>^warning: </prematch>
>> >> >   <regex offset="after_prematch">\d+.\d+\d+\d+.\w+.\w+.\w+: </regex>
>> >> >   <order>srcip</order>
>> >> > </decoder>
>> >> >
>> >>
>> >> This doesn't work with the previous log sample you supplied, what log
>> >> message are you currently using?
>> >>
>> >> > Here are my postfix rules:
>> >> > <rule id="3395" level="0">
>> >> >   <decoded_as>postfix-rbl</decoded_as>
>> >> >   <description>Grouping of the postfix RBL rules.</description>
>> >> > </rule>
>> >> >
>> >> > <rule id="3396" level="6">
>> >> >   <if_sid>3395</if_sid>
>> >> >   <match> RBL lookup error: </match>
>> >> >   <description>Host or domain name not found. Name service error</description>
>> >> >   <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
>> >> > </rule>
>> >> >
>> >> > ossec-logtest is now able to detect it:
>> >> > **Phase 2: Completed decoding.
>> >> >        decoder: 'postfix'
>> >> >
>> >> > **Phase 3: Completed filtering (rules).
>> >> >        Rule id: '3396'
>> >> >        Level: '6'
>> >> >        Description: 'Host or domain name not found. Name service error'
>> >> > **Alert to be generated.
>> >> >
>> >> > At the moment I really don't know how to prevent the clash with the
>> >> > openbsd decoder...hmm
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare
>> >> >> <[email protected]> wrote:
>> >> >> > hmm, well I have this decoder in my ossec decoder set,
>> >> >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml
>> >> >> > <decoder name="postfix-failed">
>> >> >> >   <prematch>^warning: </prematch>
>> >> >> >   <regex offset="after_prematch">^(\S+): hostname (\s+) verification failed</regex>
>> >> >> >   <order>srcip</order>
>> >> >> > </decoder>
>> >> >> >
>> >> >> > don't remember if I have added this myself, or if it came with the
>> >> >> > wazuh decoders....
>> >> >> > then this decoder is used, by ossec-logtest
>> >> >> > but unfortunately my rule isn't triggering...hmm
>> >> >> >
>> >> >> > **Phase 1: Completed pre-decoding.
>> >> >> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >        hostname: 'tron'
>> >> >> >        program_name: '(null)'
>> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >
>> >> >> > **Phase 2: Completed decoding.
>> >> >> >        decoder: 'postfix-failed'
>> >> >> >
>> >> >> > **Phase 3: Completed filtering (rules).
>> >> >> >        Rule id: '1002'
>> >> >> >        Level: '2'
>> >> >> >        Description: 'Unknown problem somewhere in the system.'
>> >> >> > **Alert to be generated.
>> >> >> >
>> >> >> > I've now had a look in my maillog and found the exact log message as
>> >> >> > postfix logged it:
>> >> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
>> >> >> >
>> >> >> > after running this message now through ossec-logtest, I can see that
>> >> >> > another decoder matches, namely the smtpd decoder (openbsd_decoders.xml)
>> >> >> >
>> >> >> > **Phase 1: Completed pre-decoding.
>> >> >> >        full event: '2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >        hostname: 'tron'
>> >> >> >        program_name: 'postfix/smtpd'
>> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >
>> >> >> > **Phase 2: Completed decoding.
>> >> >> >        decoder: 'smtpd'
>> >> >> >
>> >> >> > **Phase 3: Completed filtering (rules).
>> >> >> >        Rule id: '1002'
>> >> >> >        Level: '2'
>> >> >> >        Description: 'Unknown problem somewhere in the system.'
>> >> >> > **Alert to be generated.
>> >> >> >
>> >> >> > However, what am I doing wrong here? Why is this rule not triggering?
>> >> >> > <rule id="3307" level="6">
>> >> >> >   <if_sid>3300</if_sid>
>> >> >> >   <match>RBL lookup error:</match>
>> >> >> >   <description>Host or domain name not found. Name service error</description>
>> >> >> >   <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
>> >> >> > </rule>
>> >> >> >
>> >> >> > Am I missing something here?
>> >> >> >
>> >> >>
>> >> >> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed:
>> >> >> <rule id="3300" level="0">
>> >> >>   <decoded_as>postfix-reject</decoded_as>
>> >> >>   <description>Grouping of the postfix reject rules.</description>
>> >> >> </rule>
>> >> >>
>> >> >>
>> >> >> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare
>> >> >> >> <[email protected]> wrote:
>> >> >> >> > Hi,
>> >> >> >> >
>> >> >> >> > I'm trying to write my first rules, by extending the existing
>> >> >> >> > postfix rules.
>> >> >> >> >
>> >> >> >> > here's what I'm trying to test:
>> >> >> >> > <rule id="3307" level="6">
>> >> >> >> >   <if_sid>3300</if_sid>
>> >> >> >> >   <match>RBL lookup error:</match>
>> >> >> >> >   <description>Host or domain name not found. Name service error</description>
>> >> >> >> >   <group>spam,</group>
>> >> >> >> > </rule>
>> >> >> >> >
>> >> >> >> > along with the log entry that I'm trying to test
>> >> >> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
>> >> >> >> >
>> >> >> >>
>> >> >> >> This log message, by itself, does not decode to a postfix log message:
>> >> >> >> ossec-testrule: Type one log per line.
>> >> >> >>
>> >> >> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
>> >> >> >>
>> >> >> >>
>> >> >> >> **Phase 1: Completed pre-decoding.
>> >> >> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >>        hostname: 'ix'
>> >> >> >>        program_name: '(null)'
>> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >>
>> >> >> >> **Phase 2: Completed decoding.
>> >> >> >>        No decoder matched.
>> >> >> >>
>> >> >> >> Adding a random postfix + syslog header onto it helps:
>> >> >> >> ossec-testrule: Type one log per line.
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> **Phase 1: Completed pre-decoding.
>> >> >> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >>        hostname: 'ix'
>> >> >> >>        program_name: 'postfix/smtpd'
>> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
>> >> >> >>
>> >> >> >> **Phase 2: Completed decoding.
>> >> >> >>        decoder: 'postfix'
>> >> >> >>
>> >> >> >> **Phase 3: Completed filtering (rules).
>> >> >> >>        Rule id: '3320'
>> >> >> >>        Level: '0'
>> >> >> >>        Description: 'Grouping of the postfix rules.'
>> >> >> >>
>> >> >> >>
>> >> >> >> But I'm not sure if your log sample is missing some bits or what.
>> >> >> >>
>> >> >> >> > the rule is not firing, instead ossec-logtest is marking it as a
>> >> >> >> > "Level 2" alert "Unknown problem somewhere in the system."
>> >> >> >> >
>> >> >> >> > what am I doing wrong here?
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> >
>> >> >> >> > ---
>> >> >> >> > You received this message because you are subscribed to the Google
>> >> >> >> > Groups "ossec-list" group.
>> >> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> >> > send an email to [email protected].
>> >> >> >> > For more options, visit https://groups.google.com/d/optout.
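The decoder clash worked through in this thread, as an added example that is not part of the thread and not OSSEC's own code: a small Python simulation of logtest's first two phases, run over the log lines quoted above, showing an unanchored <program_name>smtpd</program_name> claiming the postfix/smtpd event and the anchored ^smtpd version leaving it to the postfix decoder and its child. Assumptions: parent decoders are tried in file order with the first match winning; program_name behaves as a substring match unless anchored with ^ (that is what the logtest results above indicate, and why Dan's one-character change works); only the OSSEC regex escapes used here are translated; the postfix-rbl child decoder is a constructed one that stores the RBL host under extra_data instead of the thread's srcip (it is a hostname, not an address); the rule phase (3395/3396 and the 1002 fallback) is not modelled.

```python
"""Added example (not OSSEC code): simulate OSSEC decoder selection to show why an
unanchored <program_name>smtpd</program_name> claims postfix/smtpd events and '^smtpd'
does not. Assumed: parents are tried in file order, first match wins, substring match."""
import re
import xml.etree.ElementTree as ET

# Constructed samples from the thread: maillog line, Dan's syslog-headed line, bare message.
RBL_MSG = ("warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain "
           "name not found. Name service error for name=199.249.24.179.list.dsbl.org "
           "type=A: Host not found, try again")
SAMPLE_LOG = "2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: " + RBL_MSG
BSD_LOG = "Mar 27 13:00:01 ix postfix/smtpd[2222]: " + RBL_MSG

# Decoders in the load order the thread describes (OpenBSD smtpd before postfix), plus a
# constructed postfix-rbl child that stores the RBL host in extra_data rather than srcip.
DECODERS_BROKEN = r"""<root>
<decoder name="smtpd"><program_name>smtpd</program_name></decoder>
<decoder name="postfix"><program_name>^postfix</program_name></decoder>
<decoder name="postfix-rbl">
  <parent>postfix</parent>
  <use_own_name>true</use_own_name>
  <prematch>^warning: </prematch>
  <regex offset="after_prematch">^(\S+): RBL lookup error: </regex>
  <order>extra_data</order>
</decoder>
</root>"""
# Dan's fix: anchor the OpenBSD decoder so "postfix/smtpd" no longer matches it.
DECODERS_FIXED = DECODERS_BROKEN.replace("<program_name>smtpd<", "<program_name>^smtpd<")

# Phase 1 pre-decoding: "<timestamp> <host> <prog>[<pid>]: <msg>" (BSD or ISO timestamp).
SYSLOG_RE = re.compile(r"^(?P<ts>\S+(?: +\d+ \d\d:\d\d:\d\d)?) (?P<host>\S+) "
                       r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
_CLASSES = {"d": r"\d", "w": r"\w", "s": r"\s", "S": r"\S", ".": "."}   # OSSEC escapes used here

def os_regex(pattern):
    """Translate the subset of OSSEC <prematch>/<regex> syntax used here to a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "^$+*()|" else re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def os_match(pattern, text):
    """<program_name> matching as assumed here: '|' alternatives, '^' anchors, else substring."""
    return any(text.startswith(alt[1:]) if alt.startswith("^") else alt in text
               for alt in pattern.split("|"))   # unanchored "smtpd" is found inside "postfix/smtpd"

def predecode(line):
    """Split the syslog header off; a bare message has no program_name ('(null)' in logtest)."""
    m = SYSLOG_RE.match(line)
    return ({"hostname": m["host"], "program_name": m["prog"], "log": m["log"]} if m
            else {"hostname": None, "program_name": None, "log": line})

def load_decoders(xml_text):
    """Read <decoder> elements in file order; that order decides who wins a clash."""
    decs = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        rx = d.find("regex")
        decs.append({"name": d.get("name"), "parent": d.findtext("parent"),
                     "program_name": d.findtext("program_name"), "prematch": d.findtext("prematch"),
                     "use_own_name": d.findtext("use_own_name") == "true",
                     "regex": rx.text if rx is not None else None,
                     "offset": rx.get("offset") if rx is not None else None,
                     "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f]})
    return decs

def decode(line, decoders):
    """Phase 2: first parent whose program_name matches wins, then its children are tried."""
    ev = predecode(line)
    ev["decoder"] = ev["decoded_as"] = None
    winner = next((d for d in decoders if not d["parent"] and ev["program_name"]
                   and d["program_name"] and os_match(d["program_name"], ev["program_name"])), None)
    if winner is None:
        return ev
    ev["decoder"] = ev["decoded_as"] = winner["name"]
    for child in (d for d in decoders if d["parent"] == winner["name"]):
        text = ev["log"]
        if child["prematch"]:
            pm = os_regex(child["prematch"]).search(text)
            if pm is None:
                continue
            if child["offset"] == "after_prematch":
                text = text[pm.end():]
        if child["regex"]:
            m = os_regex(child["regex"]).search(text)
            if m is None:
                continue
            ev.update(zip(child["order"], m.groups()))
        if child["use_own_name"]:      # the name a rule's <decoded_as> is checked against
            ev["decoded_as"] = child["name"]
        break
    return ev

def decoded_as(line, xml_text):
    return decode(line, load_decoders(xml_text))["decoded_as"]

if __name__ == "__main__":
    for xml_text in (DECODERS_BROKEN, DECODERS_FIXED):
        print([decoded_as(line, xml_text) for line in (SAMPLE_LOG, BSD_LOG, RBL_MSG)])
```

Run directly it prints, for the broken and then the fixed decoder set, which decoder name each of the three samples ends up with: the bare message decodes to nothing in both cases (Dan's "No decoder matched."), and the two syslog-headed lines go to smtpd with the unanchored decoder and to postfix-rbl once it is anchored. The same pairing of sample line and expected decoder and rule is what a contrib/ossec-testing/tests/postfix.ini entry holds; copy the key layout from an existing .ini in that directory rather than from memory. The simulation only settles the ordering question for this one decoder; any other unanchored program_name in the same decoder file can hijack events the same way and wants the same check.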
