Great, I will just do that :)
Thanks for all your help!

On Monday, 28 March 2016 17:56:09 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Mar 28, 2016 at 11:53 AM, theresa mic-snare
> <[email protected]> wrote:
> > Awesome, this worked!
>
> Sweet. I'll submit a PR to change this.
>
> > I'm going to work on some more postfix rules and decoders over the next
> > few days, because I have tons of Level 2 - Rule 1002 alerts that I want
> > gone.
> >
> > Do you think they would be accepted (once they work properly) as a PR on
> > GitHub?
> >
>
> I think it would be worthwhile. To make it more likely to be accepted,
> include log samples or preferably tests in
> contrib/ossec-testing/tests/.
> You'll have to add a postfix.ini, but the file format is pretty simple.
>
> > On Monday, 28 March 2016 17:45:58 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Mon, Mar 28, 2016 at 11:42 AM, theresa mic-snare
> >> <[email protected]> wrote:
> >> > Sorry, it's this one
> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning:
> >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not
> >> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A:
> >> > Host not found, try again
> >> >
> >>
> >> Thanks. It decodes fine for me (but who knows what I've done):
> >> ossec-testrule: Type one log per line.
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '2016-03-23T01:09:28.962188+01:00 tron
> >> postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup
> >> error: Host or domain name not found. Name service error for
> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >>        hostname: 'tron'
> >>        program_name: 'postfix/smtpd'
> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> Host or domain name not found. Name service error for
> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'postfix'
> >>
> >> Try changing the OpenSMTPD decoder to this:
> >> <decoder name="smtpd">
> >>   <program_name>^smtpd</program_name>
> >> </decoder>
> >>
> >>
> >> > On Monday, 28 March 2016 17:39:32 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Mar 28, 2016 at 11:35 AM, theresa mic-snare
> >> >> <[email protected]> wrote:
> >> >> > Thanks, Dan!
> >> >> > I now almost got it fully working... your advice was really good!
> >> >> > Here's my problem: somehow the OpenBSD smtpd decoders fire instead of
> >> >> > the postfix... maybe I'd need to rearrange the order in the ossec.conf
> >> >> > to load the postfix decoders last,
> >> >> > because it also triggers this:
> >> >> >
> >> >> > <decoder name="smtpd">
> >> >> >   <program_name>smtpd</program_name>
> >> >> > </decoder>
> >> >> >
> >> >> > However, when I uncomment this, my new postfix decoder works just
> >> >> > fine. Here's my postfix decoder:
> >> >> > <decoder name="postfix-rbl">
> >> >> >   <use_own_name>true</use_own_name>
> >> >> >   <parent>postfix</parent>
> >> >> >   <prematch>^warning: </prematch>
> >> >> >   <regex offset="after_prematch">\d+.\d+\d+\d+.\w+.\w+.\w+: </regex>
> >> >> >   <order>srcip</order>
> >> >> > </decoder>
> >> >> >
> >> >>
> >> >> This doesn't work with the previous log sample you supplied; what log
> >> >> message are you currently using?
> >> >>
> >> >> > Here are my postfix rules:
> >> >> >   <rule id="3395" level="0">
> >> >> >     <decoded_as>postfix-rbl</decoded_as>
> >> >> >     <description>Grouping of the postfix RBL rules.</description>
> >> >> >   </rule>
> >> >> >
> >> >> >   <rule id="3396" level="6">
> >> >> >     <if_sid>3395</if_sid>
> >> >> >     <match> RBL lookup error: </match>
> >> >> >     <description>Host or domain name not found. Name service error</description>
> >> >> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> >> >> >   </rule>
> >> >> >
> >> >> > ossec-logtest is now able to detect it:
> >> >> > **Phase 2: Completed decoding.
> >> >> >        decoder: 'postfix'
> >> >> >
> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >        Rule id: '3396'
> >> >> >        Level: '6'
> >> >> >        Description: 'Host or domain name not found. Name service error'
> >> >> > **Alert to be generated.
> >> >> >
> >> >> > At the moment I really don't know how to prevent the clash with the
> >> >> > openbsd decoder... hmm
> >> >> >
> >> >> > On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare
> >> >> >> <[email protected]> wrote:
> >> >> >> > hmm, well I have this decoder in my ossec decoder set,
> >> >> >> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml
> >> >> >> > <decoder name="postfix-failed">
> >> >> >> >   <prematch>^warning: </prematch>
> >> >> >> >   <regex offset="after_prematch">^(\S+): hostname (\S+) verification failed</regex>
> >> >> >> >   <order>srcip</order>
> >> >> >> > </decoder>
> >> >> >> >
> >> >> >> > don't remember if I have added this myself, or if it came with the
> >> >> >> > wazuh decoders....
> >> >> >> > then this decoder is used, by ossec-logtest
> >> >> >> > but unfortunately my rule isn't triggering... hmm
> >> >> >> >
> >> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> >> > Host or domain name not found. Name service error for
> >> >> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >        hostname: 'tron'
> >> >> >> >        program_name: '(null)'
> >> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> >> >> >> > or domain name not found. Name service error for
> >> >> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >
> >> >> >> > **Phase 2: Completed decoding.
> >> >> >> >        decoder: 'postfix-failed'
> >> >> >> >
> >> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >> >        Rule id: '1002'
> >> >> >> >        Level: '2'
> >> >> >> >        Description: 'Unknown problem somewhere in the system.'
> >> >> >> > **Alert to be generated.
> >> >> >> >
> >> >> >> > I've now had a look in my maillog and found the exact log message as
> >> >> >> > postfix logged it:
> >> >> >> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning:
> >> >> >> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not
> >> >> >> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host
> >> >> >> > not found, try again
> >> >> >> >
> >> >> >> > after running this message now through ossec-logtest, I can see that
> >> >> >> > another decoder matches, namely the smtpd decoder (openbsd_decoders.xml)
> >> >> >> >
> >> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >> >        full event: '2016-03-23T01:09:28.962188+01:00 tron
> >> >> >> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> >> > Host or domain name not found. Name service error for
> >> >> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >        hostname: 'tron'
> >> >> >> >        program_name: 'postfix/smtpd'
> >> >> >> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host
> >> >> >> > or domain name not found. Name service error for
> >> >> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >
> >> >> >> > **Phase 2: Completed decoding.
> >> >> >> >        decoder: 'smtpd'
> >> >> >> >
> >> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >> >        Rule id: '1002'
> >> >> >> >        Level: '2'
> >> >> >> >        Description: 'Unknown problem somewhere in the system.'
> >> >> >> > **Alert to be generated.
> >> >> >> >
> >> >> >> > However, what am I doing wrong here? Why is this rule not triggering?
> >> >> >> >   <rule id="3307" level="6">
> >> >> >> >     <if_sid>3300</if_sid>
> >> >> >> >     <match>RBL lookup error:</match>
> >> >> >> >     <description>Host or domain name not found. Name service error</description>
> >> >> >> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
> >> >> >> >   </rule>
> >> >> >> >
> >> >> >> > Am I missing something here?
> >> >> >> >
> >> >> >>
> >> >> >> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed:
> >> >> >>   <rule id="3300" level="0">
> >> >> >>     <decoded_as>postfix-reject</decoded_as>
> >> >> >>     <description>Grouping of the postfix reject rules.</description>
> >> >> >>   </rule>
> >> >> >>
> >> >> >>
> >> >> >> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare
> >> >> >> >> <[email protected]> wrote:
> >> >> >> >> > Hi,
> >> >> >> >> >
> >> >> >> >> > I'm trying to write my first rules, by extending the existing
> >> >> >> >> > postfix rules.
> >> >> >> >> >
> >> >> >> >> > here's what I'm trying to test:
> >> >> >> >> > <rule id="3307" level="6">
> >> >> >> >> >   <if_sid>3300</if_sid>
> >> >> >> >> >   <match>RBL lookup error:</match>
> >> >> >> >> >   <description>Host or domain name not found. Name service error</description>
> >> >> >> >> >   <group>spam,</group>
> >> >> >> >> > </rule>
> >> >> >> >> >
> >> >> >> >> > along with the log entry that I'm trying to test:
> >> >> >> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or
> >> >> >> >> > domain name not found. Name service error for
> >> >> >> >> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> This log message, by itself, does not decode to a postfix log message:
> >> >> >> >> ossec-testrule: Type one log per line.
> >> >> >> >>
> >> >> >> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or
> >> >> >> >> domain name not found. Name service error for
> >> >> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> **Phase 1: Completed pre-decoding.
> >> >> >> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup
> >> >> >> >> error: Host or domain name not found. Name service error for
> >> >> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >>        hostname: 'ix'
> >> >> >> >>        program_name: '(null)'
> >> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> >> >> Host or domain name not found. Name service error for
> >> >> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >>
> >> >> >> >> **Phase 2: Completed decoding.
> >> >> >> >>        No decoder matched.
> >> >> >> >>
> >> >> >> >> Adding a random postfix + syslog header onto it helps:
> >> >> >> >> ossec-testrule: Type one log per line.
> >> >> >> >>
> >> >> >> >> **Phase 1: Completed pre-decoding.
> >> >> >> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning:
> >> >> >> >> 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name
> >> >> >> >> not found. Name service error for name=199.249.24.179.list.dsbl.org
> >> >> >> >> type=A: Host not found, try again'
> >> >> >> >>        hostname: 'ix'
> >> >> >> >>        program_name: 'postfix/smtpd'
> >> >> >> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error:
> >> >> >> >> Host or domain name not found. Name service error for
> >> >> >> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again'
> >> >> >> >>
> >> >> >> >> **Phase 2: Completed decoding.
> >> >> >> >>        decoder: 'postfix'
> >> >> >> >>
> >> >> >> >> **Phase 3: Completed filtering (rules).
> >> >> >> >>        Rule id: '3320'
> >> >> >> >>        Level: '0'
> >> >> >> >>        Description: 'Grouping of the postfix rules.'
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> But I'm not sure if your log sample is missing some bits or what.
> >> >> >> >>
> >> >> >> >> > the rule is not firing, instead ossec-logtest is marking it as a
> >> >> >> >> > "Level 2" alert "Unknown problem somewhere in the system."
> >> >> >> >> >
> >> >> >> >> > what am I doing wrong here?
> >> >> >> >> >
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
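The two problems worked through in this thread, an unanchored smtpd decoder swallowing postfix/smtpd events and rule 3307 never firing because its parent 3300 demands decoded_as postfix-reject, can be reproduced outside OSSEC. The following is an added example, not OSSEC's code and not anything posted by the participants: a small Python model of ossec-logtest's three phases run over the author's RBL warning, with and without its syslog header. Assumptions: Python's re stands in for the OSSEC regex dialect (only the ^ anchoring matters for these patterns), the postfix-rbl extraction regex and the Decoder/Rule classes are the example's own, rule 1002's $BAD_WORDS match is reduced to the word "error", and the highest-level rule that fires is reported as the alert, which is a simplification of how the real engine walks its rule tree.

```python
import re
from dataclasses import dataclass

# Syslog header: BSD ("Mar 27 13:00:01") or RFC 3339 timestamp, host, program[pid]:
HEADER_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)

@dataclass
class Decoder:                # example's own model of an OSSEC <decoder>
    name: str
    program_name: str = None  # pattern tested against the pre-decoded program_name
    parent: str = None
    prematch: str = None
    regex: str = None         # applied after the prematch (offset="after_prematch")
    order: tuple = ()

@dataclass
class Rule:                   # example's own model of an OSSEC <rule>
    id: int
    level: int
    decoded_as: str = None
    if_sid: int = None
    match: str = None

def predecode(line):
    """Phase 1: split off the syslog header; a bare message gets no program_name."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else {"hostname": None, "program_name": None, "log": line}

def _select(d, log):
    """Select a decoder by its prematch; the regex only extracts fields, so a failed
    regex leaves the decoder selected (the thread shows postfix-failed chosen although
    its regex cannot match the RBL line). Returns None when not selected."""
    if d.prematch:
        pm = re.search(d.prematch, log)
        if not pm:
            return None
        log = log[pm.end():]
    rm = re.search(d.regex, log) if d.regex else None
    return dict(zip(d.order, rm.groups())) if rm else {}

def decode(event, decoders):
    """Phase 2: the first top-level decoder that matches wins, in file order.
    program_name patterns are substring searches unless anchored with ^, which is
    why 'smtpd' claims 'postfix/smtpd'. Children of the winner are tried next.
    Returns ([decoder names], extracted fields)."""
    for d in (d for d in decoders if d.parent is None):
        if d.program_name is not None:
            if not (event["program_name"] and re.search(d.program_name, event["program_name"])):
                continue
            fields = {}
        else:
            fields = _select(d, event["log"])
            if fields is None:
                continue
        for child in (c for c in decoders if c.parent == d.name):
            cf = _select(child, event["log"])
            if cf is not None:
                return [d.name, child.name], cf
        return [d.name], fields
    return [], {}

def evaluate(line, decoders, rules):
    """Phase 3: a rule fires when its decoded_as, if_sid parent and match all hold.
    Simplification: the highest-level rule that fired is reported as the alert."""
    event = predecode(line)
    names, fields = decode(event, decoders)
    fired = []
    for r in rules:
        if r.decoded_as and r.decoded_as not in names:
            continue
        if r.if_sid is not None and r.if_sid not in [f.id for f in fired]:
            continue
        if r.match and r.match not in event["log"]:
            continue
        fired.append(r)
    best = max(fired, key=lambda r: r.level) if fired else None
    return {"decoders": names, "fields": fields,
            "rule": best.id if best else None, "level": best.level if best else None}

# Constructed inputs: the author's RBL warning, with and without its syslog header.
RBL_LOG = ("warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name "
           "not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: "
           "Host not found, try again")
WITH_HEADER = "2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: " + RBL_LOG

def decoders(anchored):
    """OpenBSD smtpd decoder loaded before postfix, as on the author's host."""
    return [
        Decoder("smtpd", program_name="^smtpd" if anchored else "smtpd"),
        Decoder("postfix", program_name="^postfix"),
        # Child decoder; this regex is the example's own, not the one in the thread.
        Decoder("postfix-rbl", parent="postfix", prematch="^warning: ",
                regex=r"^(\S+): RBL lookup error: ", order=("srcip",)),
        # Top-level decoder without program_name, like the author's postfix-failed.
        Decoder("postfix-failed", prematch="^warning: ",
                regex=r"^(\S+): hostname (\S+) verification failed", order=("srcip",)),
    ]

# 1002's $BAD_WORDS reduced to "error"; the postfix ids are the ones quoted in the thread.
RULES = [
    Rule(1002, 2, match="error"),
    Rule(3320, 0, decoded_as="postfix"),
    Rule(3300, 0, decoded_as="postfix-reject"),
    Rule(3307, 6, if_sid=3300, match="RBL lookup error:"),
    Rule(3395, 0, decoded_as="postfix-rbl"),
    Rule(3396, 6, if_sid=3395, match=" RBL lookup error: "),
]
```

evaluate(WITH_HEADER, decoders(anchored=False), RULES) reports decoder smtpd and rule 1002, the Level 2 noise the author was seeing; with anchored=True the same line reaches postfix-rbl and rule 3396 fires at level 6. The bare line with no header is claimed by postfix-failed and still falls through to 1002, because 3307's parent 3300 insists on decoded_as postfix-reject. Both failure modes are invisible unless the test input carries the full syslog header, which is the case for the tests dan suggests adding under contrib/ossec-testing/tests/.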
