On Tue, Sep 20, 2016 at 1:26 PM,  <barr...@bossanova.com> wrote:
> Also in my original logs it does show SRCIP as being set and identical
> across those entries.
>

Which doesn't matter if there is no decoder to decode the IP address.

>
> On Tuesday, September 20, 2016 at 1:04:01 PM UTC-4, bar...@bossanova.com
> wrote:
>>
>> I misspoke in the original email. I was attempting to fire 100506 based on
>> 100504.
>>
>> A side question: My openvpn install does not log to syslog and does not
>> contain the program name. I was forced to name all decoders the same in
>> order to get the rule to match. Is there a more elegant way to handle this?
>> Or, better yet, to indicate that a certain log file should only have certain
>> decoders applied?
>>
>> Thank you very much for the help.
>>
>> -b
>>
>> On Tuesday, September 20, 2016 at 12:59:53 PM UTC-4, bar...@bossanova.com
>> wrote:
>>>
>>> I didn't post the entire ruleset or my decoders
>>>
>>> Rule 100500 exists. I have a decoder that also extracts the src IP.
>>>
>>> I have attached the complete rules and decoders
>>>
>>> On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
>>>>
>>>> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> > On Tue, Sep 20, 2016 at 11:58 AM,  <bar...@bossanova.com> wrote:
>>>> >> Question: I have a custom decoder/rule which I believe should lead to
>>>> >> an
>>>> >> active response
>>>> >>
>>>> >>
>>>> >> My alert logs show:
>>>> >>
>>>> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
>>>> >> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.",
>>>> >> USER:
>>>> >> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME:
>>>> >> "hostgateway-0",
>>>> >> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20
>>>> >> 15:26:04
>>>> >> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
>>>> >> L=Pittsburgh, O=bossa_nova_robotics, OU=Software,
>>>> >> CN=barret_revoke_key,
>>>> >> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
>>>> >>
>>>> >> I have a set of rules like the below snippet shows
>>>> >>
>>>> >> custom_rules.xml snippet
>>>> >>
>>>> >> <rule id="100504" level="5">
>>>> >>     <if_sid>100500</if_sid>
>>>> >
>>>> > Rule 100500 is missing.
>>>> >
>>>> >>     <match>CRL CHECK FAILED</match>
>>>> >>     <description>Revoked Certificate Usage.</description>
>>>> >>     <group>authentication_failed,</group>
>>>> >> </rule>
>>>> >>
>>>> >> <rule id="100505" level="5">
>>>> >>     <if_sid>100500</if_sid>
>>>> >>     <match>TLS handshake failed</match>
>>>> >>     <description>TLS handshake failed</description>
>>>> >>     <group>authentication_failed,</group>
>>>> >> </rule>
>>>> >>
>>>> >>
>>>> >> <rule id="100506" level="10" frequency="3" timeframe="120"
>>>> >> ignore="90">
>>>> >>     <if_matched_sid>100504</if_matched_sid>
>>>> >>     <same_source_ip/>
>>>> >>     <description>Multiple Revoked CRL OpenVPN authentication
>>>> >> failures.</description>
>>>> >>     <group>authentication_failures,</group>
>>>> >> </rule>
>>>> >>
>>>> >>
>>>> >> <rule id="100507" level="10" frequency="3" timeframe="120"
>>>> >> ignore="90">
>>>> >>     <if_matched_sid>100505</if_matched_sid>
>>>> >>     <same_source_ip/>
>>>> >>     <description>Multiple OpenVPN authentication
>>>> >> failures.</description>
>>>> >>     <group>authentication_failures,</group>
>>>> >> </rule>
>>>> >>
>>>> >> <rule id="100508" level="0">
>>>> >>     <if_sid>100500</if_sid>
>>>> >>     <match>error trying to bind as user|</match>
>>>> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
>>>> >>     <match>Username/Password verification failed for peer|</match>
>>>> >>     <match>SIGUSR1[soft,tls-error] received, client-instance
>>>> >> restarting</match>
>>>> >>     <description>OpenVPN message that is useless, redundant, or
>>>> >> lacking
>>>> >> context.</description>
>>>> >> </rule>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> My expectation is that rule 100507 should match if 100504 matches 3
>>>> >> times
>>>> >> within 2 minutes
>>>> >>
>>>> >
>>>> > Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
>>>> > within 90 seconds.
>>>> >
>>>>
>>>> Adding a 100500 and a decoder (to match the IP address so that
>>>> <same_ip /> has something to work with), I can get 100506 to fire
>>>> after a number of 100504s.
>>>> I haven't verified 100507 yet though.
>>>>
>>>>
>>>> >>
>>>> >> I have active response enabled in my ossec.conf but my
>>>> >> active_response.log
>>>> >> shows no activity
>>>> >>
>>>> >
>>>> > Do they rely on 100507? If so, that shouldn't be a surprise.
>>>> >
>>>> >
>>>> >> Any advice?
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> -barrett
>>>> >>
>>>> >> --
>>>> >>
>>>> >> ---
>>>> >> You received this message because you are subscribed to the Google
>>>> >> Groups
>>>> >> "ossec-list" group.
>>>> >> To unsubscribe from this group and stop receiving emails from it,
>>>> >> send an
>>>> >> email to ossec-list+...@googlegroups.com.
>>>> >> For more options, visit https://groups.google.com/d/optout.
>

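As an added worked example (not code from the thread or from the files barrett attached), this is the shape of the decoder and parent rule dan describes adding: a parent decoder anchored on the timestamp prefix OpenVPN writes to its own log file, a child that extracts the client address so `<same_source_ip/>` has a field to compare, and a level-0 rule 100500 for the `<if_sid>` chain. The decoder names, the `<location>` pin and the exact regexes are assumptions based on the single log line quoted in the first post.

```xml
<!-- Added example, not from the thread or its attachments. Decoder names,
     the <location> value and the regexes are assumptions about the log
     format shown in the first post. -->

<!-- decoder.xml: the parent anchors on the "Day Mon DD HH:MM:SS YYYY us=NNN "
     prefix OpenVPN puts on every line of its own log file, since there is no
     syslog header or program name to match on. Child decoders inherit the
     parent's name, so one <decoded_as> in the rules covers all of them. -->
<decoder name="openvpn-file">
  <prematch>^\w+ \w+ \d+ \d+:\d+:\d+ \d+ us=\d+ </prematch>
</decoder>

<!-- Child for the revoked-certificate line: captures the client address as
     srcip (what <same_source_ip/> in rule 100506 compares) and the
     certificate CN as user. Tried first because it is the more specific. -->
<decoder name="openvpn-file-crl">
  <parent>openvpn-file</parent>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):\d+ CRL CHECK FAILED: \.+CN=(\S+), </regex>
  <order>srcip, user</order>
</decoder>

<!-- Generic child for any other line that starts with "address:port " after
     the prefix, so rules such as 100505/100507 also get a srcip to work with. -->
<decoder name="openvpn-file-peer">
  <parent>openvpn-file</parent>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):\d+ </regex>
  <order>srcip</order>
</decoder>

<!-- local_rules.xml: the parent rule that 100504, 100505 and 100508 chain on
     with <if_sid>. Level 0 so it only groups; <location> additionally limits
     it to events read from the OpenVPN log file. -->
<group name="openvpn,">
  <rule id="100500" level="0">
    <decoded_as>openvpn-file</decoded_as>
    <location>openvpn.log</location>
    <description>OpenVPN log file event.</description>
  </rule>
</group>
```

Pasting the raw log line (without the `[INIT]`/`[END]` wrapper) into `/var/ossec/bin/ossec-logtest` should show the decoder name, a `srcip` of 100.99.88.77 and rule 100504 firing; without a `srcip` in that output, `<same_source_ip/>` in 100506 has nothing to count on.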