On Thu, Sep 20, 2018 at 7:43 AM Khoa Phạm Anh <[email protected]> wrote:
>
> Hi everybody, after I use log-test with these logs there is no result, please
> can anyone help me decode this!!!
>
> POP3:
> 2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
> Logon failure: unknown user name or bad
> password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"
>
I think this install is fairly standard, so there shouldn't be
anything too weird.
First ossec-logtest:
**Phase 1: Completed pre-decoding.
full event:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
hostname: 'rossak'
program_name: '(null)'
log:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
As we can see from the "log:" and "program_name:" entries, nothing gets decoded.
I'm not sure what all you want to pull out into fields, and I'm not
sure what daemon makes these entries.
So here is a fairly basic decoder I added to my local_decoders.xml:
<decoder name="pop3-new">
<prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d+\S,</prematch>
<regex offset="after_prematch">^\S+,\d+,(\S+):(\d+),(\S+):(\d+)\.*Msg=(\S+):</regex>
<order>dstip,dstport,srcip,srcport,extra_data</order>
</decoder>
Here's the ossec-logtest:
**Phase 1: Completed pre-decoding.
full event:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
hostname: 'rossak'
program_name: '(null)'
log:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
**Phase 2: Completed decoding.
decoder: 'pop3-new'
dstip: 'xxx.xxx.xxx.4'
dstport: '995'
srcip: 'xxx.xxx.xxx.234'
srcport: '50956'
extra_data: 'LogonFailed'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
A rule would have to be made for this to stop the 1002 alerts.
> Imap4:
> 2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
>
> *****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"
>
The above decoder almost works for this one as well:
**Phase 1: Completed pre-decoding.
full event:
'2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
*****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
hostname: 'rossak'
program_name: '(null)'
log:
'2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
*****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
**Phase 2: Completed decoding.
decoder: 'pop3-new'
dstip: 'xxx.xxx.xxx.4'
dstport: '993'
srcip: 'xxx.xxx.xxx.5'
srcport: '5'
extra_data: '""Proxy'
We'd have to play with the extra_data part.
Something like this gives us a bit more to work with:
<decoder name="pop3-new">
<prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d+\S,\S+,\d+</prematch>
</decoder>
<decoder name="pop3-new2">
<parent>pop3-new</parent>
<regex offset="after_parent">^(\S+):(\d+),(\S+):(\d+)</regex>
<order>dstip,dstport,srcip,srcport</order>
</decoder>
<decoder name="pop3-new2">
<parent>pop3-new</parent>
<regex>Msg=(\S+);</regex>
<order>extra_data</order>
</decoder>
And the logtest:
**Phase 1: Completed pre-decoding.
full event:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
hostname: 'rossak'
program_name: '(null)'
log:
'2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"'
**Phase 2: Completed decoding.
decoder: 'pop3-new'
dstip: 'xxx.xxx.xxx.4'
dstport: '995'
srcip: 'xxx.xxx.xxx.234'
srcport: '50956'
extra_data: 'LogonFailed:LogonDenied'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
And
**Phase 1: Completed pre-decoding.
full event:
'2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
*****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
hostname: 'rossak'
program_name: '(null)'
log:
'2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq
*****,"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"'
**Phase 2: Completed decoding.
decoder: 'pop3-new'
dstip: 'xxx.xxx.xxx.4'
dstport: '993'
srcip: 'xxx.xxx.xxx.5'
srcport: '52332'
extra_data: '""Proxy:DOMAIN.NAME:9933:SSL'
>
> Thanks,
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
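As an added example that is not part of the thread above, the script below does outside OSSEC what the decoders in the reply do inside it: it parses the two Exchange POP3/IMAP protocol log lines, splits the server and client endpoints into ip/port, pulls the Msg value out of the context field, and then counts LogonFailed events per client address, which is the kind of check the rule the reply says "would have to be made" would express. The field names are the ones Exchange's POP3/IMAP protocol log header uses (assumed here; the thread does not show the header line), and the two sample lines are constructed from the thread's events with the mail-client line wraps rejoined. Unlike the `Msg=(\S+);` regex, the context parser honours the double quotes around a Msg value, so a value such as `Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess` is returned whole rather than cut at its embedded `;`.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample, built from the two events quoted in the thread.
# Exchange writes the protocol log as CSV; a literal double quote inside a
# quoted field is escaped as "" (hence R=""-ERR ... "").
SAMPLE_LOG = (
    '2018-08-26T00:00:03.269Z,00000000000EE085,2,xxx.xxx.xxx.4:995,'
    'xxx.xxx.xxx.234:50956,ngapt,2,10,56,pass,*****,'
    '"R=""-ERR Logon failure: unknown user name or bad password."";'
    'Msg=LogonFailed:LogonDenied;ErrMsg=LogonFailed:LogonDenied"\n'
    '2018-08-25T00:01:41.052Z,00000000000187EB,2,xxx.xxx.xxx.4:993,'
    'xxx.xxx.xxx.5:52332,trunghq,706,26,26,login,trunghq *****,'
    '"R=ok;Msg=""Proxy:DOMAIN.NAME:9933:SSL;ProxySuccess"";'
    'ActivityContextData=acf5cf60-96e0-4d4e-a6b6-1ff897e8148a"\n'
)

# Column names as in the Exchange POP3/IMAP protocol log header (assumed).
FIELDS = [
    "dateTime", "sessionId", "seqNumber", "sIp", "cIp", "user",
    "duration", "rqsize", "rpsize", "command", "parameters", "context",
]

# One key=value item of the context field: the value is either a quoted
# string (which may itself contain ';') or a bare run up to the next ';'.
CONTEXT_ITEM = re.compile(
    r'(?P<key>[A-Za-z]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^;]*))(?:;|$)'
)


def split_endpoint(endpoint):
    """'xxx.xxx.xxx.4:995' -> ('xxx.xxx.xxx.4', 995)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_context(ctx):
    """Turn 'R=ok;Msg="a;b";ErrMsg=x' into {'R': 'ok', 'Msg': 'a;b', ...}."""
    out = {}
    for m in CONTEXT_ITEM.finditer(ctx):
        quoted, bare = m.group("quoted"), m.group("bare")
        out[m.group("key")] = quoted if quoted is not None else bare
    return out


def parse_events(text):
    """Parse protocol log text into a list of dicts with decoded fields."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        # Skip blank lines and the '#Software:'/'#Fields:' header lines.
        if not row or row[0].startswith("#"):
            continue
        ev = dict(zip(FIELDS, row))
        # Same fields the thread's decoder emits: dst is the server side.
        ev["dstip"], ev["dstport"] = split_endpoint(ev["sIp"])
        ev["srcip"], ev["srcport"] = split_endpoint(ev["cIp"])
        ev["context"] = parse_context(ev["context"])
        events.append(ev)
    return events


def failed_logons(events):
    """Events whose Msg starts with LogonFailed (the POP3 case in the thread)."""
    return [e for e in events
            if e["context"].get("Msg", "").startswith("LogonFailed")]


def failures_by_source(events):
    """Count failed logons per client address; a rule would alert above a threshold."""
    return Counter(e["srcip"] for e in failed_logons(events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(e["command"], e["srcip"], e["srcport"], "->",
              e["dstip"], e["dstport"], "Msg=" + e["context"].get("Msg", ""))
    print("failed logons by source:", dict(failures_by_source(evs)))
```

The parameters field is `*****` for the POP3 `pass` command and `trunghq *****` for the IMAP `login` command, so the password itself is already masked by Exchange and never reaches the parser; the username is in the `user` column. Feeding a real log file means reading it with the same `csv.reader` and dropping the `#`-prefixed header lines, which `parse_events` already does.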