Hi Dan, I have removed the old dovecot-authfailed from decoder.xml and copied your code, and I have restarted the ossec server. The behaviour is the same: in alert.log I see level 7 rule 9705, but active response doesn't trigger.
On Wednesday, October 31, 2018 at 14:52:09 UTC+1, Giorgio Biondi wrote:
>
> Hi Dan,
>
> I'll try to understand where to put the new decoder and update you ASAP.
>
> On Wednesday, October 31, 2018 at 14:21:01 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <[email protected]> wrote:
>> >
>> > Hi Dan,
>> >
>> > I have too little skill to adjust a decoder. Can you make this for me? I don't know where to start to make it.
>> >
>>
>> This works for the 1 example you provided:
>> <decoder name="dovecot-authfailed">
>>   <parent>dovecot</parent>
>>   <prematch offset="after_parent">^pop3-login: </prematch>
>>   <regex offset="after_prematch">^Disconnected \(auth failed, \d+ attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex>
>>   <order>user,srcip,dstip</order>
>> </decoder>
>>
>> > Thanks for your time.
>> >
>> > On Wednesday, October 31, 2018 at 13:56:37 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <[email protected]> wrote:
>> >> >
>> >> > Hi all,
>> >> >
>> >> > I have some entries in the log on my mail server (with the ossec agent installed) like this:
>> >> >
>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >
>> >> > and my ossec server in alert.log says:
>> >> >
>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >
>> >> > ** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
>> >> > 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
>> >> > Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >
>> >> > The problem is: rule 9705 in the dovecot rules has level 7, and in my ossec.conf all rules over level 6 trigger an active response, but not for 'dovecot'. I don't understand why.
>> >> > All AR works fine for ALL other rules, http and smtp; only for dovecot it doesn't trigger an active response.
>> >> >
>> >> > Any suggestions are appreciated.
>> >> >
>> >> > Giorgio Biondi
>> >> >
>> >>
>> >> The log message you provided does not decode the IP address.
>> >> root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest
>> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file.
>> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
>> >> ossec-testrule: Type one log per line.
>> >>
>> >> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >>
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >> full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>> >> hostname: 'mailscanner04'
>> >> program_name: 'dovecot'
>> >> log: 'pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>> >>
>> >> **Phase 2: Completed decoding.
>> >> decoder: 'dovecot'
>> >>
>> >> **Phase 3: Completed filtering (rules).
>> >> Rule id: '9705'
>> >> Level: '5'
>> >> Description: 'Dovecot Invalid User Login Attempt.'
>> >> **Alert to be generated.
>> >>
>> >> The decoders will have to be adjusted for the IP to get pulled out and be useful for active response.
>> >> You might be able to adjust the <decoder name="dovecot-authfailed"> decoder to fit.
>> >>
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
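As an added example (not code from the thread or from OSSEC), here is a Python emulation of the three phases ossec-logtest prints, using a PCRE rendering of dan's dovecot-authfailed decoder over a constructed copy of the thread's pop3-login line. It also shows that the `^pop3-login: ` prematch leaves an otherwise identical imap-login line undecoded, so no srcip would reach active response for it. The syslog pre-decode pattern and the OSSEC-regex-to-PCRE mapping are assumptions, not OSSEC's own parser.

```python
import re

# Constructed sample lines modelled on the thread's pop3-login message (not live logs).
POP3_LINE = ("Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected "
             "(auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, "
             "rip=222.252.6.70, lip=10.12.14.36")
IMAP_LINE = POP3_LINE.replace("pop3-login", "imap-login")  # same body, other service

# Phase 1 (assumption): a minimal syslog pre-decoder producing the same hostname /
# program_name / log fields that ossec-logtest printed in the thread.
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")

# Phase 2: dan's dovecot-authfailed decoder rendered as PCRE. OSSEC's \S+ and \d+
# map one-to-one here; parent, prematch and order are copied from the posted XML.
PARENT = "dovecot"
PREMATCH = "pop3-login: "
AUTHFAIL_RE = re.compile(
    r"^Disconnected \(auth failed, \d+ attempts\): user=<(\S+)>, \S+, rip=(\S+), lip=(\S+)$")
ORDER = ("user", "srcip", "dstip")


def predecode(line):
    """Phase 1: split the syslog header off; None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def decode_dovecot_authfailed(line):
    """Phase 2: parent -> prematch -> regex, returning the <order> fields or None."""
    pre = predecode(line)
    if pre is None or pre["program_name"] != PARENT:   # <parent>dovecot</parent>
        return None
    log = pre["log"]
    if not log.startswith(PREMATCH):                   # <prematch offset="after_parent">
        return None
    m = AUTHFAIL_RE.match(log[len(PREMATCH):])         # <regex offset="after_prematch">
    return dict(zip(ORDER, m.groups())) if m else None


def active_response_possible(fields, rule_level, min_level=6):
    """The thread's ossec.conf intent: level above 6 AND a decoded srcip to act on."""
    return fields is not None and rule_level > min_level and bool(fields.get("srcip"))


if __name__ == "__main__":
    for line in (POP3_LINE, IMAP_LINE):
        fields = decode_dovecot_authfailed(line)
        print(fields, "-> AR possible at level 7:", active_response_possible(fields, 7))
```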
