Discussion:
[ossec-list] Ossec and dovecot - never ending story
Giorgio Biondi
2018-11-12 18:37:05 UTC
Hi all,

I have a new issue with dovecot. I have another mail server (iRedMail) with
the ossec agent installed on it.
I have many records from the ossec server like this (cacirro.it is a
fictional domain; I apologize to the real cacirri in the world):

** Alert 1542045111.8818974: mail - syslog,errors, 2018 Nov 12 18:51:51 (
mailserver.tech2.it) 10.12.14.11->/var/log/messages Rule: 1002 (level 2) ->
'Unknown problem somewhere in the system.' Nov 12 18:51:51 mailserver
dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth failed, 1
attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77,
lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>


I have tried putting the log into ossec-logtest; here is the result:

[***@serverossec ~]# /var/ossec/bin/ossec-logtest
2018/11/12 19:26:14 ossec-testrule: INFO: Reading local decoder file.
2018/11/12 19:26:15 ossec-testrule: INFO: Started (pid: 29461).
ossec-testrule: Type one log per line.

Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info:
Disconnected (auth failed, 1 attempts in 6 secs): user=<***@cacirro.it>,
method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS,
session=<mYSbWnt6E9aaQNpN>


**Phase 1: Completed pre-decoding.
full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49
imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs):
user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11,
TLS, session=<mYSbWnt6E9aaQNpN>'
hostname: 'mailserver'
program_name: '(null)'
log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth
failed, 1 attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN,
rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


I would like it to trigger an 'auth failed' rule so I can trigger an active
response.

All the best.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
dan (ddp)
2018-11-13 11:33:15 UTC
Post by Giorgio Biondi
Hi at all,
I have new issue with dovecot.. I have another mail server (Iredmail) with ossec agent install on it..
I have many record from ossec server like this: (cacirro.it It's a fictional domain ... I apologize for the real cacirri in the world)
Is this log message being received from "mailserver" via syslog?
There are 2 timestamps in it (Nov 12 18:51:51 and Nov 12 18:51:49).
That will confuse things a bit.

These decoders seem to pick everything up, but there aren't any rules
associated with them.

<decoder name="dovecot2">
<prematch>^dovecot </prematch>
</decoder>

<decoder name="imap-login2">
<parent>dovecot2</parent>
<prematch>imap-login: </prematch>
<regex offset="after_prematch">\(auth (\S+), \d+ attempts in \d+ secs\): user=\<(\S+)>, method=PLAIN, rip=(\S+), lip=(\S+),</regex>
<order>status,user,srcip, dstip</order>
</decoder>
Giorgio Biondi
2018-11-13 22:01:05 UTC
Hi,

I find many entries like this in my dovecot.log on my mail server (iRedMail):

Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in
5 secs): user=<***@cacirro.it>, method=PLAIN, rip=114.99.51.25,
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>

I see this in the Splunk interface installed on my ossec server:

** Alert 1542145364.10111054: mail - syslog,errors,
2018 Nov 13 22:42:44 (mailserver.cacirro.it) 10.12.14.11->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Nov 13 22:42:43 mailserver dovecot Nov 13 22:42:42 imap-login: Info:
Disconnected (auth failed, 1 attempts in 5 secs):
user=<***@cacirro.it>, method=PLAIN, rip=114.99.51.25,
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>

If I test this on my ossec server I get this result:

[***@serverossec bin]# ./ossec-logtest
2018/11/13 22:56:24 ossec-testrule: INFO: Reading local decoder file.
2018/11/13 22:56:24 ossec-testrule: INFO: Started (pid: 2055).
ossec-testrule: Type one log per line.

Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in
5 secs): user=<***@cacirro.it>, method=PLAIN, rip=114.99.51.25,
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>


**Phase 1: Completed pre-decoding.
full event: 'Nov 13 22:42:42 imap-login: Info: Disconnected (auth
failed, 1 attempts in 5 secs): user=<***@cacirro.it>,
method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS,
session=</10zspJ6euJyYzMZ>'
hostname: 'serverossec'
program_name: 'imap-login'
log: 'Info: Disconnected (auth failed, 1 attempts in 5 secs):
user=<***@cacirro.it>, method=PLAIN, rip=114.99.51.25,
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


I want to trigger an 'active response' for this IP.

Thanks for your time, Dan.

gb
dan (ddp)
2018-11-13 22:18:20 UTC
Post by Giorgio Biondi
*Hi *
*I find many of this entry im my dovecot.log in my mailserver (iredmail):*
Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
*I see this in the Splunk interface installed on my ossec server:*
** Alert 1542145364.10111054: mail - syslog,errors,
2018 Nov 13 22:42:44 (mailserver.cacirro.it)
10.12.14.11->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Disconnected (auth failed, 1 attempts in 5 secs): user=<
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
*If I test this on my ossec server I get this result:*
2018/11/13 22:56:24 ossec-testrule: INFO: Reading local decoder file.
2018/11/13 22:56:24 ossec-testrule: INFO: Started (pid: 2055).
ossec-testrule: Type one log per line.
Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>
**Phase 1: Completed pre-decoding.
full event: 'Nov 13 22:42:42 imap-login: Info: Disconnected (auth
method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS,
session=</10zspJ6euJyYzMZ>'
hostname: 'serverossec'
program_name: 'imap-login'
log: 'Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<
lip=10.12.14.11, TLS, session=</10zspJ6euJyYzMZ>'
**Phase 2: Completed decoding.
No decoder matched.
The decoders I provided were for this log message, not the one you tested
here:

Nov 13 22:42:43 mailserver dovecot Nov 13 22:42:42 imap-login: Info:
Disconnected (auth failed, 1 attempts in 5 secs): user=<
***@cacirro.it>, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11,
TLS, session=</10zspJ6euJyYzMZ>
Giorgio Biondi
2018-11-14 14:58:29 UTC
Hi Dan,
now the new decoder works:

[***@serverossec etc]# ../bin/ossec-logtest
2018/11/14 15:51:13 ossec-testrule: INFO: Reading local decoder file.
2018/11/14 15:51:13 ossec-testrule: INFO: Started (pid: 64288).
ossec-testrule: Type one log per line.

Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info:
Disconnected (auth failed, 1 attempts in 6 secs): user=<***@cacirro.it>,
method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS,
session=<mYSbWnt6E9aaQNpN>


**Phase 1: Completed pre-decoding.
full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49
imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs):
user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11,
TLS, session=<mYSbWnt6E9aaQNpN>'
hostname: 'mailserver'
program_name: '(null)'
log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth
failed, 1 attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN,
rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'

**Phase 2: Completed decoding.
decoder: 'dovecot2'

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Giorgio Biondi
2018-11-14 16:40:04 UTC
Hi Dan,

NOW it works fine:

[***@serverossec etc]# ../bin/ossec-logtest
2018/11/14 17:38:53 ossec-testrule: INFO: Reading local decoder file.
2018/11/14 17:38:53 ossec-testrule: INFO: Started (pid: 6990).
ossec-testrule: Type one log per line.

Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-login: Info:
Disconnected (auth failed, 1 attempts in 6 secs): user=<***@cacirro.it>,
method=PLAIN, rip=154.64.218.77, lip=10.12.14.11, TLS,
session=<mYSbWnt6E9aaQNpN>


**Phase 1: Completed pre-decoding.
full event: 'Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49
imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs):
user=<***@cacirro.it>, method=PLAIN, rip=154.64.218.77, lip=10.12.14.11,
TLS, session=<mYSbWnt6E9aaQNpN>'
hostname: 'mailserver'
program_name: '(null)'
log: 'dovecot Nov 12 18:51:49 imap-login: Info: Disconnected (auth
failed, 1 attempts in 6 secs): user=<***@cacirro.it>, method=PLAIN,
rip=154.64.218.77, lip=10.12.14.11, TLS, session=<mYSbWnt6E9aaQNpN>'

**Phase 2: Completed decoding.
decoder: 'dovecot2'
status: 'failed'
dstuser: '***@cacirro.it'
srcip: '154.64.218.77'
dstip: '10.12.14.11'

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
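The last logtest run shows what dan pointed out earlier in the thread: the dovecot2/imap-login2 decoders now extract status, dstuser, srcip and dstip, but no rule consumes those fields, so the generic level-2 rule 1002 is still the one that fires, and an active response keyed to it would be far too noisy. The following local rules are an added example, not dan's decoders nor part of OSSEC's shipped rule set; the rule ids (100100/100101, from the range reserved for local rules), the 6-in-120-seconds threshold and the file path in the comment are assumptions to be adjusted for your own setup.

```xml
<!-- Added example (not from the thread): local rules, e.g. in
     /var/ossec/rules/local_rules.xml, that consume the fields set by the
     "dovecot2" parent decoder and its "imap-login2" child.
     Rule ids 100100/100101 are assumed; pick free ids in the 100000+ local range. -->
<group name="dovecot,syslog,">

  <!-- A single failed IMAP login: fires only when the decoder produced
       status=failed, so successful logins and other dovecot lines stay quiet.
       Level 5 outranks the generic level-2 rule 1002, so this rule wins. -->
  <rule id="100100" level="5">
    <decoded_as>dovecot2</decoded_as>
    <status>failed</status>
    <description>Dovecot: IMAP authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Repeated failures from one source: 6 hits of rule 100100 from the same
       decoded srcip within 120 seconds (threshold assumed). Level 10 is the
       rule an active response should be bound to, not the single-failure rule. -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Dovecot: multiple IMAP authentication failures from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Re-run the same line through ossec-logtest after adding the file: Phase 3 should now report rule 100100 instead of 1002. To block the source, bind the aggregate rule rather than the single-failure one in ossec.conf, for example an `<active-response>` stanza with `<command>firewall-drop</command>`, `<location>local</location>`, `<rules_id>100101</rules_id>` and a `<timeout>` of a few hundred seconds; `local` runs the block on the agent that produced the alert, i.e. the mail server, which is where the IMAP connections actually arrive. Keep the timeout finite and watch the alerts for a few days before lowering the threshold, since a single mis-typed password on a legitimate mail client otherwise locks that user out.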