Hi, no, sorry for the mistake. This is an entry that arrived just now from my mailserver:

Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, session=<qAl66DV4V8Ip3jpH>
On Sun, 14 Oct 2018 at 18:07, dan (ddp) <[email protected]> wrote:
>
> On Sun, Oct 14, 2018 at 12:05 PM Giorgio Biondi <[email protected]> wrote:
>
>> Hi,
>>
>> I have a problem on my mailserver with ossec: I have seen some brute force
>> attacks but ossec doesn't react to this log.
>> I have tried with the logtest tool, and 'no decoder match' is returned, but
>> my ossec installation has rules for dovecot.
>>
>> Does somebody have a hint?
>>
>> See this:
>>
>> [root@mailserver bin]# ./ossec-logtest
>> 2018/10/14 16:12:27 ossec-testrule: INFO: Reading local decoder file.
>> 2018/10/14 16:12:27 ossec-testrule: INFO: Started (pid: 32967).
>> ossec-testrule: Type one log per line.
>>
>>
>> Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, me thod=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>
>>
>
> Are there really 2 timestamps in the log message?
>
>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, me thod=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
>> hostname: 'mailserver'
>> program_name: '(null)'
>> log: 'dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, me thod=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
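The logtest output in the thread shows why the dovecot rules never fire: phase 1 (pre-decoding) splits the syslog header into hostname, program_name and log, and the pasted line yields program_name '(null)' because "dovecot" is not followed by the ":" a syslog program name needs, so a decoder selected by program name is never tried in phase 2. The Python below is an added illustration, not OSSEC's code and not from anyone in the thread: it models the three logtest phases with a simplified syslog pre-decoder and a dovecot-style auth-failure decoder, then counts decoded failures per source IP. The decoder regex, the well-formed sample lines (assumed to be what Dovecot writes through syslog with the ident "dovecot"), the user name and the threshold are constructed assumptions; the two malformed shapes reproduce the lines quoted in the thread.

```python
import re
from collections import Counter

# --- Phase 1: pre-decoding. A simplified stand-in for logtest's syslog header
# parse; OSSEC's real pre-decoder handles more formats, this only models the
# three fields logtest prints (hostname, program_name, log). ---
TS_HOST = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<rest>.*)$"
)
PROGRAM = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def pre_decode(line):
    """Return the fields logtest shows in phase 1: hostname, program_name, log."""
    m = TS_HOST.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    p = PROGRAM.match(m.group("rest"))
    if not p:
        # No "program: " after the hostname, so program_name stays unknown and
        # the remainder of the line becomes the log body (the thread's case).
        return {"hostname": m.group("hostname"), "program_name": None, "log": m.group("rest")}
    return {"hostname": m.group("hostname"), "program_name": p.group("program"), "log": p.group("log")}


# --- Phase 2: a dovecot-style decoder (assumed regex), only consulted when the
# pre-decoded program_name is "dovecot", as program_name-keyed decoders are. ---
AUTH_FAILED = re.compile(
    r"^imap-login: Info: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<srcip>[0-9a-fA-F.:]+)"
)


def decode(line):
    """Pre-decode, then run the dovecot decoder; None means 'No decoder matched'."""
    pre = pre_decode(line)
    if pre["program_name"] != "dovecot":
        return None
    m = AUTH_FAILED.match(pre["log"])
    if not m:
        return None
    return {
        "hostname": pre["hostname"],
        "user": m.group("user"),
        "srcip": m.group("srcip"),
        "attempts": int(m.group("attempts")),
    }


# --- Phase 3 (simplified): count decoded failures per source, flag at a threshold. ---
def failed_auth_sources(lines, threshold=3):
    """Return {srcip: count} for sources with at least `threshold` decoded failures."""
    counts = Counter()
    for line in lines:
        ev = decode(line)
        if ev:
            counts[ev["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed samples. The first reproduces the logtest input from the thread
# (two timestamps, no ":" after "dovecot"); the second the raw entry with no
# hostname or program name; the rest are well-formed syslog lines (assumption:
# Dovecot logging via syslog with ident "dovecot"). The user is a placeholder.
THREAD_LOGTEST_INPUT = (
    "Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected "
    "(auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, "
    "rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>"
)
THREAD_RAW_ENTRY = (
    "Oct 14 22:10:18 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): "
    "user=<user@example.com>, method=PLAIN, rip=41.222.58.71, lip=10.12.14.11, TLS, "
    "session=<qAl66DV4V8Ip3jpH>"
)
WELL_FORMED = [
    f"Oct 14 22:10:{s:02d} mailserver dovecot: imap-login: Info: Disconnected "
    f"(auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, "
    f"rip=41.222.58.71, lip=10.12.14.11, TLS, session=<s{s}>"
    for s in range(18, 22)
]

if __name__ == "__main__":
    for label, line in (("thread logtest input", THREAD_LOGTEST_INPUT), ("thread raw entry", THREAD_RAW_ENTRY)):
        print(label, "->", pre_decode(line)["program_name"], "->", decode(line))
    print("well-formed ->", decode(WELL_FORMED[0]))
    print("sources over threshold:", failed_auth_sources(WELL_FORMED + [THREAD_RAW_ENTRY]))
```

Running it, the two shapes from the thread never reach the dovecot decoder (the first pre-decodes to hostname 'mailserver' with no program name, exactly as logtest printed), while the well-formed lines decode to user and srcip and the per-source counter reaches the threshold. The practical check this suggests is to compare what the agent actually reads (the raw file line, including whether the syslog header carries "dovecot:") with what the decoder expects, since only a program name that pre-decodes cleanly lets the stock rules see the event.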
