On Thu, Nov 1, 2018 at 4:31 AM Giorgio Biondi <[email protected]> wrote:
>
> Hi Dan,
> I have installed on my server OSSEC V3.1 downloaded from GitHub, not the 
> official release.. about 20 days ago.. all my 10 agents are installed with this 
> version.
> Anyway.. now.. working with your decoder.. I have seen the log today, and for 
> the first time I have a trigger with rule 97XX - WORK!!!!
> Look at my log:
>
> Server Ossec : alert.log:
> [root@serverossec ~]# grep "Nov  1 03:52:58" /var/ossec/logs/alerts/alerts.log
> Nov  1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 
> 1 attempts): user=<[email protected]>, method=PLAIN, rip=196.219.91.169, 
> lip=10.12.14.36
>
> Agent Ossec : active-response.log
> [root@mailscanner04 ~]# grep "196.219.91.169" 
> /var/ossec/logs/active-responses.log
> gio  1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/host-deny.sh 
> add - 196.219.91.169 1541040779.741935 9705
> gio  1 nov 2018, 03.52.59, CET 
> /var/ossec/active-response/bin/firewall-drop.sh add - 196.219.91.169 
> 1541040779.741935 9705
>
> I do not know how to thank you .. it should be pointed out to the developers 
> of ossec that you need to change the decoder to mitigate attacks on dovecot.
>

The problem is that these log formats change, sometimes just on a per
distro basis. I don't run any dovecot instances myself, so I haven't
kept up with the changes in the log formats.
Sometimes (like in this instance), the only way we find out is someone
mentioning it on the mailing list.
More participation from the community would be great. Even if users
don't want to submit decoders and rules, up to date log samples would
help a lot.

> Before today I had never seen the 97XX rule in the log .. so without your 
> modification the ossec decoder does not detect attacks on dovecot
>
> Again, I repeat but it's right: thank you for your time.
>
> Giorgio Biondi
>
> On Wed, Oct 31, 2018 at 17:00 dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Oct 31, 2018 at 11:34 AM Giorgio Biondi
>> <[email protected]> wrote:
>> >
>> > Dan,
>> >
>> > First of all, thanks for your time.
>> >
>> > I think the problem is more treacherous.. it's not that the decoder does 
>> > not work or that the rule does not work.. it all works, in fact I see in 
>> > the alert.log that the server understands that there is a failed login.. 
>> > the problem is that, although the rule has level 7 and I have in 
>> > ossec.conf that rules above level 6 trigger active response, this does NOT 
>> > happen. As if dovecot rules could not generate an active response. 
>> > Honestly I do not know what log to watch.. I spent the last 48 hours 
>> > watching but there seems to be nothing wrong..
>> >
>>
>> You did not include the version of OSSEC you're using, so I can't do
>> specific testing.
>> You'll need to put a bit more effort into this to get the problem solved.
>> I'm short on time (real life always seems to intrude on my hobbies),
>> so here's a command to run on the OSSEC server:
>>
>> `echo 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36' | /var/ossec/bin/ossec-logtest`
>>
>> In order for OSSEC to initiate the active response (I assume anyway,
>> you did not include that configuration either) a source ip has to be
>> decoded.
>> Your initial alerts.log entry does not mention a source IP, so I had
>> to assume it was not being decoded properly (which I verified for the
>> version of OSSEC I have installed).
>>
>> So first, we need to determine if the proper data is being parsed so
>> that active response has a chance of working.
>> If it is, we need to make sure the ossec processes were restarted at
>> some point, and watch for alerts after that moment.
>>
>> >
>> > On Wednesday, October 31, 2018 at 15:37:10 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Oct 31, 2018 at 10:12 AM Giorgio Biondi
>> >> <[email protected]> wrote:
>> >> >
>> >> > Hi Dan,
>> >> >
>> >> > I have removed the old dovecot-authfailed in decoder.xml and have copied 
>> >> > your code.. and I have restarted the ossec server..  behaviour is the same..
>> >> > in the alert.log I see level 7 rule 9705 but active response doesn't 
>> >> > trigger..
>> >> >
>> >>
>> >> Make sure you restart the ossec processes on the ossec server after
>> >> you've updated the decoders.
>> >> Use ossec-logtest to test the log message.
>> >>
>> >> > On Wednesday, October 31, 2018 at 14:52:09 UTC+1, Giorgio Biondi wrote:
>> >> >>
>> >> >> Hi Dan,
>> >> >>
>> >> >> I'll try to understand where to put the new decoder and update you ASAP..
>> >> >>
>> >> >> On Wednesday, October 31, 2018 at 14:21:01 UTC+1, dan (ddpbsd) wrote:
>> >> >>>
>> >> >>> On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <[email protected]> 
>> >> >>> wrote:
>> >> >>> >
>> >> >>> > Hi Dan,
>> >> >>> >
>> >> >>> > I have too little skill to adjust a decoder.. can you make this for 
>> >> >>> > me? I don't know where to start to make it...
>> >> >>> >
>> >> >>>
>> >> >>> This works for the 1 example you provided:
>> >> >>> <decoder name="dovecot-authfailed">
>> >> >>>   <parent>dovecot</parent>
>> >> >>>   <prematch offset="after_parent">^pop3-login: </prematch>
>> >> >>>   <regex offset="after_prematch">^Disconnected \(auth failed, \d+ attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex>
>> >> >>>   <order>user,srcip,dstip</order>
>> >> >>> </decoder>
>> >> >>>
>> >> >>>
>> >> >>> > Thanks for your time..
>> >> >>> >
>> >> >>> > On Wednesday, October 31, 2018 at 13:56:37 UTC+1, dan (ddpbsd) wrote:
>> >> >>> >>
>> >> >>> >> On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi 
>> >> >>> >> <[email protected]> wrote:
>> >> >>> >> >
>> >> >>> >> > Hi at all,
>> >> >>> >> >
>> >> >>> >> > I have some entries in the log on my mailserver (with the ossec 
>> >> >>> >> > agent installed) like this:
>> >> >>> >> >
>> >> >>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected 
>> >> >>> >> > (auth failed, 1 attempts): user=<[email protected]>, 
>> >> >>> >> > method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >>> >> >
>> >> >>> >> > and my ossec server in the alert.log says:
>> >> >>> >> >
>> >> >>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected 
>> >> >>> >> > (auth failed, 1 attempts): user=<[email protected]>, 
>> >> >>> >> > method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >>> >> >
>> >> >>> >> > ** Alert 1540983795.5645464: mail  - 
>> >> >>> >> > dovecot,invalid_login,authentication_failed,
>> >> >>> >> > 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 
>> >> >>> >> > 10.12.14.36->/var/log/messages
>> >> >>> >> > Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
>> >> >>> >> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected 
>> >> >>> >> > (auth failed, 1 attempts): user=<[email protected]>, 
>> >> >>> >> > method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>> >> >>> >> >
>> >> >>> >> > The problem is: rule 9705 in the dovecot rules has level 7 and 
>> >> >>> >> > in my ossec.conf all rules over level 6 trigger an active 
>> >> >>> >> > response.. but not for 'dovecot'.. I don't understand why..
>> >> >>> >> > All AR work fine for ALL other rules.. http and smtp.. only 
>> >> >>> >> > for dovecot doesn't trigger an active response..
>> >> >>> >> >
>> >> >>> >> > Any suggestion is appreciated.
>> >> >>> >> >
>> >> >>> >> > Giorgio Biondi
>> >> >>> >> >
>> >> >>> >>
>> >> >>> >> The log message you provided does not decode the IP address.
>> >> >>> >> root@buildtest:/home/ddp/src/ossec-hids# 
>> >> >>> >> /var/ossec/bin/ossec-logtest
>> >> >>> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder 
>> >> >>> >> file.
>> >> >>> >> 2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
>> >> >>> >> ossec-testrule: Type one log per line.
>> >> >>> >>
>> >> >>> >> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected 
>> >> >>> >> (auth
>> >> >>> >> failed, 1 attempts): user=<[email protected]>, method=PLAIN,
>> >> >>> >> rip=222.252.6.70, lip=10.12.14.36
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> **Phase 1: Completed pre-decoding.
>> >> >>> >>        full event: 'Oct 31 12:03:15 mailscanner04 dovecot: 
>> >> >>> >> pop3-login:
>> >> >>> >> Disconnected (auth failed, 1 attempts):
>> >> >>> >> user=<[email protected]>, method=PLAIN, rip=222.252.6.70,
>> >> >>> >> lip=10.12.14.36'
>> >> >>> >>        hostname: 'mailscanner04'
>> >> >>> >>        program_name: 'dovecot'
>> >> >>> >>        log: 'pop3-login: Disconnected (auth failed, 1 attempts):
>> >> >>> >> user=<[email protected]>, method=PLAIN, rip=222.252.6.70,
>> >> >>> >> lip=10.12.14.36'
>> >> >>> >>
>> >> >>> >> **Phase 2: Completed decoding.
>> >> >>> >>        decoder: 'dovecot'
>> >> >>> >>
>> >> >>> >> **Phase 3: Completed filtering (rules).
>> >> >>> >>        Rule id: '9705'
>> >> >>> >>        Level: '5'
>> >> >>> >>        Description: 'Dovecot Invalid User Login Attempt.'
>> >> >>> >> **Alert to be generated.
>> >> >>> >>
>> >> >>> >> The decoders will have to be adjusted for the IP to get pulled
>> >> >>> >> out and be useful for active response.
>> >> >>> >> You might be able to adjust the <decoder name="dovecot-authfailed">
>> >> >>> >> decoder to fit.
>> >> >>> >>
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >> > --
>> >> >>> >> >
>> >> >>> >> > ---
>> >> >>> >> > You received this message because you are subscribed to the 
>> >> >>> >> > Google Groups "ossec-list" group.
>> >> >>> >> > To unsubscribe from this group and stop receiving emails from 
>> >> >>> >> > it, send an email to [email protected].
>> >> >>> >> > For more options, visit https://groups.google.com/d/optout.
>> >> >>> >
>> >> >
>> >
>>
>

