Thanks for the help.

It still isn't working on my end, so I think I have a misunderstanding I 
need to work through.

Appreciate the help

-b

On Tuesday, September 20, 2016 at 1:44:54 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Sep 20, 2016 at 1:04 PM,  <bar...@bossanova.com> wrote:
> > I misspoke in the original email. I was attempting to fire 100506 based
> > on 100504.
> > 
>
>
>
> > A side question: My openvpn install does not log to syslog and does not
> > contain the program name. I was forced to name all decoders the same in
> > order to get the rule to match. Is there a more elegant way to handle this?
> > Or better yet indicate that a certain log file should only have certain
> > decoders applied?
> > 
>
> There is no way to bind decoders to log files. 
> Handling bad log sources can be difficult. It's best to abstract as 
> much as possible. 
>
> These decoders get the IP address in the log messages (not tested for 
> conflicts with anything else, and I obviously don't have the log 
> samples you do): 
> <decoder name="openvpn"> 
>   <prematch>^\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d us=\d+ </prematch> 
> </decoder> 
>
> <decoder name="openvpn-ip"> 
>   <parent>openvpn</parent> 
>   <regex offset="after_parent">^(\S+):\d+ </regex> 
>   <order>srcip</order> 
> </decoder> 
>
> With these, and the rules you provided, I'm able to get 100506 to fire 
> after a number of 100504s (in ossec-logtest). 
>
>
> > Thank you very much for the help. 
> > 
> > -b 
> > 
> > 
> > On Tuesday, September 20, 2016 at 12:59:53 PM UTC-4, bar...@bossanova.com
> > wrote:
> >> 
> >> I didn't post the entire ruleset or my decoders 
> >> 
> >> Rule 100500 exists. I have a decoder that also extracts the src IP
> >> 
> >> I have attached the complete rules and decoders 
> >> 
> >> On Tuesday, September 20, 2016 at 12:25:30 PM UTC-4, dan (ddpbsd) wrote:
> >>> 
> >>> On Tue, Sep 20, 2016 at 12:20 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> >>> > On Tue, Sep 20, 2016 at 11:58 AM,  <bar...@bossanova.com> wrote: 
> >>> >> Question: I have a custom decoder/rule which I believe should lead to
> >>> >> an active response
> >>> >> 
> >>> >> 
> >>> >> My alert logs show: 
> >>> >> 
> >>> >> OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG:
> >>> >> "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.",
> >>> >> USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0",
> >>> >> LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20
> >>> >> 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA,
> >>> >> L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key,
> >>> >> name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
> >>> >> 
> >>> >> I have a set of rules like the below snippet shows 
> >>> >> 
> >>> >> custom_rules.xml snippet 
> >>> >> 
> >>> >> <rule id="100504" level="5"> 
> >>> >>     <if_sid>100500</if_sid> 
> >>> > 
> >>> > Rule 100500 is missing. 
> >>> > 
> >>> >>     <match>CRL CHECK FAILED</match> 
> >>> >>     <description>Revoked Certificate Usage.</description> 
> >>> >>     <group>authentication_failed,</group> 
> >>> >> </rule> 
> >>> >> 
> >>> >> <rule id="100505" level="5"> 
> >>> >>     <if_sid>100500</if_sid> 
> >>> >>     <match>TLS handshake failed</match> 
> >>> >>     <description>TLS handshake failed</description> 
> >>> >>     <group>authentication_failed,</group> 
> >>> >> </rule> 
> >>> >> 
> >>> >> 
> >>> >> <rule id="100506" level="10" frequency="3" timeframe="120" ignore="90">
> >>> >>     <if_matched_sid>100504</if_matched_sid>
> >>> >>     <same_source_ip/>
> >>> >>     <description>Multiple Revoked CRL OpenVPN authentication failures.</description>
> >>> >>     <group>authentication_failures,</group>
> >>> >> </rule>
> >>> >> 
> >>> >> 
> >>> >> <rule id="100507" level="10" frequency="3" timeframe="120" ignore="90">
> >>> >>     <if_matched_sid>100505</if_matched_sid>
> >>> >>     <same_source_ip/>
> >>> >>     <description>Multiple OpenVPN authentication failures.</description>
> >>> >>     <group>authentication_failures,</group>
> >>> >> </rule>
> >>> >> 
> >>> >> <rule id="100508" level="0">
> >>> >>     <if_sid>100500</if_sid>
> >>> >>     <match>error trying to bind as user|</match>
> >>> >>     <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
> >>> >>     <match>Username/Password verification failed for peer|</match>
> >>> >>     <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match>
> >>> >>     <description>OpenVPN message that is useless, redundant, or lacking context.</description>
> >>> >> </rule>
> >>> >> 
> >>> >> 
> >>> >> 
> >>> >> 
> >>> >> My expectation is that rule 100507 should match if 100504 matches 3
> >>> >> times within 2 minutes
> >>> >> 
> >>> > 
> >>> > Rule 100507 is set up to fire if 100505 (not 100504) fires 5+ times
> >>> > within 90 seconds.
> >>> > 
> >>> 
> >>> Adding a 100500 and a decoder (to match the IP address so that 
> >>> <same_ip /> has something to work with), I can get 100506 to fire 
> >>> after a number of 100504s. 
> >>> I haven't verified 100507 yet though. 
> >>> 
> >>> 
> >>> >> 
> >>> >> I have active response enabled in my ossec.conf but my
> >>> >> active_response.log shows no activity
> >>> >> 
> >>> > 
> >>> > Do they rely on 100507? If so, that shouldn't be a surprise. 
> >>> > 
> >>> > 
> >>> >> Any advice? 
> >>> >> 
> >>> >> Thanks 
> >>> >> 
> >>> >> -barrett 
> >>> >> 
> >>> >> --
> >>> >>
> >>> >> ---
> >>> >> You received this message because you are subscribed to the Google
> >>> >> Groups "ossec-list" group.
> >>> >> To unsubscribe from this group and stop receiving emails from it, send
> >>> >> an email to ossec-list+...@googlegroups.com.
> >>> >> For more options, visit https://groups.google.com/d/optout.
> > 
>

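Dan's two decoders and the 100504/100506 pair from the thread, replayed over constructed OpenVPN log lines as an added example (this is not code from the thread or from OSSEC). The OSSEC regex dialect is translated only for the subset these decoders use, and the frequency/timeframe/ignore counting is a simplified stand-in for OSSEC's own logic (both assumptions); the point it shows is that `<same_source_ip/>` only has something to correlate on once the child decoder has actually populated srcip.

```python
import re
from collections import defaultdict, deque

# OSSEC regex dialect -> Python re, for the subset used here (assumption; OSSEC \w also covers '@', '_', '-').
OSSEC_CLASSES = {"w": "[A-Za-z0-9@_-]", "d": "[0-9]", "S": r"\S", "s": " "}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "^$+*()|" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

# The two decoders from the thread: parent prematch, then the child regex applied after it.
PREMATCH = re.compile(ossec_to_python(r"^\w\w\w \w\w\w \d\d \d\d:\d\d:\d\d \d\d\d\d us=\d+ "))
SRCIP_RE = re.compile(ossec_to_python(r"^(\S+):\d+ "))

def decode(line):
    """Return {'srcip': ...} when both decoders match the raw OpenVPN line, else None."""
    parent = PREMATCH.match(line)
    if not parent:
        return None
    child = SRCIP_RE.match(line[parent.end():])  # offset="after_parent"
    return {"srcip": child.group(1)} if child else None

class RevokedCertCorrelator:
    """Rule 100504 (substring match) feeding 100506; counting is a simplified stand-in (assumption)."""
    def __init__(self, frequency=3, timeframe=120, ignore=90):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.hits = defaultdict(deque)  # srcip -> timestamps of 100504 matches
        self.last_fired = {}            # srcip -> last time 100506 fired
    def feed(self, ts, line):
        """Return the rule id this line triggers (100504 or 100506), or None."""
        fields = decode(line)
        if fields is None or "CRL CHECK FAILED" not in line:
            return None
        window = self.hits[fields["srcip"]]   # same_source_ip: one window per decoded srcip
        window.append(ts)
        while ts - window[0] > self.timeframe:  # expire events outside the timeframe
            window.popleft()
        last = self.last_fired.get(fields["srcip"], float("-inf"))
        if len(window) >= self.frequency and ts - last > self.ignore:
            self.last_fired[fields["srcip"]] = ts
            window.clear()
            return 100506
        return 100504
```

Feeding a syslog-prefixed line (program name in front of the timestamp) returns None from `decode`, which is the situation the thread describes when the decoders do not line up with the raw log format.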
