Hi,

you are right, the problem should be with your rule. Do you have 
local_rules.xml included in ossec.conf? What OSSEC version are you 
running?

In my version it is working (Wazuh <https://github.com/wazuh>):

2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.

**Phase 1: Completed pre-decoding.
       full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 
SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 
10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 
6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
An+error+occurred+during+the+authentication+process.'


**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '10.18.100.24'
       dstuser: '-'
       action: 'PASS'
       id: '530'


**Phase 3: Completed filtering (rules).
       Rule id: '100005'
       Level: '5'
       Description: 'FTP Authentication failed.'
**Alert to be generated.

On Tuesday, May 24, 2016 at 5:39:55 PM UTC+2, Jacob Mcgrath wrote:
>
> I can run 8-10 failed logins and do get email alerts for them so I believe 
> the decoder is working but the rules are not being applied and the 
> fallback is rule:1002 for some reason????
>
> OSSEC HIDS Notification.
>
> 2016 May 24 15:32:13
>
>  
>
> Received From: (spmedia1) 
> 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>
> Portion of the log(s):
>
>  
>
> 2016-05-24 15:31:20 10.18.100.24 46986 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
> 12600 PASS *** 530 1326 41 101 10 16 ffbd0e67-ff45-4c49-b29f-26692a1975da - 
> An+error+occurred+during+the+authentication+process.
>
>  --END OF NOTIFICATION
>
>
>
> On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>>
>> Here is what I have so far...
>>
>> *Agent config*
>>
>>
>>
>> <localfile>
>>     <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>>     <log_format>iis</log_format>
>> </localfile>
>>
>> *Server local_decoder.xml*
>>
>> <decoder name="msftp8"> 
>>   <parent>windows-date-format</parent> 
>>   <use_own_name>true</use_own_name> 
>>   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch> 
>>   <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex> 
>>   <regex>\d+ (\S+) \S+ (\d+) </regex> 
>>   <order>srcip,user,action,id</order> 
>> </decoder> 
>>
>> *Server local_rules.xml*
>>
>> <group name="msftp8,syslog,"> 
>>   <rule id="100004" level="0"> 
>>     <decoded_as>msftp8</decoded_as> 
>>     <description>Grouping for the Microsoft ftp 8 rules.</description> 
>>   </rule> 
>>
>>   <rule id="100005" level="5"> 
>>     <if_sid>100004</if_sid> 
>>     <action>PASS</action> 
>>     <id>530</id> 
>>     <description>FTP Authentication failed.</description> 
>>     <group>authentication_failed,</group> 
>>   </rule> 
>>
>>   <rule id="100006" level="10" frequency="6" timeframe="120"> 
>>     <if_matched_sid>100005</if_matched_sid> 
>>     <description>FTP brute force (multiple failed logins).</description> 
>>     <group>authentication_failures,</group> 
>>   </rule>
>>
>> </group> 
>>
>>
>>
>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>
>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 
>> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - 
>> An+error+occurred+during+the+authentication+process.
>>
>>
>> The plan is to check the IIS 8 FTP server log looking for brute force 
>> attempts and in addition drop the IP that is offending to agents.
>>
>> I have set these up and restarted both server and agent and run 10+ rapid 
>> ftp login attempts but do not see any real alerts as designed.
>>
>> Any direction would be welcomed...
>>
>>
>>
>>
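As an added illustration, not code from this thread or from OSSEC/Wazuh, the Python below mirrors what the msftp8 decoder and rules 100005/100006 quoted above do: Python-regex equivalents of the decoder's prematch and two regex elements are applied to constructed IIS FTP log lines in the format shown, and a per-source-IP sliding window approximates the frequency="6" timeframe="120" correlation (OSSEC's exact internal frequency counter is not reproduced; the sample lines and request id are constructed).

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Python equivalents of the msftp8 decoder from the thread. The parent decoder
# (windows-date-format) consumes the leading "YYYY-MM-DD HH:MM:SS "; it is captured
# here so the timeframe check can use it. The two <regex> elements run back to back,
# so they are concatenated; the captures are srcip, user, action, id as in <order>.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
PREMATCH_RE = re.compile(r"^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC")
FIELDS_RE = re.compile(r"^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+) ")

def decode(line):
    """Return the decoded fields of one IIS FTP log line, or None if it does not match."""
    m_date = DATE_RE.match(line)
    if not m_date:
        return None
    rest = line[m_date.end():]
    m = FIELDS_RE.match(rest) if PREMATCH_RE.match(rest) else None
    if not m:
        return None
    return {"timestamp": datetime.strptime(m_date.group(1), "%Y-%m-%d %H:%M:%S"),
            "srcip": m.group(1), "user": m.group(2), "action": m.group(3), "id": m.group(4)}

def evaluate(lines, frequency=6, timeframe=120):
    """Simplified reading of rules 100005/100006: each decoded 'PASS ... 530' line is one
    failure (100005); `frequency` failures from one source IP within `timeframe` seconds
    raise the brute-force alert (100006). OSSEC's own frequency counter is not reproduced."""
    windows = {}  # srcip -> deque of failure timestamps inside the timeframe
    alerts = []   # (srcip, rule id) in firing order
    for line in lines:
        ev = decode(line)
        if ev is None or ev["action"] != "PASS" or ev["id"] != "530":
            continue  # undecoded, or not a 530 failure: neither rule applies
        alerts.append((ev["srcip"], 100005))
        q = windows.setdefault(ev["srcip"], deque())
        q.append(ev["timestamp"])
        while ev["timestamp"] - q[0] > timedelta(seconds=timeframe):
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ev["srcip"], 100006))
            q.clear()  # start a fresh window once the alert has fired
    return alerts
def sample_line(ts, srcip, status):  # constructed line in the thread's W3C format, placeholder request id
    return (f"{ts} {srcip} 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** {status} 1326 41 101 "
            "16 0 00000000-0000-0000-0000-000000000000 - An+error+occurred+during+the+authentication+process.")
# Constructed input: six failures from 10.18.100.24 within seconds, then one from another IP.
SAMPLE_LINES = [sample_line(f"2016-05-23 20:03:{38 + i}", "10.18.100.24", 530) for i in range(6)]
SAMPLE_LINES.append(sample_line("2016-05-23 20:04:10", "10.18.100.25", 530))
```

Running decode() on the exact 530 line from the thread yields the same srcip, dstuser '-', action and id that the ossec-logtest output above reports.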
