
[ossec-list] Re: vsftpd rule



Hey Daniel and everyone,

First of all I think this is a great project and want to thank you for
your work.   Secondly, I was just in the process of trying to write
some vsftpd rules of my own when I figured I would search the mailing
list.  I was pleasantly surprised to see that it was an extremely
recent topic.

I have downloaded the new package, added vsftpd_rules.xml and
/var/logs/vsftpd.log to my ossec.conf file, but I still am not getting
any hits on the vsftpd ruleset.

Here is a sample of the logs in my /var/log/messages:

Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
Jun  9 20:23:54 fedora vsftpd(pam_unix)[26533]: authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90

Here is a sample of the logs in
/var/ossec/logs/alerts/2006/Jun/ossec-alerts-09.log:

** Alert 1149898913.68998:
2006 Jun 09 20:21:53 /var/log/messages
Rule: 401 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
tty= ruser= rhost=72.21.57.90

** Alert 1149898991.69249:
2006 Jun 09 20:23:11 /var/log/messages
Rule: 401 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
tty= ruser= rhost=72.21.57.90


As you can see, the interesting thing is that the traffic gets picked
up by rule 401.  Not the new vsftpd rules.  Once a rule is matched,
does the line get evaluated by all of the other rules?

For reference, in case I mistakenly edited my ossec.conf file, I will
include all relevant excerpts below.  I would be happy to provide any other
information and would also be willing to help out in any way I can.

Thanks again,

Seth Art


ossec.conf:

 <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
.
.
.
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vsftpd.log</location>
  </localfile>
</ossec_config>



<ossec_config>  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>vsftpd_rules.xml</include>
  </rules>
</ossec_config>  <!-- rules global entry -->





On 6/6/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hi Jorge and Joachim,
>
> Based on the logs you provided, I created some rules for vsftpd.
> They were working correctly on my testing environment...
>
> They are on the following package:
> http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
>
> Basically, the vsftpd rules will be handled by the vsftpd_rules.xml and
> the ones from pam_unix, by the file pam_rules_xml... Can you let
> me know if it is working or not? Also, make sure to add
> "<include>vsftpd_rules.xml</include>" to your ossec.conf
> (and also to configure ossec to read /var/logs/vsftpd.log).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
> On 6/3/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
> > Daniel,
> >
> > I need also a vsftpd rule. I've tried to do it myself, but the rules
> > don't work.
> > Here follows my part of my conf files. Can you tell, please, what did I
> > miss?
> >
> > Thanks,
> > Jorge
>
> >
>
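Seth's question about whether a line keeps being evaluated after one rule matches is the crux of what he is seeing: the program name in his lines is "vsftpd(pam_unix)", which is claimed by the pam decoder, so the pam rule 401 fires and nothing else does. The following is an added example, not OSSEC's code and not something posted in this thread: a small Python model of the relevant parts of OSSEC's analysis (a program-name decoder, a rule tree where the first matching rule wins and only its `if_sid` children refine the result), run over the two log lines quoted above. Rule 401 and its description are taken from the posted alert; the decoder regexes, the descending-level ordering of sibling rules, and the local rule 100401 (ids from 100000 up are OSSEC's local-rule range) are my assumptions about how OSSEC behaves, not facts from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two /var/log/messages lines quoted in the post.
SAMPLE_LOGS = [
    "Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90",
    "Jun  9 20:23:54 fedora vsftpd(pam_unix)[26533]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90",
]

# Syslog header: timestamp, host, program name, optional [pid], message body.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Decoders keyed on the program name; the first one that matches claims the
# event.  The pam decoder is modelled on OSSEC's, which keys on a program name
# ending in "(pam_unix)" (assumption about the decoder, not quoted from OSSEC).
DECODERS = [
    ("pam", re.compile(r"\(pam_unix\)$")),
    ("vsftpd", re.compile(r"^vsftpd")),
]


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None    # decoder that must have claimed the event
    match: Optional[str] = None         # substring required in the message body
    program_name: Optional[str] = None  # regex applied to the syslog program field
    if_sid: Optional[int] = None        # parent rule: children refine a parent match


# Rule 401 (level 5, "User authentication failure.") is the pam rule from the
# posted alert.  Rule 100401 is a hypothetical local rule that refines 401
# when the program that failed PAM authentication is vsftpd.
RULES = [
    Rule(401, 5, "User authentication failure.",
         decoded_as="pam", match="authentication failure"),
    Rule(100401, 6, "vsftpd authentication failure via PAM.",
         if_sid=401, program_name=r"^vsftpd"),
]


def decode(line: str) -> Dict[str, Optional[str]]:
    """Split the syslog header and record which decoder claimed the event."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    event: Dict[str, Optional[str]] = dict(m.groupdict())
    event["decoder"] = None
    for name, prog_re in DECODERS:
        if prog_re.search(event["prog"] or ""):
            event["decoder"] = name
            break
    return event


def rule_matches(rule: Rule, event: Dict[str, Optional[str]]) -> bool:
    if rule.decoded_as is not None and event["decoder"] != rule.decoded_as:
        return False
    if rule.match is not None and rule.match not in (event["msg"] or ""):
        return False
    if rule.program_name is not None and not re.search(rule.program_name, event["prog"] or ""):
        return False
    return True


def evaluate(event: Dict[str, Optional[str]], rules: List[Rule],
             parent: Optional[int] = None) -> Optional[Rule]:
    """First-match-wins tree walk: try the rules hanging off `parent` (highest
    level first), and on a hit let that rule's if_sid children refine it, then
    stop.  Sibling rules after the winner are never consulted."""
    candidates = sorted((r for r in rules if r.if_sid == parent),
                        key=lambda r: r.level, reverse=True)
    for rule in candidates:
        if rule_matches(rule, event):
            child = evaluate(event, rules, parent=rule.id)
            return child if child is not None else rule
    return None


def fired_rule_ids(lines: List[str], rules: List[Rule]) -> List[Optional[int]]:
    """Which single rule fires for each line (None when no rule matches)."""
    out: List[Optional[int]] = []
    for line in lines:
        hit = evaluate(decode(line), rules)
        out.append(hit.id if hit is not None else None)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = decode(line)
        print(f"program={ev['prog']!r} decoder={ev['decoder']} "
              f"rhost={(ev['msg'] or '').rsplit('rhost=', 1)[-1]}")
    print("pam rules only  :", fired_rule_ids(SAMPLE_LOGS, RULES[:1]))
    print("with local child:", fired_rule_ids(SAMPLE_LOGS, RULES))
```

With only rule 401 loaded, both lines produce rule 401, which is exactly the alert Seth pasted; a vsftpd-specific rule that keys on the program name alone would not get a chance at these lines because the pam decoder claimed them. Adding the child rule makes the same two lines produce 100401 instead, since a child of the matching rule is the only thing evaluated after a hit. In OSSEC rule syntax the equivalent local rule would take the shape `<rule id="100401" level="6"><if_sid>401</if_sid><program_name>^vsftpd</program_name><description>vsftpd authentication failure via PAM.</description></rule>`; treat the id, level and description as my choices rather than anything shipped with OSSEC.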






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.