RE: [ossec-list] Active response

[Adiel Navarro]

 

I got configured the next rule_id

 

<rules_id>5712</rules_id>

 

And checking ssh_rules.sh, I see the rule 5712:

 

<rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">

    <if_matched_sid>5710</if_matched_sid>

    <description>SSHD brute force trying to get access to </description>

    <description>the system.</description>

    <same_source_ip />

    <group>authentication_failures,</group>

  </rule>

 

<rule id="5710" level="5">

    <if_sid>5700</if_sid>

    <match>illegal user|invalid user</match>

    <description>Attempt to login using a non-existent user</description>

    <group>invalid_login,authentication_failed,</group>

  </rule>

 

 

When I check the logs generated when I try to access with an no existing user, 
I see that:

 

Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Illegal user vpn6006 from 
10.188.62.176

Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] input_userauth_request: 
illegal user vpn6006

Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Failed none for <invalid 
username> from 10.188.62.176 port 4431 ssh2

Oct 19 09:56:33 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:33 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:33 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4431 ssh2

Oct 19 09:56:35 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:35 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:35 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4431 ssh2

Oct 19 09:56:37 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4431 ssh2

Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Connection closed by 
10.188.62.176

Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] Illegal user vpn6006 from 
10.188.62.176

Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] input_userauth_request: 
illegal user vpn6006

Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] Failed none for <invalid 
username> from 10.188.62.176 port 4480 ssh2

Oct 19 09:56:43 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:43 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:43 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4480 ssh2

Oct 19 09:56:45 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:45 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:45 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4480 ssh2

Oct 19 09:56:46 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 
not found

Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) 
userauth failed[13] while authenticating: No account present for user

Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive 
for <invalid username> from 10.188.62.176 port 4480 ssh2

Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Connection closed by 
10.188.62.176

 

So, I need to create a new rule that match with the message and configure the 
active response with that new rule? 

Or What is the log that the rule needs to fire it?

 

 

 

-----Mensaje original-----
De: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] En nombre 
de dan (ddp)
Enviado el: miércoles, 19 de octubre de 2016 12:11 p.m.
Para: ossec-list@googlegroups.com
Asunto: Re: [ossec-list] Active response

 

On Wed, Oct 19, 2016 at 1:02 PM, Adiel Navarro < 
<mailto:adiel.nava...@mail.telcel.com> adiel.nava...@mail.telcel.com> wrote:

> How can I check the active-responses scripts are running?

> 

 

If there are entries in the active-responses.log file, the scripts are running.

If there are not entries in the log, you need to figure out why.

 

> In the agent, I have the next lines inserted in ossec.conf to watch the log 
> files:

> 

>  <localfile>

>     <log_format>syslog</log_format>

>     <location>/var/ossec/logs/active-responses.log</location>

>   </localfile>

> 

> How can I configure the rule?

> 

 

On the OSSEC server add a rule to /var/ossec/rules/local_rules.xml looking for 
the information in the log message.

 

For instance, I have the following logs:

Tue Oct 18 07:04:11 EDT 2016 /var/ossec/active-response/bin/pf.sh add

- 42.112.31.172 1476788651.100797 5718

Wed Oct 19 08:10:26 EDT 2016 /var/ossec/active-response/bin/pf.sh add

- 117.211.159.74 1476879026.110618 5718

 

My rules would be something like:

 

<!-- Identify an active response log message --> <rule id="987654" level="0">

  <match>/var/ossec/active-response/bin</match>

  <description>AR fired</description>

</rule>

 

<!-- Once the log message is identified, check to see if it is adding something 
to ossec_fwtable --> <rule id="987655" level="10">

   <if_sid>987654</if_sid>

   <match>pf.sh add </match>

   <description>pf.sh active response added an ip to the 
blocklist.</description> </rule>

 

After adding the rules the OSSEC processes on the server would have to be 
restarted.

 

I could make it fancier by creating a decoder, but it's probably not necessary.

 

 

> -----Mensaje original-----

> De:  <mailto:ossec-list@googlegroups.com> ossec-list@googlegroups.com [ 
> <mailto:ossec-list@googlegroups.com> mailto:ossec-list@googlegroups.com] 

> En nombre de dan (ddp) Enviado el: miércoles, 19 de octubre de 2016 11:56 a.m.

> Para:  <mailto:ossec-list@googlegroups.com> ossec-list@googlegroups.com

> Asunto: Re: [ossec-list] Active response

> 

> On Wed, Oct 19, 2016 at 12:48 PM, Adiel Navarro < 
> <mailto:adiel.nava...@mail.telcel.com> adiel.nava...@mail.telcel.com> wrote:

>> How can I Configure ossec to watch the active response.log file will fire an 
>> alert?

>> Why active-responses.log is not writing?

>> 

> 

> If active-responses.log is empty, it's probably because no active response 
> scripts are being run.

> 

> Getting alerts when AR scripts are run is pretty simple. Setup a localfile to 
> watch the log file and create a rule to alert when there are new entries.

> 

>> In agent:

>> 

>> <localfile>

>>    <log_format>syslog</log_format>

>>    <location>/var/ossec/logs/active-responses.log</location>

>>   </localfile>

>> 

>> -bash-3.2# ls -l /var/ossec/logs

>> total 86

>> -rw-r--r--      1   root       root               0 Oct 17 14:30 
>> active-responses.log

>> -rw-rw-r--   1 ossec    ossec      44032 Oct 17 14:29 ossec.log

>> 

>> in the server:

>> -bash-3.2# ls -l /var/ossec/logs

>> total 7432

>> -rw-rw---- 1 ossec ossec       0 May 19 10:01 active-responses.log

>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 alerts

>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 archives

>> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 firewall

>> -rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log

>> 

>> 

>> 

>> -----Mensaje original-----

>> De:  <mailto:ossec-list@googlegroups.com> ossec-list@googlegroups.com [ 
>> <mailto:ossec-list@googlegroups.com> mailto:ossec-list@googlegroups.com] En 
>> nombre de dan (ddp) Enviado el: miércoles, 19 de octubre de 2016 07:50 a.m.

>> Para:  <mailto:ossec-list@googlegroups.com> ossec-list@googlegroups.com

>> Asunto: Re: [ossec-list] Active response

>> 

>> On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) < <mailto:ddp...@gmail.com> 
>> ddp...@gmail.com> wrote:

>>> On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro < 
>>> <mailto:ajnavarro1...@gmail.com> ajnavarro1...@gmail.com> wrote:

>> 

>>>> Only I see the next messages in /var/ossec/logs/alers/alerts.log

>>>> 

>>>> ** Alert 1476724188.107242: mail - syslog,errors,

>>>> 

>>>> 2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages

>>>> 

>>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'

>>>> 

>>>> Oct 17 12:09:48 ixtrtc42scf kernel: type=1100

>>>> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295

>>>> ses=4294967295 msg=

>>>> 

>>>> 'op=PAM:authentication acct="root" exe="/usr/sbin/sshd"

>>>> hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

>>>> 

>>> 

>>> These log messages are not triggering 5712. In fact OSSEC isn't sure 

>>> what to do with these log messages.

>>> Is there anything in your auth log?

>>> 

>> 

>> Digging into it further, we get:

>> # cat /tmp/yy | /var/ossec/bin/ossec-logtest -q

>> 2016/10/19 08:44:09 ossec-testrule: INFO: Reading the lists file:

>> 'rules/lists/ossec.block'

>> 2016/10/19 08:44:09 ossec-testrule: INFO: Started (pid: 16098).

>> ossec-testrule: Type one log per line.

>> 

>> **Phase 1: Completed pre-decoding.

>>        full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100

>> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295

>> ses=4294967295 msg='op=PAM:authentication acct="root"

>> exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh 
>> res=failed''

>>        hostname: 'ixtrtc42scf'

>>        program_name: 'kernel'

>>        log: 'type=1100 audit(1476724188.016:36149378): user pid=6141

>> uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication 

>> acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176

>> addr=10.188.62.176 terminal=ssh res=failed''

>> 

>> **Phase 2: Completed decoding.

>>        decoder: 'iptables'

>> 

>> **Phase 3: Completed filtering (rules).

>>        Rule id: '1002'

>>        Level: '2'

>>        Description: 'Unknown problem somewhere in the system.'

>> **Alert to be generated.

>> 

>> So we'll have to create a decoder to deal with these odd log messages.

>> Adding the following decoder to my local decoders file:

>> <decoder name="wtf-iptables">

>>   <parent>iptables</parent>

>>   <prematch> exe="/usr/sbin/sshd" </prematch>

>>   <!--<regex> acct="(\S+)" hostname="(\S+)" addr="(\S+)" </regex>-->

>>   <regex> acct="(\S+)" exe="/\.+/sshd" hostname=(\S+) addr=(\S+) </regex>

>>   <order>user,dstip, srcip</order>

>> </decoder>

>> 

>> I get:

>> **Phase 1: Completed pre-decoding.

>>        full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100

>> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295

>> ses=4294967295 msg='op=PAM:authentication acct="root"

>> exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh 
>> res=failed''

>>        hostname: 'ixtrtc42scf'

>>        program_name: 'kernel'

>>        log: 'type=1100 audit(1476724188.016:36149378): user pid=6141

>> uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication 

>> acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176

>> addr=10.188.62.176 terminal=ssh res=failed''

>> 

>> **Phase 2: Completed decoding.

>>        decoder: 'iptables'

>>        dstuser: 'root'

>>        dstip: '10.188.62.176'

>>        srcip: '10.188.62.176'

>> 

>> **Phase 3: Completed filtering (rules).

>>        Rule id: '1002'

>>        Level: '2'

>>        Description: 'Unknown problem somewhere in the system.'

>> **Alert to be generated.

>> 

>> 

>> I haven't done any testing to see if this will affect anything else though.

>> 

>> --

>> 

>> ---

>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.

>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to  <mailto:ossec-list+unsubscr...@googlegroups.com> 
>> ossec-list+unsubscr...@googlegroups.com.

>> For more options, visit  <https://groups.google.com/d/optout> 
>> https://groups.google.com/d/optout.

>> 

>> --

>> 

>> ---

>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.

>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to  <mailto:ossec-list+unsubscr...@googlegroups.com> 
>> ossec-list+unsubscr...@googlegroups.com.

>> For more options, visit  <https://groups.google.com/d/optout> 
>> https://groups.google.com/d/optout.

> 

> --

> 

> ---

> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.

> To unsubscribe from this group and stop receiving emails from it, send an 
> email to  <mailto:ossec-list+unsubscr...@googlegroups.com> 
> ossec-list+unsubscr...@googlegroups.com.

> For more options, visit  <https://groups.google.com/d/optout> 
> https://groups.google.com/d/optout.

> 

> --

> 

> ---

> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.

> To unsubscribe from this group and stop receiving emails from it, send an 
> email to  <mailto:ossec-list+unsubscr...@googlegroups.com> 
> ossec-list+unsubscr...@googlegroups.com.

> For more options, visit  <https://groups.google.com/d/optout> 
> https://groups.google.com/d/optout.

 

-- 

 

---

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to  <mailto:ossec-list+unsubscr...@googlegroups.com> 
ossec-list+unsubscr...@googlegroups.com.

For more options, visit  <https://groups.google.com/d/optout> 
https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.