On Tue, Sep 20, 2016 at 11:58 AM,  <barr...@bossanova.com> wrote:
> Question: I have a custom decoder/rule which I believe should lead to an
> active response
>
>
> My alert logs show:
>
> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04
> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385171", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:10
> 2016 us=65544 100.99.88.77:62693 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385203", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:42
> 2016 us=65834 100.99.88.77:28569 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385211", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:50
> 2016 us=806194 100.99.88.77:59297 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:38
> 2016 us=310533 100.99.88.77:25104 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385448", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:46
> 2016 us=987802 100.99.88.77:4767 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> OSSEC - TS:"1474385454", RID: "100504", RL: "5", RG:
> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:53
> 2016 us=807904 100.99.88.77:10344 CRL CHECK FAILED: C=US, ST=PA,
> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
>
>
> I have a set of rules like the below snippet shows
>
> custom_rules.xml snippet
>
> <rule id="100504" level="5">
>     <if_sid>100500</if_sid>

Rule 100500 is missing.

>     <match>CRL CHECK FAILED</match>
>     <description>Revoked Certificate Usage.</description>
>     <group>authentication_failed,</group>
> </rule>
>
> <rule id="100505" level="5">
>     <if_sid>100500</if_sid>
>     <match>TLS handshake failed</match>
>     <description>TLS handshake failed</description>
>     <group>authentication_failed,</group>
> </rule>
>
>
> <rule id="100506" level="10" frequency="3" timeframe="120"  ignore="90">
>     <if_matched_sid>100504</if_matched_sid>
>     <same_source_ip/>
>     <description>Multiple Revoked CRL OpenVPN authentication
> failures.</description>
>     <group>authentication_failures,</group>
> </rule>
>
>
> <rule id="100507" level="10" frequency="3" timeframe="120"  ignore="90">
>     <if_matched_sid>100505</if_matched_sid>
>     <same_source_ip/>
>     <description>Multiple OpenVPN authentication failures.</description>
>     <group>authentication_failures,</group>
> </rule>
>
> <rule id="100508" level="0">
>     <if_sid>100500</if_sid>
>     <match>error trying to bind as user|</match>
>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
>     <match>Username/Password verification failed for peer|</match>
>     <match>SIGUSR1[soft,tls-error] received, client-instance
> restarting</match>
>     <description>OpenVPN message that is useless, redundant, or lacking
> context.</description>
> </rule>
>
>
>
>
> My expectation is that rule 100507 should match if 100504 matches 3 times
> within 2 minutes
>

Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
within 90 seconds.

>
> I have active response enable in my ossec.conf but my active_response.log
> shows no activity
>

Do they rely on 100507? If so, that shouldn't be a surprise.


> Any advice?
>
> Thanks
>
> -barrett
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

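A simplified model of how the two composite rules in the quoted snippet behave on the quoted alerts, added here as an illustration (this is not OSSEC's code; the window/ignore counting below approximates OSSEC's frequency, timeframe and ignore handling rather than reproducing analysisd exactly, and the alert lines are abbreviated copies of the ones in the post):

```python
import re
from collections import defaultdict

# Constructed sample: the seven quoted alerts, trimmed to the fields this model uses.
ALERTS = """\
OSSEC - TS:"1474385165", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385171", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385203", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385211", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385440", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385448", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
OSSEC - TS:"1474385454", RID: "100504", RL: "5", SRCIP: "100.99.88.77"
"""

FIELD_RE = re.compile(r'TS:"(\d+)".*?RID: "(\d+)".*?SRCIP: "([^"]+)"')

def parse_alerts(text):
    """Return a list of (timestamp, rule_id, srcip) tuples, one per alert line."""
    out = []
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def composite_fires(alerts, if_matched_sid, frequency, timeframe, ignore):
    """Approximate an OSSEC composite rule with <same_source_ip/>: fire when
    `frequency` child matches from one source IP fall inside `timeframe`
    seconds, then stay quiet for `ignore` seconds. Returns firing timestamps."""
    window = defaultdict(list)   # srcip -> timestamps of recent child matches
    suppressed_until = {}        # srcip -> time until which <ignore> silences it
    fired = []
    for ts, rid, ip in alerts:
        if rid != if_matched_sid:
            continue
        if ts < suppressed_until.get(ip, 0):
            continue
        window[ip] = [t for t in window[ip] if ts - t <= timeframe] + [ts]
        if len(window[ip]) >= frequency:
            fired.append(ts)
            window[ip] = []
            suppressed_until[ip] = ts + ignore
    return fired

def main():
    alerts = parse_alerts(ALERTS)
    # Rule 100506 as posted: chained from 100504, so it does fire on these alerts.
    print("100506 fires at:", composite_fires(alerts, "100504", 3, 120, 90))
    # Rule 100507 as posted: chained from 100505, which never appears in the log.
    print("100507 fires at:", composite_fires(alerts, "100505", 3, 120, 90))

if __name__ == "__main__":
    main()
```

If the active response is bound to rule 100507, this is why active_response.log stays empty: the child rule it waits for never matches, while 100506 would already fire twice on the quoted alerts.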