Also in my original logs it does show SRCIP as being set and identical 
across those entries.

On Tuesday, September 20, 2016 at 1:04:01 PM UTC-4, bar...@bossanova.com 
wrote:
>
> I misspoke in the original email. I was attempting to fire 100506 based on 
> 100504.
>
> A side question: my openvpn install does not log to syslog and does not 
> contain the program name. I was forced to name all decoders the same in 
> order to get the rule to match. Is there a more elegant way to handle this? 
> Or, better yet, to indicate that a certain log file should only have certain 
> decoders applied?
>
> Thank you very much for the help.
>
> -b
>
> On Tuesday, September 20, 2016 at 12:59:53 PM UTC-4, bar...@bossanova.com 
> wrote:
>>
>> I didn't post the entire ruleset or my decoders
>>
>> Rule 100500 exists. I have a decoder that also extracts the src IP.
>>
>> I have attached the complete rules and decoders
>>
>> On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote: 
>>> > On Tue, Sep 20, 2016 at 11:58 AM,  <bar...@bossanova.com> wrote: 
>>> >> Question: I have a custom decoder/rule which I believe should lead to an 
>>> >> active response 
>>> >> 
>>> >> 
>>> >> My alert logs show: 
>>> >> 
>>> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", 
>>> >> RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", 
>>> >> HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", 
>>> >> EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: 
>>> >> C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, 
>>> >> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]" 
>>> >> 
>>> >> I have a set of rules like the below snippet shows 
>>> >> 
>>> >> custom_rules.xml snippet 
>>> >> 
>>> >> <rule id="100504" level="5"> 
>>> >>     <if_sid>100500</if_sid> 
>>> > 
>>> > Rule 100500 is missing. 
>>> > 
>>> >>     <match>CRL CHECK FAILED</match> 
>>> >>     <description>Revoked Certificate Usage.</description> 
>>> >>     <group>authentication_failed,</group> 
>>> >> </rule> 
>>> >> 
>>> >> <rule id="100505" level="5"> 
>>> >>     <if_sid>100500</if_sid> 
>>> >>     <match>TLS handshake failed</match> 
>>> >>     <description>TLS handshake failed</description> 
>>> >>     <group>authentication_failed,</group> 
>>> >> </rule> 
>>> >> 
>>> >> 
>>> >> <rule id="100506" level="10" frequency="3" timeframe="120" ignore="90"> 
>>> >>     <if_matched_sid>100504</if_matched_sid> 
>>> >>     <same_source_ip/> 
>>> >>     <description>Multiple Revoked CRL OpenVPN authentication failures.</description> 
>>> >>     <group>authentication_failures,</group> 
>>> >> </rule> 
>>> >> 
>>> >> 
>>> >> <rule id="100507" level="10" frequency="3" timeframe="120" ignore="90"> 
>>> >>     <if_matched_sid>100505</if_matched_sid> 
>>> >>     <same_source_ip/> 
>>> >>     <description>Multiple OpenVPN authentication failures.</description> 
>>> >>     <group>authentication_failures,</group> 
>>> >> </rule> 
>>> >> 
>>> >> <rule id="100508" level="0"> 
>>> >>     <if_sid>100500</if_sid> 
>>> >>     <match>error trying to bind as user|</match> 
>>> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match> 
>>> >>     <match>Username/Password verification failed for peer|</match> 
>>> >>     <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match> 
>>> >>     <description>OpenVPN message that is useless, redundant, or lacking context.</description> 
>>> >> </rule> 
>>> >> 
>>> >> 
>>> >> 
>>> >> 
>>> >> My expectation is that rule 100507 should match if 100504 matches 3 times 
>>> >> within 2 minutes 
>>> >> 
>>> > 
>>> > Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times 
>>> > within 90 seconds. 
>>> > 
>>>
>>> Adding a 100500 and a decoder (to match the IP address so that 
>>> <same_ip /> has something to work with), I can get 100506 to fire 
>>> after a number of 100504s. 
>>> I haven't verified 100507 yet though. 
>>>
>>>
>>> >> 
>>> >> I have active response enable in my ossec.conf but my 
>>> active_response.log 
>>> >> shows no activity 
>>> >> 
>>> > 
>>> > Do they rely on 100507? If so, that shouldn't be a surprise. 
>>> > 
>>> > 
>>> >> Any advice? 
>>> >> 
>>> >> Thanks 
>>> >> 
>>> >> -barrett 
>>> >> 
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
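To make the correlation chain being debugged in this thread concrete, here is an added worked example. It is not code from the thread or from OSSEC: it is a small Python model of what the decoder and the rules above are supposed to do. A Python regex stands in for the OSSEC decoder (OSSEC has its own regex dialect), the two atomic rules are substring matches like <match>, and the composite rules implement if_matched_sid, frequency, timeframe, same_source_ip and ignore. The counting is deliberately simplified (the composite rule fires once `frequency` matches from one source IP fall inside `timeframe` seconds, then stays quiet for that IP for `ignore` seconds); OSSEC's own counters differ in detail, so treat the numbers as illustrative. The sample log lines, the second client IP 100.99.88.78 and all timestamps are constructed for the example.

```python
"""Toy model of the OSSEC decoder + rule chain from the thread.

Added illustration, not OSSEC source code. Shows why 100506 needs a decoder
that fills srcip (for <same_source_ip/>), and why 100507 never fires here:
it depends on 100505 (TLS handshake failed), not on 100504.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, in the raw OpenVPN format shown in the thread
# (no syslog header, no program name). Second IP and all times are made up.
SAMPLE_LOG = [
    "Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, CN=barret_revoke_key, name=EasyRSA is REVOKED",
    "Tue Sep 20 15:26:40 2016 us=120311 100.99.88.77:37780 CRL CHECK FAILED: C=US, CN=barret_revoke_key, name=EasyRSA is REVOKED",
    "Tue Sep 20 15:26:55 2016 us=553810 100.99.88.78:40210 CRL CHECK FAILED: C=US, CN=other_revoked_key, name=EasyRSA is REVOKED",
    "Tue Sep 20 15:27:10 2016 us=998001 100.99.88.78:40211 TLS Error: TLS handshake failed",
    "Tue Sep 20 15:27:30 2016 us=400213 100.99.88.77:37781 CRL CHECK FAILED: C=US, CN=barret_revoke_key, name=EasyRSA is REVOKED",
    "Tue Sep 20 15:27:50 2016 us=011223 100.99.88.77:37782 CRL CHECK FAILED: C=US, CN=barret_revoke_key, name=EasyRSA is REVOKED",
]

# Python stand-in for the OSSEC decoder: anchor on the OpenVPN line shape
# (timestamp, us=..., client ip:port) and pull out srcip and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ "
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)
CN_RE = re.compile(r"\bCN=(?P<user>[^,\s]+)")  # certificate CN -> user field

# The atomic rules from the thread, as substring matches (like <match>).
ATOMIC_RULES = {
    100504: {"level": 5, "match": "CRL CHECK FAILED"},
    100505: {"level": 5, "match": "TLS handshake failed"},
}
# The composite rules from the thread: if_matched_sid + frequency/timeframe/ignore.
COMPOSITE_RULES = {
    100506: {"if_matched_sid": 100504, "frequency": 3, "timeframe": 120,
             "ignore": 90, "same_source_ip": True},
    100507: {"if_matched_sid": 100505, "frequency": 3, "timeframe": 120,
             "ignore": 90, "same_source_ip": True},
}


def decode(line, extract_srcip=True):
    """Decode one raw line into fields; return None if the line does not match.

    extract_srcip=False mimics a decoder that never fills srcip, i.e. the
    situation where <same_source_ip/> has nothing to correlate on.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y").timestamp()
    cn = CN_RE.search(m.group("msg"))
    return {
        "ts": ts,
        "srcip": m.group("srcip") if extract_srcip else None,
        "user": cn.group("user") if cn else None,
        "msg": m.group("msg"),
    }


def run_rules(lines, extract_srcip=True):
    """Run decoder + rules over lines; return fired (rule_id, srcip) in order."""
    alerts = []
    windows = defaultdict(list)  # (composite_id, srcip) -> timestamps of matches
    quiet_until = {}             # (composite_id, srcip) -> epoch end of ignore period
    for line in lines:
        ev = decode(line, extract_srcip)
        if ev is None:
            continue
        sid = next((rid for rid, r in ATOMIC_RULES.items() if r["match"] in ev["msg"]), None)
        if sid is None:
            continue
        alerts.append((sid, ev["srcip"]))
        for cid, comp in COMPOSITE_RULES.items():
            if comp["if_matched_sid"] != sid:
                continue
            # No decoded srcip means same_source_ip cannot group events at all.
            if comp["same_source_ip"] and ev["srcip"] is None:
                continue
            key = (cid, ev["srcip"])
            win = windows[key]
            win.append(ev["ts"])
            # Keep only matches inside the timeframe.
            windows[key] = win = [t for t in win if ev["ts"] - t <= comp["timeframe"]]
            if ev["ts"] < quiet_until.get(key, 0):
                continue  # still inside ignore= after a previous firing
            if len(win) >= comp["frequency"]:
                alerts.append((cid, ev["srcip"]))
                quiet_until[key] = ev["ts"] + comp["ignore"]
                win.clear()
    return alerts


if __name__ == "__main__":
    for rid, ip in run_rules(SAMPLE_LOG):
        print(rid, ip)
```

With the sample input, 100506 fires once for 100.99.88.77 on its third CRL failure (86 seconds apart), the fourth failure 20 seconds later is swallowed by ignore="90", the single failure from 100.99.88.78 never reaches the frequency, and 100507 stays silent because only one "TLS handshake failed" line exists. Running the same lines with extract_srcip=False yields the atomic alerts only, which is the point made above about the decoder having to supply the IP.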
