Giorgio Biondi
2018-11-12 18:37:05 UTC
Hi all,
I have a new issue with dovecot. I have another mail server (iRedMail) with
the OSSEC agent installed on it.
I get many records from the OSSEC server like this (cacirro.it is a
fictional domain... I apologize to the real Cacirris in the world):
** Alert 1542045111.8818974: mail - syslog,errors, 2018 Nov 12 18:51:51 (
mailserver.tech2.it) 10.12.14.11->/var/log/messages Rule: 1002 (level 2) ->
'Unknown problem somewhere in the system.' Nov 12 18:51:51 mailserver
dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1
attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77,
lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>
I have tried putting the log through ossec-logtest. Here is the result:
[***@serverossec ~]# /var/ossec/bin/ossec-logtest
2018/11/12 19:26:14 ossec-testrule: INFO: Reading local decoder file.
2018/11/12 19:26:15 ossec-testrule: INFO: Started (pid: 29461).
ossec-testrule: Type one log per line.
Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info:
Disconnected (auth failed, 1 attempts in 6 secs): user=<***@cacirro.it>,
method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS,
session=<mYSbWnt6E9aaQNpN>
**Phase 1: Completed pre-decoding.
full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49
imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs):
user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11,
TLS, session=<mYSbWnt6E9aaQNpN>'
hostname: 'mailserver'
program_name: '(null)'
log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth
failed, 1 attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN,
rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
I would like it to trigger an 'auth failed' rule so that I can trigger an
active response.
All the best.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
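The logtest output above already tells the story: program_name is '(null)' because the OSSEC pre-decoder only extracts a program name when the token after the hostname is followed by a colon (optionally with a [pid]). On this host the syslog header is followed by "dovecot" and then a second timestamp, so no program name is found, and the stock dovecot decoder, which matches on program_name, never gets a chance to run; the event falls through to the generic rule 1002. The script below is an added illustration, not code from the poster or from OSSEC: it models the three phases of ossec-logtest in Python (syslog pre-decode, a dovecot auth-failure decode that keys on the log body instead of program_name, and a per-source-IP frequency rule of the kind that would feed an active response). The log lines, user names, the 3-in-120-seconds threshold and the assumed year 2018 (syslog timestamps carry no year) are all constructed for the example; the first line is the shape of the event quoted in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input. Line 1 has the double-timestamp shape from the post
# ("dovecot Nov 12 ..." with no colon after "dovecot"); line 5 shows the normal
# "dovecot: " form for contrast; line 4 is a successful login and must not count.
SAMPLE_LINES = [
    "Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<bob@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>",
    "Nov 12 18:52:03 mailserver dovecot Nov 12 18:52:01 imap-login: Info: Disconnected (auth failed, 2 attempts in 9 secs): user=<alice@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<aaaaaaaaaaaaaaaa>",
    "Nov 12 18:52:40 mailserver dovecot Nov 12 18:52:38 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS, session=<bbbbbbbbbbbbbbbb>",
    "Nov 12 18:53:10 mailserver dovecot Nov 12 18:53:09 imap-login: Info: Login: user=<dave@cacirro.it>, method=PLAIN, rip=198.51.100.7, lip=10.12.14.11, TLS, session=<cccccccccccccccc>",
    "Nov 12 18:53:30 mailserver dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@cacirro.it>, method=PLAIN, rip=203.0.113.9, lip=10.12.14.11, TLS, session=<dddddddddddddddd>",
]

# Phase 1 model: "Mon DD HH:MM:SS hostname rest"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# A program name is only recognised as "name[pid]: " with no spaces in the name.
PROGRAM_NAME = re.compile(r"^(?P<prog>[^\s:\[\]]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Phase 2 model: searched in the log body, so the missing program_name does not matter.
DOVECOT_AUTH_FAIL = re.compile(
    r"(?P<service>\w+-login): Info: Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), rip=(?P<rip>[0-9a-fA-F.:]+),"
)


def pre_decode(line):
    """Split a syslog line the way the OSSEC pre-decoder does; program_name is None when
    the token after the hostname is not followed by ':' (the poster's case)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    pm = PROGRAM_NAME.match(rest)
    prog, log = (pm.group("prog"), pm.group("msg")) if pm else (None, rest)
    return {"timestamp": m.group("ts"), "hostname": m.group("host"), "program_name": prog, "log": log}


def decode_auth_fail(log):
    """Extract user / srcip / attempts from a dovecot login failure, or None if not one."""
    m = DOVECOT_AUTH_FAIL.search(log)
    if not m:
        return None
    return {"service": m.group("service"), "user": m.group("user"), "method": m.group("method"),
            "rip": m.group("rip"), "attempts": int(m.group("attempts"))}


def parse_syslog_time(ts, year):
    # Syslog timestamps have no year; the caller supplies it (assumed 2018 here).
    return datetime.strptime(f"{' '.join(ts.split())} {year}", "%b %d %H:%M:%S %Y")


class AuthFailTracker:
    """Phase 3 model: a frequency rule, N failures from one source IP inside a sliding window."""

    def __init__(self, threshold=3, window_seconds=120):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.events = defaultdict(deque)

    def observe(self, when, rip):
        q = self.events[rip]
        q.append(when)
        while q and when - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q) >= self.threshold


def analyse(lines, threshold=3, window_seconds=120, year=2018):
    """Run all three phases over the lines; 'blocked' lists source IPs that crossed the threshold,
    i.e. the ones an active response would act on."""
    tracker = AuthFailTracker(threshold, window_seconds)
    predecoded, failures, blocked = [], [], []
    for line in lines:
        pd = pre_decode(line)
        if pd is None:
            continue
        predecoded.append(pd)
        fail = decode_auth_fail(pd["log"])
        if fail is None:
            continue
        failures.append(fail)
        when = parse_syslog_time(pd["timestamp"], year)
        if tracker.observe(when, fail["rip"]) and fail["rip"] not in blocked:
            blocked.append(fail["rip"])
    return {"predecoded": predecoded, "auth_failures": failures, "blocked": blocked}


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for pd in result["predecoded"]:
        print("program_name:", pd["program_name"])
    print("auth failures:", len(result["auth_failures"]))
    print("sources over threshold:", result["blocked"])
```

Running the script prints program_name None for the double-timestamp lines and "dovecot" for the normal one, four decoded failures, and 154.64.218.77 as the only source that crossed the threshold. The practical takeaway for OSSEC itself is the same as the decode step here: a local decoder for this host has to prematch on the log body (the "imap-login: Info: Disconnected (auth failed" part) rather than rely on program_name, and the rule built on it can then use OSSEC's frequency/timeframe attributes to drive the active response.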