Hi Jacob,
I have no idea what is happening.
ossec.conf:
<rules>
<decoder>etc/decoder.xml</decoder>
<decoder>etc/local_decoder.xml</decoder>
local_decoder.xml:
<decoder name="msftp8">
<parent>windows-date-format</parent>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
<regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
<regex>\d+ (\S+) \S+ (\d+) </regex>
<order>srcip,user,action,id</order>
</decoder>
local_rules.xml:
<group name="msftp8,syslog,">
<rule id="100004" level="0">
<decoded_as>msftp8</decoded_as>
<description>Grouping for the Microsoft ftp 8 rules.</description>
</rule>
<rule id="100005" level="5">
<if_sid>100004</if_sid>
<action>PASS</action>
<id>530</id>
<description>FTP Authentication failed.</description>
<group>authentication_failed,</group>
</rule>
<rule id="100006" level="10" frequency="6" timeframe="120">
<if_matched_sid>100005</if_matched_sid>
<description>FTP brute force (multiple failed logins).</description>
<group>authentication_failures,</group>
</rule>
</group>
ossec-logtest:
2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
**Phase 1: Completed pre-decoding.
full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
hostname: 'v280'
program_name: '(null)'
log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
srcip: '10.18.100.24'
dstuser: '-'
action: 'PASS'
id: '530'
**Phase 3: Completed filtering (rules).
Rule id: '100005'
Level: '5'
Description: 'FTP Authentication failed.'
**Alert to be generated.
cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.8"
DATE="Wed May 25 10:13:08 CEST 2016"
TYPE="server"
I tested it with the log:
2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
but in your last post, the log looks like:
2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157
12600 PASS *** 530 1326 41 101 11 0
1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc
curred+during+the+authentication+process.
I guess the white spaces are due to a format issue when you pasted the log,
or are you receiving the log with white spaces?
Regards.
On Tuesday, May 24, 2016 at 9:05:59 PM UTC+2, Jacob Mcgrath wrote:
>
>
> As far as alert.log
>
>
> ** Alert 1464116536.2709526: mail - syslog,errors,
> 2016 May 24 19:02:16 (spmedia1)
> 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Src IP: 10.18.100.24
> User: -
> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157
> 12600 PASS *** 530 1326 41 101 11 0
> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc
> curred+during+the+authentication+process.
>
> On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>>
>> Here is what I have so far...
>>
>> *Agent config*
>>
>>
>>
>> <localfile>
>> <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>> *Server local_decoder.xml*
>>
>> <decoder name="msftp8">
>> <parent>windows-date-format</parent>
>> <use_own_name>true</use_own_name>
>> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
>> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
>> <regex>\d+ (\S+) \S+ (\d+) </regex>
>> <order>srcip,user,action,id</order>
>> </decoder>
>>
>> *Server local_rules.xml*
>>
>> <group name="msftp8,syslog,">
>> <rule id="100004" level="0">
>> <decoded_as>msftp8</decoded_as>
>> <description>Grouping for the Microsoft ftp 8 rules.</description>
>> </rule>
>>
>> <rule id="100005" level="5">
>> <if_sid>100004</if_sid>
>> <action>PASS</action>
>> <id>530</id>
>> <description>FTP Authentication failed.</description>
>> <group>authentication_failed,</group>
>> </rule>
>>
>> <rule id="100006" level="10" frequency="6" timeframe="120">
>> <if_matched_sid>100005</if_matched_sid>
>> <description>FTP brute force (multiple failed logins).</description>
>> <group>authentication_failures,</group>
>> </rule>
>>
>> </group>
>>
>>
>>
>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>
>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157
>> 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 -
>> An+error+occurred+during+the+authentication+process.
>>
>>
>> The plan is to check the IIS 8 FTP server log looking for brute force
>> attempts and in addition drop the IP that is offending to agents.
>>
>> I have set these up and restarted both server and agent and run 10+ rapid
>> ftp login attempts but do not see any real alerts as designed.
>>
>> Any direction would be welcomed...
>>
>>
>>
>>
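To make the decoder and rule chain in this thread checkable away from a live OSSEC server, here is an added example (not OSSEC's code and not anything posted in the thread) that replays constructed IIS 8 FTP log lines through an equivalent of the msftp8 decoder and of rules 100005 and 100006. The prematch and regex are transcribed by hand from the decoder above into Python's re syntax, on the assumption that OSSEC's \d, \S and '.' match the same characters as Python's for these patterns; the parent windows-date-format is modelled as consuming the leading "YYYY-MM-DD HH:MM:SS "; and frequency/timeframe is modelled as "six rule 100005 matches inside 120 seconds", which is an assumption about OSSEC's counting, not a statement of it. The function and class names (decode, FtpBruteForceRules, replay, make_line) are this example's own.

```python
"""Offline re-enactment of the thread's msftp8 decoder and rules 100005/100006.

Added example, not OSSEC's code: the decoder patterns are hand-transcribed from
the thread into Python's re syntax (assumption: OSSEC's \\d, \\S and '.' match
the same characters as Python's here), and frequency/timeframe is modelled as
"N rule matches inside the timeframe" (assumption).
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Parent decoder windows-date-format, modelled as consuming "YYYY-MM-DD HH:MM:SS ".
PARENT = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")
# msftp8 prematch and regex from the thread (offset="after_parent"); the two
# <regex> elements are written as the single pattern their concatenation gives.
PREMATCH = re.compile(r"^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC")
REGEX = re.compile(
    r"^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ \d+ (\S+) \S+ (\d+) "
)
ORDER = ("srcip", "user", "action", "id")


def decode(line):
    """Return the fields msftp8 would extract, or None when the decoder does not apply."""
    parent = PARENT.match(line)
    if parent is None:
        return None
    rest = line[parent.end():]
    if PREMATCH.match(rest) is None:
        return None
    fields = REGEX.match(rest)
    if fields is None:
        return None
    return dict(zip(ORDER, fields.groups()))


class FtpBruteForceRules:
    """Rule 100005 (action PASS, id 530) and rule 100006 (frequency 6, timeframe 120).

    As posted, rule 100006 has no <same_source_ip/>, so the count is global
    across all clients; that is what is modelled here. Keying self.recent by
    srcip is what that option would change.
    """

    def __init__(self, frequency=6, timeframe=120):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.recent = deque()  # timestamps of 100005 matches, oldest first

    def evaluate(self, line):
        """Return the highest rule id the line triggers (100005 or 100006), else None."""
        fields = decode(line)
        if fields is None or fields["action"] != "PASS" or fields["id"] != "530":
            return None
        # Event time is read from the log line so the replay is deterministic offline.
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        self.recent.append(ts)
        while ts - self.recent[0] > self.timeframe:
            self.recent.popleft()
        if len(self.recent) >= self.frequency:
            self.recent.clear()  # alert once, then start a fresh window
            return 100006
        return 100005


def make_line(ts, client_port, status, session):
    """Constructed IIS 8 FTP W3C line with the field layout of the thread's sample."""
    message = "An+error+occurred+during+the+authentication+process." if status == 530 else "-"
    return (f"{ts} 10.18.100.24 {client_port} - FTPSVC4 SPMEDIA1 - 10.20.199.157 "
            f"12600 PASS *** {status} 1326 41 101 16 0 {session} - {message}")


# Constructed replay: six failed logins inside 50 seconds with one successful
# login (230) in the middle, which rule 100005 must ignore.
SAMPLE_LINES = [
    make_line("2016-05-23 20:03:38", 23138, 530, "sess0"),
    make_line("2016-05-23 20:03:48", 23139, 530, "sess1"),
    make_line("2016-05-23 20:03:58", 23140, 530, "sess2"),
    make_line("2016-05-23 20:04:03", 23141, 230, "sess3"),
    make_line("2016-05-23 20:04:08", 23142, 530, "sess4"),
    make_line("2016-05-23 20:04:18", 23143, 530, "sess5"),
    make_line("2016-05-23 20:04:28", 23144, 530, "sess6"),
]


def replay(lines):
    """Feed lines through the rules in order and return the rule id fired per line."""
    rules = FtpBruteForceRules()
    return [rules.evaluate(line) for line in lines]


if __name__ == "__main__":
    for line, fired in zip(SAMPLE_LINES, replay(SAMPLE_LINES)):
        print(f"{decode(line)} -> {fired}")
```

Running it shows rule 100005 on each 530 line, nothing on the 230 line, and 100006 on the sixth failure; feeding the same six failures spread over more than 120 seconds never reaches 100006, which is the quickest way to sanity-check a timeframe before testing with real login attempts against an agent.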
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.