Hi Dan,

I'll try to understand where to put the new decoder and update you ASAP..

On Wednesday, 31 October 2018 at 14:21:01 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <[email protected]> wrote: 
> > 
> > Hi Dan, 
> > 
> > I don't have enough skill to adjust a decoder.. can you make this for me? 
> > I don't know where to start making it... 
> > 
>
> This works for the 1 example you provided: 
> <decoder name="dovecot-authfailed"> 
>   <parent>dovecot</parent> 
>   <prematch offset="after_parent">^pop3-login: </prematch> 
>   <regex offset="after_prematch">^Disconnected \(auth failed, \d+ attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex> 
>   <order>user,srcip,dstip</order> 
> </decoder> 
>
>
> > Thanks for your time.. 
> > 
> > On Wednesday, 31 October 2018 at 13:56:37 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <[email protected]> 
> wrote: 
> >> > 
> >> > Hi at all, 
> >> > 
> >> > I have some entries in the log on my mailserver (with the ossec agent 
> >> > installed) like this: 
> >> > 
> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36 
> >> > 
> >> > and my ossec server says in alert.log: 
> >> > 
> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36 
> >> > 
> >> > ** Alert 1540983795.5645464: mail  - dovecot,invalid_login,authentication_failed, 
> >> > 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages 
> >> > Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.' 
> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36 
> >> > 
> >> > The problem is: rule 9705 in the dovecot rules has level 7, and in my 
> >> > ossec.conf all rules over level 6 trigger an active response.. but not 
> >> > for 'dovecot'.. I don't understand why.. 
> >> > All AR work fine for ALL other rules.. http and smtp.. only for dovecot 
> >> > doesn't trigger an active response.. 
> >> > 
> >> > Any suggestions are appreciated. 
> >> > 
> >> > Giorgio Biondi 
> >> > 
> >> 
> >> The log message you provided does not decode the IP address. 
> >> root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest 
> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file. 
> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409). 
> >> ossec-testrule: Type one log per line. 
> >> 
> >> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36 
> >> 
> >> 
> >> **Phase 1: Completed pre-decoding. 
> >>        full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36' 
> >>        hostname: 'mailscanner04' 
> >>        program_name: 'dovecot' 
> >>        log: 'pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36' 
> >> 
> >> **Phase 2: Completed decoding. 
> >>        decoder: 'dovecot' 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '9705' 
> >>        Level: '5' 
> >>        Description: 'Dovecot Invalid User Login Attempt.' 
> >> **Alert to be generated. 
> >> 
> >> The decoders will have to be adjusted for the IP to get pulled out 
> >> and be useful for active response. 
> >> You might be able to adjust the <decoder name="dovecot-authfailed"> 
> >> decoder to fit. 
> >> 
> >> > 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an email to [email protected]. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
>

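Added example, not from the thread and not OSSEC's own code: a small Python script that emulates the decode stages (syslog pre-decoding, the decoder's prematch, then its regex) with Python's re module, so you can check offline which log lines actually yield a srcip before relying on an active response. OSSEC's regex dialect is not PCRE and the sample lines below are constructed (documentation-range addresses, made-up users); the prematch here also accepts imap-login, which goes beyond Dan's pop3-only decoder and is an assumption of this example. The authoritative check remains pasting the real line into /var/ossec/bin/ossec-logtest and confirming that Phase 2 of its output lists the srcip field.

```python
"""Offline check of the dovecot-authfailed field extraction.

Python re stands in for OSSEC's regex engine here; this is an approximation
for checking that srcip/dstip/user come out of a line, not OSSEC code.
"""
import re

# Constructed sample lines shaped like the one posted in the thread.
SAMPLE_LOGS = [
    # pop3-login auth failure: should decode with user, srcip, dstip.
    "Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected "
    "(auth failed, 1 attempts): user=<someone@example.com>, method=PLAIN, "
    "rip=203.0.113.7, lip=10.12.14.36",
    # imap-login variant: assumed extra case, Dan's decoder only prematches pop3-login.
    "Oct 31 12:04:02 mailscanner04 dovecot: imap-login: Disconnected "
    "(auth failed, 3 attempts): user=<admin>, method=LOGIN, "
    "rip=198.51.100.9, lip=10.12.14.36",
    # A successful login must not be decoded as an auth failure.
    "Oct 31 12:05:40 mailscanner04 dovecot: pop3-login: Login: "
    "user=<bob@example.com>, method=PLAIN, rip=192.0.2.5, lip=10.12.14.36",
    # Not dovecot at all; the parent decoder would never match.
    "Oct 31 12:06:01 mailscanner04 sshd[1234]: Failed password for root "
    "from 192.0.2.9 port 2222 ssh2",
]

# Stage 1: syslog pre-decoding, mirroring the hostname/program_name/log split
# that ossec-logtest prints in Phase 1.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?P<program_name>[^:\s\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Stage 2: the decoder's prematch (offset after_parent) ...
PREMATCH_RE = re.compile(r"^(?:pop3|imap)-login: ")
# ... and its regex (offset after_prematch), translated to Python syntax.
AUTHFAIL_RE = re.compile(
    r"^Disconnected \(auth failed, \d+ attempts\): user=<(?P<user>\S+)>, "
    r"\S+, rip=(?P<srcip>\S+), lip=(?P<dstip>\S+)$"
)
ORDER = ("user", "srcip", "dstip")  # same as the decoder's <order>


def decode(line):
    """Return {user, srcip, dstip} for a dovecot auth-failure line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program_name") != "dovecot":
        return None  # parent decoder 'dovecot' would not fire
    rest = m.group("log")
    pm = PREMATCH_RE.match(rest)
    if not pm:
        return None  # prematch fails: child decoder not tried
    rm = AUTHFAIL_RE.match(rest[pm.end():])  # regex runs after the prematch
    if not rm:
        return None
    return {name: rm.group(name) for name in ORDER}


def srcips_for_active_response(lines):
    """Addresses an IP-based active response could act on.

    Only lines whose decoder filled srcip qualify; a line that merely matches
    a high-level rule but decodes no srcip gives the response nothing to block.
    """
    found = []
    for line in lines:
        fields = decode(line)
        if fields and fields.get("srcip"):
            found.append(fields["srcip"])
    return found


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line), "<-", line[16:70])
    print("srcip available for:", srcips_for_active_response(SAMPLE_LOGS))
```

Run it as-is to see which constructed lines produce a srcip; to test a real line, replace the entries in SAMPLE_LOGS and then confirm the result with ossec-logtest, since only OSSEC's own engine decides what the decoder really extracts.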