Hi Dan,
I have installed OSSEC v3.1 on my server, downloaded from GitHub, not the
official release.. about 20 days ago.. all my 10 agents are installed with
this version.
Anyway.. now.. working with your decoder.. I have seen the log today, and for
the first time I have a trigger with rule 97XX - IT WORKS!!!!
Look at my log:
Server OSSEC: alert.log:
[***@serverossec ~]# grep "Nov 1 03:52:58" /var/ossec/logs/alerts/alerts.log
Nov 1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<***@caccabee.it>, method=PLAIN, rip=196.219.91.169, lip=10.12.14.36
Agent OSSEC: active-responses.log
[***@mailscanner04 ~]# grep "196.219.91.169" /var/ossec/logs/active-responses.log
gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/host-deny.sh add - 196.219.91.169 1541040779.741935 9705
gio 1 nov 2018, 03.52.59, CET /var/ossec/active-response/bin/firewall-drop.sh add - 196.219.91.169 1541040779.741935 9705
I do not know how to thank you.. it should be pointed out to the
developers of OSSEC that the decoder needs to be changed to mitigate attacks
on Dovecot.
Before today I had never seen the 97XX rule in the log.. so without your
modification the OSSEC decoder does not detect attacks on Dovecot.
Again, I repeat, but it's right: thank you for your time.
Giorgio Biondi
dan (ddp) wrote:
On Wed, Oct 31, 2018 at 11:34 AM Giorgio Biondi wrote:
Dan,
first of all, thanks for your time.
I think the problem is more treacherous.. it's not that the decoder
doesn't work or that the rule doesn't work.. it all works, in fact I see
in the alert.log that the server understands that there is a failed login..
the problem is that, although the rule has level 7 and I have in
ossec.conf that rules above level 6 trigger active response, this does NOT
happen. As if dovecot rules could not generate an active response. Honestly
I do not know what log to watch.. I spent the last 48 hours watching but
there seems to be nothing wrong..
You did not include the version of OSSEC you're using, so I can't do
specific testing.
You'll need to put a bit more effort into this to get the problem solved.
I'm short on time (real life always seems to intrude on my hobbies),
`echo 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected method=PLAIN, rip=222.252.6.70, lip=10.12.14.36' | /var/ossec/bin/ossec-logtest`
In order for OSSEC to initiate the active response (I assume anyway,
you did not include that configuration either) a source ip has to be
decoded.
Your initial alerts.log entry does not mention a source IP, so I had
to assume it was not being decoded properly (which I verified for the
version of OSSEC I have installed).
So first, we need to determine if the proper data is being parsed so
that active response has a chance of working.
If it is, we need to make sure the ossec processes were restarted at
some point, and watch for alerts after that moment.
Giorgio Biondi wrote:
On Wednesday, 31 October 2018 at 15:37:10 UTC+1, dan (ddpbsd) wrote:
On Wed, Oct 31, 2018 at 10:12 AM Giorgio Biondi wrote:
Hi Dan,
I have removed the old dovecot-authfailed from decoder.xml and copied
your code.. and I have restarted the ossec server.. the behaviour is the same..
in the alert.log I see level 7 rule 9705 but active response doesn't
trigger..
dan (ddp) wrote:
Make sure you restart the ossec processes on the ossec server after
you've updated the decoders.
Use ossec-logtest to test the log message.
On Wednesday, 31 October 2018 at 14:52:09 UTC+1, Giorgio Biondi wrote:
Hi Dan,
I will try to understand where to put the new decoder and update you ASAP..
On Wednesday, 31 October 2018 at 14:21:01 UTC+1, dan (ddpbsd) wrote:
On Wed, Oct 31, 2018 at 9:17 AM Giorgio Biondi <
Hi Dan,
I have too little skill to adjust a decoder.. can you make this
for me? I don't know where to start to make it...
dan (ddp) wrote:
<decoder name="dovecot-authfailed">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^pop3-login: </prematch>
  <regex offset="after_prematch">^Disconnected \(auth failed, \d+ attempts\): user=\<(\S+)>, \S+, rip=(\S+), lip=(\S+)$</regex>
  <order>user,srcip,dstip</order>
</decoder>
Giorgio Biondi wrote:
Thanks for your time..
On Wednesday, 31 October 2018 at 13:56:37 UTC+1, dan (ddpbsd) wrote:
On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <
Hi all,
I have some entries in the log on my mailserver (with installed
method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
dovecot,invalid_login,authentication_failed,
10.12.14.36->/var/log/messages
method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
and in my ossec.conf all rules over level 6 trigger an active response.. but
not for 'dovecot'.. I don't understand why..
for dovecot no active response is triggered..
/var/ossec/bin/ossec-logtest
file.
2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
ossec-testrule: Type one log per line.
Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected
(auth
rip=222.252.6.70, lip=10.12.14.36
**Phase 1: Completed pre-decoding.
lip=10.12.14.36'
hostname: 'mailscanner04'
program_name: 'dovecot'
lip=10.12.14.36'
**Phase 2: Completed decoding.
decoder: 'dovecot'
**Phase 3: Completed filtering (rules).
Rule id: '9705'
Level: '5'
Description: 'Dovecot Invalid User Login Attempt.'
**Alert to be generated.
The decoders will have to be adjusted for the IP to get
pulled
name="dovecot-authfailed">
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
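The thread turns on one point Dan makes: OSSEC will not run an active response for a dovecot alert unless the decoder actually extracts a source IP (srcip) from the line. The following is an added example, not part of the thread and not OSSEC's own code: a small Python re-implementation of the three ossec-logtest phases (pre-decoding of the syslog header, the parent dovecot decoder plus the dovecot-authfailed child decoder posted above, and a level/srcip gate standing in for the active-response check). It uses Python's re module as an approximation of OSSEC's own regex engine, constructs its own sample lines (the user and IP values are placeholders), and takes the rule level as a parameter because the thread shows both level 5 and level 7 for rule 9705.

```python
import re
from typing import Optional

# Constructed sample lines shaped like the ones in the thread; values are placeholders.
AUTH_FAILED_LINE = (
    "Nov 1 03:52:58 mailscanner04 dovecot: pop3-login: Disconnected "
    "(auth failed, 1 attempts): user=<victim@example.test>, method=PLAIN, "
    "rip=192.0.2.10, lip=10.12.14.36"
)
# Shaped like the truncated line fed to ossec-logtest in the thread:
# no "(auth failed, N attempts): user=<...>," part, so the child decoder cannot match.
TRUNCATED_LINE = (
    "Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected "
    "method=PLAIN, rip=192.0.2.10, lip=10.12.14.36"
)

# Phase 1 (pre-decoding): split the syslog header into hostname, program_name and message.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2 (decoding), following the dovecot-authfailed decoder from the thread:
#   parent    dovecot            (matched on program_name)
#   prematch  ^pop3-login:       (offset after_parent)
#   regex     ^Disconnected \(auth failed, \d+ attempts\): user=<(\S+)>, \S+, rip=(\S+), lip=(\S+)$
#   order     user,srcip,dstip
# OSSEC's OS_Regex is not PCRE; this Python translation is an assumption that keeps the same meaning.
PREMATCH = re.compile(r"^pop3-login: ")
AUTHFAILED = re.compile(
    r"^Disconnected \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>\S+)>, \S+, rip=(?P<srcip>\S+), lip=(?P<dstip>\S+)$"
)


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields for a dovecot line, or None for anything else."""
    m = SYSLOG_HEADER.match(line)
    if not m or m["program_name"] != "dovecot":
        return None
    fields = {
        "hostname": m["hostname"],
        "program_name": m["program_name"],
        "decoder": "dovecot",  # parent decoder matched
    }
    rest = m["log"]
    pm = PREMATCH.match(rest)
    if pm:
        am = AUTHFAILED.match(rest[pm.end():])  # offset="after_prematch"
        if am:
            fields["decoder"] = "dovecot-authfailed"
            fields.update(am.groupdict())  # user, srcip, dstip
    return fields


def active_response_fires(fields: Optional[dict], rule_level: int, threshold: int = 6) -> bool:
    """Model of the gate the thread describes: the rule level must exceed the
    configured threshold AND a srcip must have been decoded, otherwise the
    IP-based responses (host-deny.sh, firewall-drop.sh) have nothing to act on."""
    return rule_level > threshold and bool(fields and fields.get("srcip"))


if __name__ == "__main__":
    for line in (AUTH_FAILED_LINE, TRUNCATED_LINE):
        d = decode(line)
        print(d)
        print("active response at level 7:", active_response_fires(d, 7))
```

Running the decoded fields through the gate shows the failure mode from the thread: the complete line decodes to dovecot-authfailed with a srcip and passes at level 7, while the truncated line only reaches the parent dovecot decoder, yields no srcip, and passes at no level at all. That is exactly what "the decoders will have to be adjusted for the IP to get pulled" means in practice.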