I didn't post the entire ruleset or my decoders

Rule 100500 exists. I have a decoder that also extracts the src IP

I have attached the complete rules and decoders

On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> > On Tue, Sep 20, 2016 at 11:58 AM, <bar...@bossanova.com> wrote: 
> >> Question: I have a custom decoder/rule which I believe should lead to an 
> >> active response 
> >> 
> >> 
> >> My alert logs show: 
> >> 
> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
> >> 
> >> I have a set of rules like the below snippet shows 
> >> 
> >> custom_rules.xml snippet 
> >> 
> >> <rule id="100504" level="5"> 
> >>     <if_sid>100500</if_sid> 
> > 
> > Rule 100500 is missing. 
> > 
> >>     <match>CRL CHECK FAILED</match> 
> >>     <description>Revoked Certificate Usage.</description> 
> >>     <group>authentication_failed,</group> 
> >> </rule> 
> >> 
> >> <rule id="100505" level="5"> 
> >>     <if_sid>100500</if_sid> 
> >>     <match>TLS handshake failed</match> 
> >>     <description>TLS handshake failed</description> 
> >>     <group>authentication_failed,</group> 
> >> </rule> 
> >> 
> >> 
> >> <rule id="100506" level="10" frequency="3" timeframe="120" ignore="90"> 
> >>     <if_matched_sid>100504</if_matched_sid> 
> >>     <same_source_ip/> 
> >>     <description>Multiple Revoked CRL OpenVPN authentication failures.</description> 
> >>     <group>authentication_failures,</group> 
> >> </rule> 
> >> 
> >> 
> >> <rule id="100507" level="10" frequency="3" timeframe="120" ignore="90"> 
> >>     <if_matched_sid>100505</if_matched_sid> 
> >>     <same_source_ip/> 
> >>     <description>Multiple OpenVPN authentication failures.</description> 
> >>     <group>authentication_failures,</group> 
> >> </rule> 
> >> 
> >> <rule id="100508" level="0"> 
> >>     <if_sid>100500</if_sid> 
> >>     <match>error trying to bind as user|</match> 
> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match> 
> >>     <match>Username/Password verification failed for peer|</match> 
> >>     <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match> 
> >>     <description>OpenVPN message that is useless, redundant, or lacking context.</description> 
> >> </rule> 
> >> 
> >> 
> >> 
> >> 
> >> My expectation is that rule 100507 should match if 100504 matches 3 times 
> >> within 2 minutes 
> >> 
> > 
> > Rule 100507 is setup to fire if 100505 (not 100504) fires 5+ times 
> > within 90 seconds. 
> > 
>
> Adding a 100500 and a decoder (to match the IP address so that 
> <same_ip /> has something to work with), I can get 100506 to fire 
> after a number of 100504s. 
> I haven't verified 100507 yet though. 
>
>
> >> 
> >> I have active response enabled in my ossec.conf but my active_response.log 
> >> shows no activity 
> >> 
> > 
> > Do they rely on 100507? If so, that shouldn't be a surprise. 
> > 
> > 
> >> Any advice? 
> >> 
> >> Thanks 
> >> 
> >> -barrett 
> >> 
> >> -- 
> >> 
> >> --- 
> >> You received this message because you are subscribed to the Google Groups "ossec-list" group. 
> >> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com. 
> >> For more options, visit https://groups.google.com/d/optout. 
>


Attachment: openvpn_rule.xml
Description: XML document

Attachment: openvpn_decoder.xml
Description: XML document
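The two points dan makes in the thread, that `<same_source_ip/>` only works when the decoder actually extracts srcip and that 100507 watches 100505 rather than 100504, worked through as an added example (not code from the thread, the attachments or OSSEC itself): a small Python model of the decoder and the quoted rules, run over constructed OpenVPN log lines. The decoder regex, the event timestamps and the simplified frequency counting are assumptions, not OSSEC analysisd's own logic.

```python
import re
from collections import defaultdict, deque

# Constructed sample events (seconds offset, log line), shaped like the EVENT field
# of the alert quoted in the thread; only the IP and CN are taken from that alert.
SAMPLE = [
    (0,  "Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED"),
    (30, "Tue Sep 20 15:26:34 2016 us=100000 100.99.88.77:37779 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED"),
    (60, "Tue Sep 20 15:27:04 2016 us=200000 100.99.88.77:37780 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED"),
    (70, "Tue Sep 20 15:27:14 2016 us=300000 203.0.113.9:40000 TLS handshake failed"),
]
# Hypothetical decoder standing in for the openvpn decoder that rule 100500 hangs
# off: it recognises the OpenVPN line shape and pulls srcip out of the "ip:port" field.
OPENVPN_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (\d{1,3}(?:\.\d{1,3}){3}):\d+ (.*)$")

def decode(line):
    m = OPENVPN_RE.match(line)
    return {"srcip": m.group(1), "msg": m.group(2)} if m else None

def decode_without_srcip(line):  # same decoder, but not extracting the IP
    ev = decode(line)
    return {"srcip": None, "msg": ev["msg"]} if ev else None

# <match> strings of the quoted leaf rules; both carry <if_sid>100500</if_sid>.
LEAF = {100504: "CRL CHECK FAILED", 100505: "TLS handshake failed"}
# Composite rules: id -> (if_matched_sid, frequency, timeframe), both <same_source_ip/>.
# Counting is simplified to "frequency matches from one srcip inside timeframe";
# analysisd's exact count and ignore="90" are not modelled.
COMPOSITE = {100506: (100504, 3, 120), 100507: (100505, 3, 120)}

def analyze(events, decoder=decode):
    fired, history = [], defaultdict(deque)  # (parent sid, srcip) -> match times
    for ts, line in events:
        ev = decoder(line)
        if ev is None:  # not decoded as openvpn: 100500 and its children never match
            continue
        for sid, needle in LEAF.items():
            if needle not in ev["msg"]:
                continue
            fired.append(sid)
            for csid, (parent, freq, window) in COMPOSITE.items():
                if parent != sid or ev["srcip"] is None:  # same_source_ip needs srcip
                    continue
                q = history[(parent, ev["srcip"])]
                q.append(ts)
                while ts - q[0] > window:  # drop matches older than the timeframe
                    q.popleft()
                if len(q) >= freq:
                    fired.append(csid)
                    q.clear()
    return fired
```

With the srcip-extracting decoder the three CRL failures from one IP raise 100506, while 100507 stays silent because nothing matched 100505 three times; swap in `decode_without_srcip` and 100506 never fires at all.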
