On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Sep 20, 2016 at 11:58 AM,  <barr...@bossanova.com> wrote:
>> Question: I have a custom decoder/rule which I believe should lead to an
>> active response
>>
>>
>> My alert logs show:
>>
>> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
>> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER:
>> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
>> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04
>> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
>> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
>> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
>>
>> I have a set of rules like the below snippet shows
>>
>> custom_rules.xml snippet
>>
>> <rule id="100504" level="5">
>>     <if_sid>100500</if_sid>
>
> Rule 100500 is missing.
>
>>     <match>CRL CHECK FAILED</match>
>>     <description>Revoked Certificate Usage.</description>
>>     <group>authentication_failed,</group>
>> </rule>
>>
>> <rule id="100505" level="5">
>>     <if_sid>100500</if_sid>
>>     <match>TLS handshake failed</match>
>>     <description>TLS handshake failed</description>
>>     <group>authentication_failed,</group>
>> </rule>
>>
>>
>> <rule id="100506" level="10" frequency="3" timeframe="120"  ignore="90">
>>     <if_matched_sid>100504</if_matched_sid>
>>     <same_source_ip/>
>>     <description>Multiple Revoked CRL OpenVPN authentication
>> failures.</description>
>>     <group>authentication_failures,</group>
>> </rule>
>>
>>
>> <rule id="100507" level="10" frequency="3" timeframe="120"  ignore="90">
>>     <if_matched_sid>100505</if_matched_sid>
>>     <same_source_ip/>
>>     <description>Multiple OpenVPN authentication failures.</description>
>>     <group>authentication_failures,</group>
>> </rule>
>>
>> <rule id="100508" level="0">
>>     <if_sid>100500</if_sid>
>>     <match>error trying to bind as user|</match>
>>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
>>     <match>Username/Password verification failed for peer|</match>
>>     <match>SIGUSR1[soft,tls-error] received, client-instance
>> restarting</match>
>>     <description>OpenVPN message that is useless, redundant, or lacking
>> context.</description>
>> </rule>
>>
>>
>>
>>
>> My expectation is that rule 100507 should match if 100504 matches 3 times
>> within 2 minutes
>>
>
> Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
> within 90 seconds.
>

Adding a 100500 and a decoder (to match the IP address so that
<same_ip /> has something to work with), I can get 100506 to fire
after a number of 100504s.
I haven't verified 100507 yet though.


>>
>> I have active response enabled in my ossec.conf but my active_response.log
>> shows no activity
>>
>
> Do they rely on 100507? If so, that shouldn't be a surprise.
>
>
>> Any advice?
>>
>> Thanks
>>
>> -barrett
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.

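A worked version of the pieces dan says he had to add, written here as an added example: it is not from the thread and not from the OSSEC project, and the decoder name "openvpn", the regexes, the body of rule 100500 and the active-response stanza are assumptions built from the single openvpn log line quoted above. Rule 100506 already encodes the "three 100504 hits from one source inside 120 seconds" condition the poster is after, so the posted rules are kept as they are and only their missing dependencies are supplied: a decoder that pulls srcip out of the "100.99.88.77:37778" token (without it `<same_source_ip/>` has nothing to compare and a firewall-drop response, which expects srcip, is skipped), a level-0 parent rule 100500 so the `<if_sid>` references resolve, and an active-response block that names the composite rules by id. The regexes use OSSEC's own dialect (`\d+` digits, `\w+` letters/digits, a bare `.` is literal, `\.` is the wildcard).

```xml
<!-- /var/ossec/etc/local_decoder.xml (assumed location and content) -->

<!-- Parent: match the timestamp prefix of an OpenVPN log line such as
     "Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: ..."
     The format is inferred from the one line quoted in the thread. -->
<decoder name="openvpn">
  <prematch>^\w+ \w+ \d+ \d+:\d+:\d+ \d+ us=\d+ </prematch>
</decoder>

<!-- Child: immediately after the parent prematch comes "<ip>:<port> ",
     capture the IP into srcip so same_source_ip and firewall-drop can use it. -->
<decoder name="openvpn-client">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):\d+ </regex>
  <order>srcip</order>
</decoder>


<!-- /var/ossec/rules/local_rules.xml (assumed): the parent rule that the
     posted <if_sid>100500</if_sid> references need. Level 0 means it never
     alerts on its own; it only groups decoded OpenVPN events. -->
<group name="openvpn,">
  <rule id="100500" level="0">
    <decoded_as>openvpn</decoded_as>
    <description>OpenVPN messages grouped.</description>
  </rule>

  <!-- The posted rules 100504 through 100508 follow here unchanged.
       100504 (CRL CHECK FAILED) -> 100506 fires on 3 hits from one srcip in 120 s,
       100505 (TLS handshake failed) -> 100507 fires on 3 hits from one srcip in 120 s. -->
</group>


<!-- /var/ossec/etc/ossec.conf (assumed excerpt): the command definition is the
     stock one; the active-response block binds it to the two composite rules.
     Because the command expects srcip, the decoder above is what makes the
     response actually run. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100506,100507</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

To check the chain without waiting for real failures, paste the raw openvpn line (not the OSSEC alert wrapper with TS:/RID:) into /var/ossec/bin/ossec-logtest: the decoder section of its output should show srcip set to 100.99.88.77 and rule 100504 matched, and pasting the same line three times in one session should end with rule 100506 firing. If srcip is missing there, active_response.log will stay empty no matter how the rules are arranged.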