That regex looks IPv4 specific.  Can you make it allow IPv6 addresses?

Sent from my iPad

> On Mar 28, 2016, at 05:35, theresa mic-snare <[email protected]> wrote:
> 
> Thanks, Dan!
> I now almost got it fully working.... your advice was really good!
> Here's my problem, somehow the OpenBSD smtpd decoders fire instead of the 
> postfix....maybe I'd need to rearrange the order in the ossec.conf to load 
> the postfix decoders last.
> because it also triggers this
> 
> <decoder name="smtpd">
>   <program_name>smtpd</program_name>
> </decoder>
> 
> However, when I uncomment this, my new postfix decoder works just fine
> here's my postfix decoder:
> <decoder name="postfix-rbl">
>   <use_own_name>true</use_own_name>
>   <parent>postfix</parent>
>   <prematch>^warning: </prematch>
>   <!-- the capture group is what <order>srcip</order> is filled from; the RBL query
>        name carries the client's octets in reverse order -->
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+).\w+.\w+.\w+: </regex>
>   <order>srcip</order>
> </decoder>
> 
> Here are my postfix rules:
>   <rule id="3395" level="0">
>     <decoded_as>postfix-rbl</decoded_as>
>     <description>Grouping of the postfix RBL rules.</description>
>   </rule>
> 
>   <rule id="3396" level="6">
>     <if_sid>3395</if_sid>
>     <match> RBL lookup error: </match>
>     <description>Host or domain name not found. Name service 
> error</description>
>     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group>
>   </rule>
> 
> ossec-logtest is now able to detect it:
> **Phase 2: Completed decoding.
>        decoder: 'postfix'
> 
> **Phase 3: Completed filtering (rules).
>        Rule id: '3396'
>        Level: '6'
>        Description: 'Host or domain name not found. Name service error'
> **Alert to be generated.
> 
> At the moment I really don't know how to prevent the clash with the openbsd 
> decoder...hmm
> 
> 
> 
> 
> 
> On Monday, 28 March 2016 16:22:57 UTC+2, dan (ddpbsd) wrote:
>> 
>> On Mon, Mar 28, 2016 at 10:00 AM, theresa mic-snare 
>> <[email protected]> wrote: 
>> > hmm, well I have this decoder in my ossec decoder set, 
>> > /var/ossec/etc/ossec_decoders/postfix_decoders.xml 
>> > <decoder name="postfix-failed"> 
>> >   <prematch>^warning: </prematch> 
>> >   <regex offset="after_prematch">^(\S+): hostname (\s+) verification 
>> > failed</regex> 
>> >   <order>srcip</order> 
>> > </decoder> 
>> > 
>> > don't remember if I have added this myself, or if it came with the wazuh 
>> > decoders.... 
>> > then this decoder is used, by ossec-logtest 
>> > but unfortunately my rule isn't triggering...hmm 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup 
>> > error: 
>> > Host or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >        hostname: 'tron' 
>> >        program_name: '(null)' 
>> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host 
>> > or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >        decoder: 'postfix-failed' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >        Rule id: '1002' 
>> >        Level: '2' 
>> >        Description: 'Unknown problem somewhere in the system.' 
>> > **Alert to be generated. 
>> > 
>> > I've now had a look in my maillog and found the exact log message as 
>> > postfix 
>> > logged it: 
>> > 2016-03-23T01:09:28.962188+01:00 tron postfix/smtpd[472]: warning: 
>> > 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not 
>> > found. Name service error for name=199.249.24.179.list.dsbl.org type=A: 
>> > Host 
>> > not found, try again 
>> > 
>> > after running this message now through ossec-logtest, I can see that 
>> > another 
>> > decoder matches, namely the smtpd decoder (openbsd_decoders.xml) 
>> > 
>> > **Phase 1: Completed pre-decoding. 
>> >        full event: '2016-03-23T01:09:28.962188+01:00 tron 
>> > postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup 
>> > error: 
>> > Host or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >        hostname: 'tron' 
>> >        program_name: 'postfix/smtpd' 
>> >        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host 
>> > or domain name not found. Name service error for 
>> > name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> > 
>> > **Phase 2: Completed decoding. 
>> >        decoder: 'smtpd' 
>> > 
>> > **Phase 3: Completed filtering (rules). 
>> >        Rule id: '1002' 
>> >        Level: '2' 
>> >        Description: 'Unknown problem somewhere in the system.' 
>> > **Alert to be generated. 
>> > 
>> > However, what am I doing wrong here? Why is this rule not triggering? 
>> >   <rule id="3307" level="6"> 
>> >     <if_sid>3300</if_sid> 
>> >     <match>RBL lookup error:</match> 
>> >     <description>Host or domain name not found. Name service 
>> > error</description> 
>> >     <group>spam,pci_dss_10.6.1,pci_dss_11.4,</group> 
>> >   </rule> 
>> > 
>> > Am I missing something here? 
>> > 
>> 
>> Rule 3300 requires the decoder to be postfix-reject, not postfix-failed: 
>>   <rule id="3300" level="0"> 
>>     <decoded_as>postfix-reject</decoded_as> 
>>     <description>Grouping of the postfix reject rules.</description> 
>>   </rule> 
>> 
>> 
>> > On Monday, 28 March 2016 14:44:51 UTC+2, dan (ddpbsd) wrote:
>> >> 
>> >> On Fri, Mar 25, 2016 at 4:17 PM, theresa mic-snare 
>> >> <[email protected]> wrote: 
>> >> > Hi, 
>> >> > 
>> >> > I'm trying to write my first rules, by extending the existing postfix 
>> >> > rules. 
>> >> > 
>> >> > here's what I'm trying to test: 
>> >> > <rule id="3307" level="6"> 
>> >> >   <if_sid>3300</if_sid> 
>> >> >   <match>RBL lookup error:</match> 
>> >> >   <description>Host or domain name not found. Name service 
>> >> > error</description> 
>> >> >   <group>spam,</group> 
>> >> > </rule> 
>> >> > 
>> >> > along with the log entry that I'm trying to test 
>> >> > warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain 
>> >> > name 
>> >> > not found. Name service error for name=199.249.24.179.list.dsbl.org 
>> >> > type=A: 
>> >> > Host not found, try again 
>> >> > 
>> >> 
>> >> This log message, by itself, does not decode to a postfix log message: 
>> >> ossec-testrule: Type one log per line. 
>> >> 
>> >> warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or 
>> >> domain name not found. Name service error for 
>> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again 
>> >> 
>> >> 
>> >> **Phase 1: Completed pre-decoding. 
>> >>        full event: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup 
>> >> error: Host or domain name not found. Name service error for 
>> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >>        hostname: 'ix' 
>> >>        program_name: '(null)' 
>> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
>> >> Host or domain name not found. Name service error for 
>> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >> 
>> >> **Phase 2: Completed decoding. 
>> >>        No decoder matched. 
>> >> 
>> >> Adding a random postfix + syslog header onto it helps: 
>> >> ossec-testrule: Type one log per line. 
>> >> 
>> >> 
>> >> 
>> >> **Phase 1: Completed pre-decoding. 
>> >>        full event: 'Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: 
>> >> 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name 
>> >> not found. Name service error for name=199.249.24.179.list.dsbl.org 
>> >> type=A: Host not found, try again' 
>> >>        hostname: 'ix' 
>> >>        program_name: 'postfix/smtpd' 
>> >>        log: 'warning: 199.249.24.179.list.dsbl.org: RBL lookup error: 
>> >> Host or domain name not found. Name service error for 
>> >> name=199.249.24.179.list.dsbl.org type=A: Host not found, try again' 
>> >> 
>> >> **Phase 2: Completed decoding. 
>> >>        decoder: 'postfix' 
>> >> 
>> >> **Phase 3: Completed filtering (rules). 
>> >>        Rule id: '3320' 
>> >>        Level: '0' 
>> >>        Description: 'Grouping of the postfix rules.' 
>> >> 
>> >> 
>> >> But I'm not sure if your log sample is missing some bits or what. 
>> >> 
>> >> > the rule is not firing, instead ossec-logtest is marking it as a "Level 
>> >> > 2" 
>> >> > alert "Unknown problem somewhere in the system." 
>> >> > 
>> >> > what am I doing wrong here? 
>> >> > 
>> >> > -- 
>> >> > 
>> >> > --- 
>> >> > You received this message because you are subscribed to the Google 
>> >> > Groups 
>> >> > "ossec-list" group. 
>> >> > To unsubscribe from this group and stop receiving emails from it, send 
>> >> > an 
>> >> > email to [email protected]. 
>> >> > For more options, visit https://groups.google.com/d/optout. 
>> > 
> 

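Added example, not part of the thread and not OSSEC code: a small Python model of the two things the thread turns on, namely which root decoder claims a `postfix/smtpd` line (the `smtpd` decoder from openbsd_decoders.xml versus the postfix one) and how to pull the RBL-queried address out of the "RBL lookup error" warning in both its IPv4 and IPv6 forms, which is what Dan's closing question asks for. It uses Python's `re` module, so the patterns are not in OSSEC's regex dialect and cannot be pasted into a decoder as-is. The `<program_name>` pre-filter is modelled as a substring match unless the pattern is anchored with `^`/`$` (that is OSSEC's os_match behaviour, and it is why a bare `smtpd` pattern also matches `postfix/smtpd`). The decoder orderings, the IPv6 sample line (built on the 2001:db8::/32 documentation prefix) and the un-reversal of the DNSBL name back into the client address are all constructed here; only the IPv4 maillog line mirrors the one quoted above.

```python
# Added example (not OSSEC code, not from the thread): model decoder selection
# and RBL-name parsing for the Postfix "RBL lookup error" warning.
import ipaddress
import re

# Constructed sample lines.  The first mirrors the maillog line quoted in the
# thread (with Dan's syslog header); the second is made up, using the IPv6
# documentation prefix.  Postfix (like DNSBLs in general) queries the client
# address with its labels reversed: octets for IPv4, hex nibbles for IPv6.
IPV4_RBL_NAME = "199.249.24.179.list.dsbl.org"            # client 179.24.249.199
IPV6_RBL_NAME = ("1.0.0.0" + ".0.0.0.0" * 5 + ".8.b.d.0.1.0.0.2"
                 + ".list.example.org")                     # client 2001:db8::1
SAMPLE_LOGS = [
    f"Mar 27 13:00:01 ix postfix/smtpd[2222]: warning: {IPV4_RBL_NAME}: RBL lookup "
    f"error: Host or domain name not found. Name service error for "
    f"name={IPV4_RBL_NAME} type=A: Host not found, try again",
    f"Mar 27 13:00:02 ix postfix/smtpd[2222]: warning: {IPV6_RBL_NAME}: RBL lookup "
    f"error: Host or domain name not found. Name service error for "
    f"name={IPV6_RBL_NAME} type=A: Host not found, try again",
]

# Phase 1 of ossec-logtest: split the syslog header into hostname, program_name
# and the remaining log text.  A line without the header yields None, which is
# the "No decoder matched" case Dan showed for the bare warning.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s\[\]:]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(line):
    """Return (hostname, program_name, log) or None when there is no syslog header."""
    m = SYSLOG_RE.match(line)
    return None if m is None else (m.group("host"), m.group("prog"), m.group("log"))


def program_name_matches(pattern, program_name):
    """Model of OSSEC's <program_name> test (os_match, assumption documented in the
    lead-in): a pattern matches as a substring unless anchored with ^ and/or $."""
    start, end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern[1 if start else 0: len(pattern) - 1 if end else len(pattern)]
    if start and end:
        return program_name == core
    if start:
        return program_name.startswith(core)
    if end:
        return program_name.endswith(core)
    return core in program_name


def select_decoder(decoders, program_name):
    """Root decoders are tried in load order; the first one that matches wins."""
    for name, pattern in decoders:
        if program_name_matches(pattern, program_name):
            return name
    return None


# Constructed orderings: the clash from the thread, the fix by loading the
# postfix decoder first, and the fix by anchoring the OpenBSD pattern so that it
# only matches a program_name of exactly "smtpd".
OPENBSD_FIRST = [("smtpd", "smtpd"), ("postfix", "^postfix")]
POSTFIX_FIRST = [("postfix", "^postfix"), ("smtpd", "smtpd")]
ANCHORED = [("smtpd", "^smtpd$"), ("postfix", "^postfix")]

# Phase 2 for the RBL warning.  The 32-nibble IPv6 form is listed first so the
# leading four nibbles of an IPv6 name are never taken for an IPv4 name.
RBL_RE = re.compile(
    r"^warning: ((?:[0-9a-f]\.){32}|(?:\d{1,3}\.){4})[\w.-]+: RBL lookup error: ",
    re.IGNORECASE)


def rbl_client_ip(log):
    """Undo the DNSBL label reversal and return the client IP as a string, or None."""
    m = RBL_RE.match(log)
    if m is None:
        return None
    labels = m.group(1).rstrip(".").split(".")
    if len(labels) == 4:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    nibbles = "".join(reversed(labels))  # 32 hex digits, most significant first
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        host, prog, log = predecode(line)
        print(f"{prog!r}: openbsd-first -> {select_decoder(OPENBSD_FIRST, prog)}, "
              f"anchored -> {select_decoder(ANCHORED, prog)}, "
              f"client -> {rbl_client_ip(log)}")
```

Two things carry over from the model even though the syntax does not: the clash is decided by load order plus an unanchored `smtpd` pattern, so either loading the postfix decoders before the OpenBSD ones or anchoring the OpenBSD pattern removes it; and the value in the RBL name is the client address with its labels reversed, so a decoder that stores it straight into `srcip` records the reversed form, which is worth keeping in mind before feeding that field to a CDB list or active response.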