On Tue, Sep 20, 2016 at 1:04 PM,  <barr...@bossanova.com> wrote:
> I misspoke in the original email. I was attempting to fire 100506 based on
> 100504.
>
> A side question: My openvpn install does not log to syslog and does not
> contain the program name. I was forced to name all decoders the same in
> order to get the rule to match. Is there a more elegant way to handle this.
> Or better yet indicate that a certain log file should only have certain
> decoders applied?
>

There is no way to bind decoders to log files.
Handling bad log sources can be difficult. It's best to abstract as
much as possible.

These decoders get the IP address in the log messages (not tested for
conflicts with anything else, and I obviously don't have the log
samples you do):
<decoder name="openvpn">
  <prematch>^\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d us=\d+ </prematch>
</decoder>

<decoder name="openvpn-ip">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\S+):\d+ </regex>
  <order>srcip</order>
</decoder>

With these, and the rules you provided, I'm able to get 100506 to fire
after a number of 100504s (in ossec-logtest).


> Thank you very much for the help.
>
> -b
>
>
> On Tuesday, September 20, 2016 at 12:59:53 PM UTC-4, bar...@bossanova.com
> wrote:
>>
>> I didn't post the entire ruleset or my decoders
>>
>> Rule 100500 exists. I have a decoder that also extracts the src IP
>>
>> I have attached the complete rules and decoders
>>
>> On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>> > On Tue, Sep 20, 2016 at 11:58 AM,  <bar...@bossanova.com> wrote:
>>> >> Question: I have a custom decoder/rule which I believe should lead to an
>>> >> active response
>>> >>
>>> >>
>>> >> My alert logs show:
>>> >>
>>> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
>>> >> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.",
>>> >> USER:
>>> >> "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
>>> >> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20
>>> >> 15:26:04
>>> >> 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
>>> >> L=Pittsburgh, O=bossa_nova_robotics, OU=Software,
>>> >> CN=barret_revoke_key,
>>> >> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
>>> >>
>>> >> I have a set of rules like the below snippet shows
>>> >>
>>> >> custom_rules.xml snippet
>>> >>
>>> >> <rule id="100504" level="5">
>>> >>     <if_sid>100500</if_sid>
>>> >
>>> > Rule 100500 is missing.
>>> >
>>> >>     <match>CRL CHECK FAILED</match>
>>> >>     <description>Revoked Certificate Usage.</description>
>>> >>     <group>authentication_failed,</group>
>>> >> </rule>
>>> >>
>>> >> <rule id="100505" level="5">
>>> >>     <if_sid>100500</if_sid>
>>> >>     <match>TLS handshake failed</match>
>>> >>     <description>TLS handshake failed</description>
>>> >>     <group>authentication_failed,</group>
>>> >> </rule>
>>> >>
>>> >>
>>> >> <rule id="100506" level="10" frequency="3" timeframe="120" ignore="90">
>>> >>     <if_matched_sid>100504</if_matched_sid>
>>> >>     <same_source_ip/>
>>> >>     <description>Multiple Revoked CRL OpenVPN authentication failures.</description>
>>> >>     <group>authentication_failures,</group>
>>> >> </rule>
>>> >>
>>> >>
>>> >> <rule id="100507" level="10" frequency="3" timeframe="120" ignore="90">
>>> >>     <if_matched_sid>100505</if_matched_sid>
>>> >>     <same_source_ip/>
>>> >>     <description>Multiple OpenVPN authentication failures.</description>
>>> >>     <group>authentication_failures,</group>
>>> >> </rule>
>>> >>
>>> >> <rule id="100508" level="0">
>>> >>     <if_sid>100500</if_sid>
>>> >>     <match>error trying to bind as user|</match>
>>> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
>>> >>     <match>Username/Password verification failed for peer|</match>
>>> >>     <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match>
>>> >>     <description>OpenVPN message that is useless, redundant, or lacking context.</description>
>>> >> </rule>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> My expectation is that rule 100507 should match if 100504 matches 3 times
>>> >> within 2 minutes
>>> >>
>>> >
>>> > Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
>>> > within 90 seconds.
>>> >
>>>
>>> Adding a 100500 and a decoder (to match the IP address so that
>>> <same_ip /> has something to work with), I can get 100506 to fire
>>> after a number of 100504s.
>>> I haven't verified 100507 yet though.
>>>
>>>
>>> >>
>>> >> I have active response enabled in my ossec.conf but my active_response.log
>>> >> shows no activity
>>> >>
>>> >
>>> > Do they rely on 100507? If so, that shouldn't be a surprise.
>>> >
>>> >
>>> >> Any advice?
>>> >>
>>> >> Thanks
>>> >>
>>> >> -barrett
>>> >>
>>> >> --
>>> >>
>>> >> ---
>>> >> You received this message because you are subscribed to the Google
>>> >> Groups
>>> >> "ossec-list" group.
>>> >> To unsubscribe from this group and stop receiving emails from it, send
>>> >> an
>>> >> email to ossec-list+...@googlegroups.com.
>>> >> For more options, visit https://groups.google.com/d/optout.

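To make the decoder/rule interplay in this thread concrete, here is an added example (not code from the thread or from OSSEC itself) that translates the two decoders dan posted into Python regexes, runs them over constructed OpenVPN lines in the same header-less format, and models rule 100504 feeding composite rule 100506 with frequency=3, timeframe=120 and same_source_ip. The correlator's firing count and its window reset after firing are simplifying assumptions, so confirm real thresholds with ossec-logtest as the thread does.

```python
import re
from datetime import datetime
# Python re translation of the two decoders in the thread (timestamp captured for parsing).
PREMATCH = re.compile(r"^(\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d) us=\d+ ")
SRCIP = re.compile(r"^(\S+):\d+ ")   # offset="after_parent", <order>srcip</order>
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Constructed sample lines in the thread's format (no syslog header); IPs and CNs are made up.
SAMPLE_LOGS = [
    "Tue Sep 20 15:26:04 2016 us=815044 203.0.113.5:37778 CRL CHECK FAILED: CN=key1 is REVOKED",
    "Tue Sep 20 15:26:09 2016 us=101000 203.0.113.5:37790 CRL CHECK FAILED: CN=key1 is REVOKED",
    "Tue Sep 20 15:26:20 2016 us=220000 198.51.100.9:41000 CRL CHECK FAILED: CN=key2 is REVOKED",
    "Tue Sep 20 15:26:30 2016 us=300000 203.0.113.5:37801 TLS handshake failed",
    "Tue Sep 20 15:27:15 2016 us=400000 203.0.113.5:37812 CRL CHECK FAILED: CN=key1 is REVOKED",
]

def decode(line):
    """Return (timestamp, srcip or None, remainder), or None when the prematch fails."""
    m = PREMATCH.match(line)
    if not m:
        return None                                # decoder "openvpn" does not apply
    rest = line[m.end():]
    ip = SRCIP.match(rest)                         # child decoder "openvpn-ip"
    return datetime.strptime(m.group(1), TS_FMT), (ip.group(1) if ip else None), rest

class RevokedCertCorrelator:
    """Rule 100504 ('CRL CHECK FAILED') feeding composite rule 100506 (frequency=3, timeframe=120,
    same_source_ip).  Simplified model: fires on exactly `frequency` hits, then resets the window."""
    def __init__(self, frequency=3, timeframe=120):
        self.frequency, self.timeframe = frequency, timeframe
        self.hits = {}                             # srcip -> timestamps of 100504 hits
    def feed(self, line):
        """Return the highest rule id the line fires (100504 or 100506) or None."""
        decoded = decode(line)
        if decoded is None or "CRL CHECK FAILED" not in decoded[2]:
            return None
        ts, srcip, _ = decoded
        if srcip is None:                          # nothing for same_source_ip to group on
            return 100504
        window = self.hits.setdefault(srcip, [])
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.timeframe:
            window.pop(0)                          # expire hits outside the timeframe
        if len(window) >= self.frequency:
            window.clear()
            return 100506
        return 100504

def run(lines):
    c = RevokedCertCorrelator()
    return [c.feed(line) for line in lines]
```

A line that the prematch accepts but that carries no "ip:port" token still raises 100504, yet can never contribute to 100506, which is exactly why the child decoder extracting srcip matters.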