I misspoke in the original email. I was attempting to fire 100506 based on 
100504.

A side question: My openvpn install does not log to syslog and does not 
contain the program name. I was forced to name all decoders the same in 
order to get the rule to match. Is there a more elegant way to handle this? 
Or, better yet, indicate that a certain log file should only have certain 
decoders applied?

Thank you very much for the help.

-b

On Tuesday, September 20, 2016 at 12:59:53 PM UTC-4, bar...@bossanova.com 
wrote:
>
> I didn't post the entire ruleset or my decoders
>
> Rule 100500 exists. I have a decoder that also extract the src IP
>
> I have attached the complete rules and decoders
>
> On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote: 
>> > On Tue, Sep 20, 2016 at 11:58 AM,  <bar...@bossanova.com> wrote: 
>> >> Question: I have a custom decoder/rule which I believe should lead to an 
>> >> active response 
>> >> 
>> >> 
>> >> My alert logs show: 
>> >> 
>> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: 
>> >> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: 
>> >> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", 
>> >> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04 
>> >> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA, 
>> >> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, 
>> >> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
>> >> 
>> >> I have a set of rules like the below snippet shows 
>> >> 
>> >> custom_rules.xml snippet 
>> >> 
>> >> <rule id="100504" level="5"> 
>> >>     <if_sid>100500</if_sid> 
>> > 
>> > Rule 100500 is missing. 
>> > 
>> >>     <match>CRL CHECK FAILED</match> 
>> >>     <description>Revoked Certificate Usage.</description> 
>> >>     <group>authentication_failed,</group> 
>> >> </rule> 
>> >> 
>> >> <rule id="100505" level="5"> 
>> >>     <if_sid>100500</if_sid> 
>> >>     <match>TLS handshake failed</match> 
>> >>     <description>TLS handshake failed</description> 
>> >>     <group>authentication_failed,</group> 
>> >> </rule> 
>> >> 
>> >> 
>> >> <rule id="100506" level="10" frequency="3" timeframe="120" ignore="90"> 
>> >>     <if_matched_sid>100504</if_matched_sid> 
>> >>     <same_source_ip/> 
>> >>     <description>Multiple Revoked CRL OpenVPN authentication failures.</description> 
>> >>     <group>authentication_failures,</group> 
>> >> </rule> 
>> >> 
>> >> 
>> >> <rule id="100507" level="10" frequency="3" timeframe="120" ignore="90"> 
>> >>     <if_matched_sid>100505</if_matched_sid> 
>> >>     <same_source_ip/> 
>> >>     <description>Multiple OpenVPN authentication failures.</description> 
>> >>     <group>authentication_failures,</group> 
>> >> </rule> 
>> >> 
>> >> <rule id="100508" level="0"> 
>> >>     <if_sid>100500</if_sid> 
>> >>     <match>error trying to bind as user|</match> 
>> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match> 
>> >>     <match>Username/Password verification failed for peer|</match> 
>> >>     <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match> 
>> >>     <description>OpenVPN message that is useless, redundant, or lacking context.</description> 
>> >> </rule> 
>> >> 
>> >> 
>> >> 
>> >> 
>> >> My expectation is that rule 100507 should match if 100504 matches 3 times 
>> >> within 2 minutes 
>> >> 
>> > 
>> > Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times 
>> > within 90 seconds. 
>> > 
>>
>> Adding a 100500 and a decoder (to match the IP address so that 
>> <same_ip /> has something to work with), I can get 100506 to fire 
>> after a number of 100504s. 
>> I haven't verified 100507 yet though. 
>>
>>
>> >> 
>> >> I have active response enabled in my ossec.conf but my active_response.log 
>> >> shows no activity 
>> >> 
>> > 
>> > Do they rely on 100507? If so, that shouldn't be a surprise. 
>> > 
>> > 
>> >> Any advice? 
>> >> 
>> >> Thanks 
>> >> 
>> >> -barrett 
>> >> 
>> >> -- 
>> >> 
>> >> --- 
>> >> You received this message because you are subscribed to the Google 
>> Groups 
>> >> "ossec-list" group. 
>> >> To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> >> email to ossec-list+...@googlegroups.com. 
>> >> For more options, visit https://groups.google.com/d/optout. 
>>
>

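The correlation the thread is debugging (rule 100504 feeding 100506 through frequency, timeframe, ignore and same_source_ip), as an added simulation that is not part of the original thread and is not OSSEC code. It assumes the raw OpenVPN line is the text inside the EVENT field of the alert above (timestamp, the us= field, client ip:port, then the message); that is why the decoder stand-in anchors on OpenVPN's own timestamp prefix rather than on a syslog program name, which this log does not carry. The sample log lines are constructed. The ossec_offset parameter exists because the OSSEC rules documentation describes the count that actually fires a frequency rule as two more than the frequency value; pass 0 to model a literal reading. The per-rule handling of ignore is an approximation to verify against your own OSSEC version.

```python
"""Added example (not from the ossec-list thread or from OSSEC): a small
simulator for the 100504 -> 100506 correlation quoted above, run over
constructed OpenVPN log lines."""
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed raw OpenVPN server log line (the text inside the EVENT field):
#   "<Day Mon DD HH:MM:SS YYYY> us=<usec> <client ip>:<port> <message>"
# Anchoring on this timestamp/us= prefix is the stand-in for a decoder
# prematch when the log carries no syslog program name.
OPENVPN_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ "
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)

# Atomic rules from the thread: sid -> substring the <match> looks for.
ATOMIC_RULES = {
    100504: "CRL CHECK FAILED",
    100505: "TLS handshake failed",
}


def decode(line):
    """Stand-in for the decoder: (epoch seconds, srcip, message) or None."""
    m = OPENVPN_LINE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return calendar.timegm(dt.timetuple()), m.group("srcip"), m.group("msg")


class CompositeRule:
    """A frequency/timeframe/ignore rule with <same_source_ip/> semantics."""

    def __init__(self, sid, if_matched_sid, frequency, timeframe, ignore,
                 ossec_offset=2):
        self.sid = sid
        self.if_matched_sid = if_matched_sid
        # The OSSEC rules documentation describes the count that actually
        # fires a frequency rule as two more than the frequency value;
        # pass ossec_offset=0 to model a literal "frequency matches" reading.
        self.needed = frequency + ossec_offset
        self.timeframe = timeframe
        self.ignore = ignore
        self.history = defaultdict(deque)  # srcip -> recent child-match times
        self.ignore_until = 0  # rule silenced until this time after firing

    def feed(self, ts, srcip, matched_sid):
        """Record a child-rule match; return True when this rule fires."""
        if matched_sid != self.if_matched_sid or ts < self.ignore_until:
            return False
        window = self.history[srcip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= self.needed:
            window.clear()
            self.ignore_until = ts + self.ignore  # approximation of <ignore>
            return True
        return False


def run(lines, composites):
    """Return [(epoch, srcip, sid)] for every atomic and composite alert."""
    alerts = []
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue
        ts, srcip, msg = decoded
        for sid, needle in ATOMIC_RULES.items():
            if needle in msg:
                alerts.append((ts, srcip, sid))
                for rule in composites:
                    if rule.feed(ts, srcip, sid):
                        alerts.append((ts, srcip, rule.sid))
    return alerts


# Constructed sample log: five revoked-cert hits from one client inside
# 120 s, one from another client, one TLS failure, and one late repeat.
SAMPLE_LOG = [
    "Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
    "Tue Sep 20 15:26:20 2016 us=100000 100.99.88.77:37779 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
    "Tue Sep 20 15:26:35 2016 us=100000 203.0.113.9:51000 CRL CHECK FAILED: CN=other_key is REVOKED",
    "Tue Sep 20 15:26:41 2016 us=100000 100.99.88.77:37780 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
    "Tue Sep 20 15:26:55 2016 us=100000 100.99.88.77:37781 TLS handshake failed",
    "Tue Sep 20 15:27:02 2016 us=100000 100.99.88.77:37782 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
    "Tue Sep 20 15:27:30 2016 us=100000 100.99.88.77:37783 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
    "Tue Sep 20 15:27:45 2016 us=100000 100.99.88.77:37784 CRL CHECK FAILED: CN=barret_revoke_key is REVOKED",
]


def simulate(ossec_offset=2):
    """Run the thread's 100506/100507 rules over SAMPLE_LOG."""
    composites = [
        CompositeRule(100506, 100504, frequency=3, timeframe=120, ignore=90,
                      ossec_offset=ossec_offset),
        CompositeRule(100507, 100505, frequency=3, timeframe=120, ignore=90,
                      ossec_offset=ossec_offset),
    ]
    return run(SAMPLE_LOG, composites)


if __name__ == "__main__":
    for ts, srcip, sid in simulate():
        print(sid, srcip, ts)
```

With the default offset, 100506 fires once, on the fifth revoked-certificate hit from 100.99.88.77 (the 15:27:30 line), and the 15:27:45 repeat is swallowed by the 90-second ignore; with ossec_offset=0 it fires on the third hit (15:26:41) instead. 100507 never fires because only one TLS failure is present, which is the same shape as the original mismatch between the rule that was expected to fire and the one that was actually wired to the alerts.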