I guess you know it, but you must restart OSSEC after changing decoders, rules or ossec.conf.
On Wednesday, May 25, 2016 at 10:37:49 AM UTC+2, Jesus Linares wrote:
> Hi Jacob,
>
> I have no idea what is happening.
>
> ossec.conf:
> <rules>
> <decoder>etc/decoder.xml</decoder>
> <decoder>etc/local_decoder.xml</decoder>
>
> local_decoder.xml:
> <decoder name="msftp8">
> <parent>windows-date-format</parent>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
> <regex>\d+ (\S+) \S+ (\d+) </regex>
> <order>srcip,user,action,id</order>
> </decoder>
>
> local_rules.xml:
> <group name="msftp8,syslog,">
> <rule id="100004" level="0">
> <decoded_as>msftp8</decoded_as>
> <description>Grouping for the Microsoft ftp 8 rules.</description>
> </rule>
>
> <rule id="100005" level="5">
> <if_sid>100004</if_sid>
> <action>PASS</action>
> <id>530</id>
> <description>FTP Authentication failed.</description>
> <group>authentication_failed,</group>
> </rule>
>
> <rule id="100006" level="10" frequency="6" timeframe="120">
> <if_matched_sid>100005</if_matched_sid>
> <description>FTP brute force (multiple failed logins).</description>
> <group>authentication_failures,</group>
> </rule>
> </group>
>
> ossec-logtest:
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
> hostname: 'v280'
> program_name: '(null)'
> log: '2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.'
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> srcip: '10.18.100.24'
> dstuser: '-'
> action: 'PASS'
> id: '530'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100005'
> Level: '5'
> Description: 'FTP Authentication failed.'
> **Alert to be generated.
>
> cat /etc/ossec-init.conf
> DIRECTORY="/var/ossec"
> VERSION="v2.8"
> DATE="Wed May 25 10:13:08 CEST 2016"
> TYPE="server"
>
> I tested it with the log:
> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>
> but in your last post, the log looks like:
> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157
> 12600 PASS *** 530 1326 41 101 11 0
> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc
> curred+during+the+authentication+process.
>
> I guess the white spaces are due to a format issue when you pasted the log, or are you receiving the log with white spaces?
>
> Regards.
>
> On Tuesday, May 24, 2016 at 9:05:59 PM UTC+2, Jacob Mcgrath wrote:
>> As far as alert.log
>>
>> ** Alert 1464116536.2709526: mail - syslog,errors,
>> 2016 May 24 19:02:16 (spmedia1) 10.20.199.157->\inetpub\logs\LogFiles\FTPSVC4\u_ex160524.log
>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> Src IP: 10.18.100.24
>> User: -
>> 2016-05-24 19:02:01 10.18.100.24 53101 - FTPSVC4 SPMEDIA1 - 10.20.199.157
>> 12600 PASS *** 530 1326 41 101 11 0
>> 1475ab80-1b75-43ce-9b59-d2d61cf15c63 - An+error+oc
>> curred+during+the+authentication+process.
>>
>> On Monday, May 23, 2016 at 3:51:28 PM UTC-5, Jacob Mcgrath wrote:
>>> Here is what I have so far...
>>>
>>> *Agent config*
>>>
>>> <localfile>
>>> <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location>
>>> <log_format>iis</log_format>
>>> </localfile>
>>>
>>> *Server local_decoder.xml*
>>>
>>> <decoder name="msftp8">
>>> <parent>windows-date-format</parent>
>>> <use_own_name>true</use_own_name>
>>> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</prematch>
>>> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S+ \S+ </regex>
>>> <regex>\d+ (\S+) \S+ (\d+) </regex>
>>> <order>srcip,user,action,id</order>
>>> </decoder>
>>>
>>> *Server local_rules.xml*
>>>
>>> <group name="msftp8,syslog,">
>>> <rule id="100004" level="0">
>>> <decoded_as>msftp8</decoded_as>
>>> <description>Grouping for the Microsoft ftp 8 rules.</description>
>>> </rule>
>>>
>>> <rule id="100005" level="5">
>>> <if_sid>100004</if_sid>
>>> <action>PASS</action>
>>> <id>530</id>
>>> <description>FTP Authentication failed.</description>
>>> <group>authentication_failed,</group>
>>> </rule>
>>>
>>> <rule id="100006" level="10" frequency="6" timeframe="120">
>>> <if_matched_sid>100005</if_matched_sid>
>>> <description>FTP brute force (multiple failed logins).</description>
>>> <group>authentication_failures,</group>
>>> </rule>
>>>
>>> </group>
>>>
>>> *Now my IIS 8 ftp server log looks like this for the 530 error:*
>>>
>>> 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process.
>>>
>>> The plan is to check the IIS 8 FTP server log looking for brute force attempts and in addition drop the IP that is offending to agents.
>>>
>>> I have set these up and restarted both server and agent and run 10+ rapid ftp login attempts but do not see any real alerts as designed.
>>>
>>> Any direction would be welcomed...
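The decoder and rules 100005/100006 discussed in this thread, modelled in Python as an added example (this is not code from the thread or from OSSEC itself): it extracts the same fields the msftp8 decoder does, matches PASS with status 530 like rule 100005, and applies a simplified frequency/timeframe window per source IP like rule 100006. The sample log lines are constructed in the format Jacob posted (session ids are placeholders), and the window logic is a simplification, not OSSEC's exact counter semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Model of the thread's msftp8 decoder: date/time (windows-date-format parent), c-ip, c-port,
# cs-username, FTPSVC site, three more fields, server port, cs-method ("action"), sc-status ("id").
FTP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<srcip>\d+\.\d+\.\d+\.\d+) "
    r"\d+ (?P<user>\S+) FTPSVC\S* \S+ \S+ \S+ \d+ (?P<action>\S+) \S+ (?P<id>\d+) "
)
# Constructed sample lines in the format shown in the thread; session ids are placeholders.
FAIL = ("{} 10.18.100.24 {} - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 "
        "1326 41 101 16 0 session-{} - An+error+occurred+during+the+authentication+process.")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 8.0",  # W3C header, not an event
    FAIL.format("2016-05-23 20:03:38", 23138, 1),
    FAIL.format("2016-05-23 20:03:45", 23140, 2),
    FAIL.format("2016-05-23 20:03:52", 23142, 3),
    FAIL.format("2016-05-23 20:04:01", 23144, 4),
    "2016-05-23 20:04:05 10.18.100.24 23146 bob FTPSVC4 SPMEDIA1 - 10.20.199.157 "
    "12600 PASS *** 230 0 0 0 16 0 session-5 - Password+OK",  # successful login, not a 530
    FAIL.format("2016-05-23 20:04:10", 23148, 6),
    FAIL.format("2016-05-23 20:04:20", 23150, 7),
]

def decode(line):
    """Return the fields the thread's rules use, or None if the line is not an FTPSVC event."""
    m = FTP_LINE.match(line)
    if not m:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))

def is_auth_failure(f):  # rule 100005: <action>PASS</action> with <id>530</id>
    return f["action"] == "PASS" and f["id"] == "530"

def detect_bruteforce(lines, frequency=6, timeframe=120):  # rule 100006 frequency/timeframe
    """Simplified rule 100006: per-source sliding window; returns (srcip, time) per alert."""
    seen, alerts = defaultdict(deque), []
    for line in lines:
        f = decode(line)
        if f is None or not is_auth_failure(f):
            continue
        q = seen[f["srcip"]]
        q.append(f["ts"])
        while (f["ts"] - q[0]).total_seconds() > timeframe:  # expire hits outside the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((f["srcip"], f["ts"]))
            q.clear()  # one alert per burst, then start counting again
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` yields a single alert for 10.18.100.24 at the sixth 530 within 120 seconds; the header line and the successful PASS are ignored, which is the same filtering the decoder and rule 100005 perform before 100006 ever counts anything.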
