Weird I run the logtest and I get this:
2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 - 10.20.199.157
12600 PASS *** 530 1326 41 101 11 0 e9bd6228-d83c-4b29-9163-e191716a1180 -
An+error+occurred+during+the+authentication+process.
**Phase 1: Completed pre-decoding.
full event: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4
SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 11 0
e9bd6228-d83c-4b29-9163-e191716a1180 -
An+error+occurred+during+the+authentication+process.'
hostname: 'alamo'
program_name: '(null)'
log: '2016-05-24 14:41:16 10.18.100.24 45491 - FTPSVC4 SPMEDIA1 -
10.20.199.157 12600 PASS *** 530 1326 41 101 11 0
e9bd6228-d83c-4b29-9163-e191716a1180 -
An+error+occurred+during+the+authentication+process.'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
srcip: '10.18.100.24'
dstuser: '-'
action: 'PASS'
id: '530'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
On Tuesday, May 24, 2016 at 7:10:10 AM UTC-5, Jesus Linares wrote:
>
> Hi Jacob,
>
> the rule 100006 will be fired when rule 100005 fires 8 times (6+2). It
> seems to work:
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4
> SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0
> 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
> An+error+occurred+during+the+authentication+process.'
> hostname: 'LinMV'
> program_name: '(null)'
> log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 -
> 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0
> 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
> An+error+occurred+during+the+authentication+process.'
>
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> srcip: '10.18.100.24'
> dstuser: '-'
> action: 'PASS'
> id: '530'
>
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100006'
> Level: '10'
> Description: 'FTP brute force (multiple failed logins).'
> **Alert to be generated.
>
> So, your rules are fine. Maybe the problem is that you are receiving a
> different log (with other format) or just you are not receiving anything.
> Configure ossec to log all events:
> <global>
> <logall>yes</logall>
>
> Then, review archives/archives.log. In case you are receiving the ftp
> logs, paste here some examples and we can help a little more.
>
>
> Regards.
>
> On Monday, May 23, 2016 at 10:51:28 PM UTC+2, Jacob Mcgrath wrote:
>>
>> Here is what I have so far...
>>
>> *Agent config*
>>
>>
>>
>> <localfile>
>> <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>> *Server local_decoder.xml*
>>
>> <decoder name="msftp8">
>> <parent>windows-date-format</parent>
>> <use_own_name>true</use_own_name>
>> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</
>> prematch>
>> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S
>> + \S+ </regex>
>> <regex>\d+ (\S+) \S+ (\d+) </regex>
>> <order>srcip,user,action,id</order>
>> </decoder>
>>
>> *Server local_rules.xml*
>>
>> <group name="msftp8,syslog,">
>> <rule id="100004" level="0">
>> <decoded_as>msftp8</decoded_as>
>> <description>Grouping for the Microsoft ftp 8 rules.</description>
>> </rule>
>>
>> <rule id="100005" level="5">
>> <if_sid>100004</if_sid>
>> <action>PASS</action>
>> <id>530</id>
>> <description>FTP Authentication failed.</description>
>> <group>authentication_failed,</group>
>> </rule>
>>
>> <rule id="100006" level="10" frequency="6" timeframe="120">
>> <if_matched_sid>100005</if_matched_sid>
>> <description>FTP brute force (multiple failed logins).</
>> description>
>> <group>authentication_failures,</group>
>> </rule>
>>
>> </group>
>>
>>
>>
>> *No My IIS 8 ftp server log looks like this for the 530 error:*
>>
>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157
>> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
>> An+error+occurred+during+the+authentication+process.
>>
>>
>> The plan is to check the IIS 8 FTP server log looking for brute force
>> attempts and in addition drop the IP that is offending to agents.
>>
>> I have set these up and restarted both server and agent and run 10+ rapid
>> ftp login attempts but do not see any real alerts as designed.
>>
>> Any direction would be welcomed...
>>
>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
