[ossec-dev] Re: various minor configuration suggestions
Hi Logan,
First of all, thanks for the e-mail and contributions. Rest of reply inline...
On 6/21/07, Logan O'Sullivan Bruns <logan@xxxxxxxxxxxx> wrote:
> First off, thanks for the fine product.
> For whatever they may be worth, here is a list of configuration changes
> to OSSEC 1.2 that I made to support my own environment. I think some
> of them may be worth rolling into a future version of the default
> configuration.
> ossec.conf:
> <syscheck>
> <ignore>/etc/dumpdates</ignore>
> <ignore>/etc/svc/volatile</ignore>
Thanks. Just added those to CVS.
> Note I capitalized the first letter of each phrase in the match
> line. The matching appears to be case sensitive and making this change
> made the corresponding events show up in my alerts log when they
> hadn't before.
The matching in ossec is case insensitive by default, so I don't know
exactly what caused this issue...
> I use a sendmail milter called SMF-SAV:
> http://smfs.sourceforge.net/smf-sav.html
> In a nutshell it tries to verify a sender's address before accepting
> the mail they are sending. So yet another tool to cut down on
> spam. Anyway, I took a stab at adding rules so that OSSEC will send
> alerts and active responses based on SMF-SAV syslog messages.
> ..
Very good stuff! I already added your rules/decoders to CVS with just
some small changes (using the sendmail ids and inside the
sendmail_rules file).
Using your rules/decoders we can get alerts like (just tested it):
** Alert xxx.16253: - syslog,sendmail,smf-sav,spam,
2007 Jun 22 19:23:42 mx0->/var/log/messages
Rule: 3191 (level 6) -> 'SMF-SAV sendmail milter unable to verify
address (REJECTED).'
Src IP: 125.133.22.112
User: (none)
Jul 20 16:21:24 mx0 smf-sav[513]: [ID 987462 mail.notice] sender check
failed: <xkyjywqvophshu@xxxxxxxxxxxxxxxxxxx>, 125.133.22.112,
[125.133.22.112], [00:00:01]
> Please forgive me if I've used the levels wrong or failed to respect
> any existing id hierarchy. I didn't see the documentation on either of
> those. Anyway, for your consideration.
It was pretty good. We don't have any documentation on the levels, but
we plan to do one soon. Currently it is used on what "looks" better :)
> One final comment. I don't have a good solution for how to integrate
> this into your turnkey approach but another change I had to make was
> to firewall-drop.sh to add the group number to the end of the dynamic
> ipfilter rule. I suspect that a number of people who are using
> ipfilter will need to do this. So you might put a warning in somewhere
> or perhaps encourage people to verify that their ipfilter rules are
> working. Perhaps suggest that they run something like this to check
> for hits against the dynamic rules:
> # ipfstat -ih | grep "block in quick"
> 0 block in quick from 124.10.89.38/32 to any group 100
> 3 block in quick from 221.202.15.161/32 to any group 100
> 0 block in quick from 72.184.61.130/32 to any group 100
I don't use ipfilter, so I can't really test it. You mean at the end
of the argument:
ARG2="\"@1 block in quick from ${IP} to any\""
adding "group X"?
> Again thanks for the fine product.
> - logan
> p.s. I'm not on the mailing list so please make sure my address is on
> any response.
Can you try the following version with your SMF rules and the new entries to
the syscheck ignore?
http://www.ossec.net/files/snapshots/ossec-hids-070622.tar.gz
I also added your logs to:
http://www.ossec.net/wiki/index.php/Sendmail
*maybe we should contact the guys from SMF to let them know that we added
support for it...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
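An added example, not OSSEC's firewall-drop.sh and not Logan's patch, covering the two ipfilter points raised above: building the dynamic rule text with an optional trailing group number, and reading "ipfstat -ih" output to confirm that a blocked address actually has a rule loaded and whether it has taken hits. The outbound rule text, the function names and the 203.0.113.5 / 198.51.100.9 addresses are assumptions; the sample ipfstat lines are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not OSSEC's firewall-drop.sh and not Logan's patch.
# 1) build the dynamic ipfilter rule text with an optional trailing group
# 2) check "ipfstat -ih" output for hits against a blocked address

# build_ipf_rules IP [GROUP]
# Prints the rule text to hand to ipfilter for IP. The inbound rule matches
# the ARG2 line quoted in the thread; the outbound one is an assumption.
# When GROUP is given, " group GROUP" is appended, which is the change
# Logan needed for an ipfilter setup that organises rules into groups.
build_ipf_rules() {
    ip="$1"
    suffix=""
    if [ -n "${2:-}" ]; then
        suffix=" group $2"
    fi
    printf '@1 block out quick from any to %s%s\n' "$ip" "$suffix"
    printf '@1 block in quick from %s to any%s\n' "$ip" "$suffix"
}

# ipf_hits_for IP  (reads "ipfstat -ih" output on stdin)
# Prints the hit counter of the "block in quick" rule for IP, or "missing"
# when no such rule is loaded, so an operator can tell "rule never fired"
# apart from "rule never made it into the kernel".
ipf_hits_for() {
    awk -v ip="$1/32" '
        /block in quick/ && $6 == ip { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# count_rules_with_hits  (reads "ipfstat -ih" output on stdin)
# Prints how many "block in quick" rules have a non-zero hit counter.
count_rules_with_hits() {
    awk '/block in quick/ && $1 > 0 { n++ } END { print n + 0 }'
}

# Constructed sample of "ipfstat -ih" output, using the lines from the thread.
SAMPLE_IPFSTAT='0 block in quick from 124.10.89.38/32 to any group 100
3 block in quick from 221.202.15.161/32 to any group 100
0 block in quick from 72.184.61.130/32 to any group 100'

# Stand-alone demo: the rule text for an example address (an assumption),
# then the hit counters from the sample.
build_ipf_rules 203.0.113.5 100
printf '%s\n' "$SAMPLE_IPFSTAT" | ipf_hits_for 221.202.15.161   # 3
printf '%s\n' "$SAMPLE_IPFSTAT" | ipf_hits_for 198.51.100.9     # missing
printf '%s\n' "$SAMPLE_IPFSTAT" | count_rules_with_hits          # 1
```

On a live system replace the sample with the real `ipfstat -ih` output, e.g. `ipfstat -ih | ipf_hits_for 221.202.15.161`.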
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.