On Mon, Nov 12, 2018 at 1:37 PM Giorgio Biondi <[email protected]> wrote:
>
> Hi all,
>
> I have a new issue with dovecot.. I have another mail server (Iredmail) with the ossec agent installed on it..
> I get many records from the ossec server like this: (cacirro.it is a fictional domain ... I apologize to the real cacirri in the world)
>
> ** Alert 1542045111.8818974: mail - syslog,errors,
> 2018 Nov 12 18:51:51 (mailserver.tech2.it) 10.12.14.11->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>
>
Is this log message being received from "mailserver" via syslog? There are 2 timestamps in it (Nov 12 18:51:51 and Nov 12 18:51:49). That will confuse things a bit.

These decoders seem to pick everything up, but there aren't any rules associated with them.

  <decoder name="dovecot2">
    <prematch>^dovecot </prematch>
  </decoder>

  <decoder name="imap-login2">
    <parent>dovecot2</parent>
    <prematch>imap-login: </prematch>
    <regex offset="after_prematch">\(auth (\S+), \d+ attempts in \d+ secs\): user=\<(\S+)>, method=PLAIN, rip=(\S+), lip=(\S+),</regex>
    <order>status,user,srcip, dstip</order>
  </decoder>

>
> I have tried to put the log in ossec-logtest.. here is the result..
>
> [root@serverossec ~]# /var/ossec/bin/ossec-logtest
> 2018/11/12 19:26:14 ossec-testrule: INFO: Reading local decoder file.
> 2018/11/12 19:26:15 ossec-testrule: INFO: Started (pid: 29461).
> ossec-testrule: Type one log per line.
>
> Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'
>        hostname: 'mailserver'
>        program_name: '(null)'
>        log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> I would like it to trigger an 'auth failed' rule so I can trigger active response.
>
> All the best.
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
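For the 'auth failed' rule the original poster asks for, here is an added example (not from the thread and not part of OSSEC's shipped ruleset) of local rules that build on the imap-login2 decoder quoted in the reply above, together with the matching active-response stanza; the rule ids 100200/100201, the thresholds and the firewall-drop command are assumptions chosen for illustration.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (ids 100200/100201 are assumed) -->
<group name="local,dovecot,">

  <!-- Fire whenever the imap-login2 decoder extracted status "failed",
       i.e. a Dovecot "Disconnected (auth failed, ...)" line. -->
  <rule id="100200" level="5">
    <decoded_as>imap-login2</decoded_as>
    <status>failed</status>
    <description>Dovecot: IMAP authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Escalate when one source IP (the decoded rip= field) produces six
       such failures within two minutes; this is the id the active
       response keys on, so a single typo by a real user does not block them. -->
  <rule id="100201" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>Dovecot: multiple IMAP authentication failures from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>

<!-- Added example for ossec.conf: block the offending source for 10 minutes
     using the firewall-drop command that ships with OSSEC (thresholds assumed). -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100201</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Feed the original log line to ossec-logtest again after saving the rules: Phase 3 should now report rule 100200 instead of 1002, and only then is it worth restarting OSSEC to enable the active response.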
