
[ossec-list] Re: vsftpd rule



Hey Seth,

It works very well, rules 340x fired.

 > ** Alert 1149636151.1707:
 > 2006 Jun 07 01:22:31 /var/log/vsftpd.log
 > Rule: 3403 (level 5) -> 'Login failed accessing the FTP server'
 > Src IP: 218.188.12.18
 > User: (none)
 > Wed Jun  7 01:22:30 2006 [pid 23197] [Administrator] FAIL LOGIN: Client "218.188.12.18"


Have you configured vsftpd for dual log?

    dual_log_enable=YES


regards

Jochen





On 10.06.2006 at 06:24, Seth Art wrote:

>
> Hey Daniel and everyone,
>
> First of all I think this is a great project and want to thank you for
> your work.   Secondly, I was just in the process of trying to write
> some vsftpd rules of my own when I figured I would search the mailing
> list.  I was pleasantly surprised to see that it was an extremely
> recent topic.
>
> I have downloaded the new package, added vsftpd_rules.xml and
> /var/logs/vsftpd.log to my ossec.conf file, but I still am not getting
> any hits on the vsftpd ruleset.
>
> Here is a sample of the logs in my /var/log/messages:
>
> Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
> Jun  9 20:23:54 fedora vsftpd(pam_unix)[26533]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
>
> Here is a sample of the logs in
> /var/ossec/logs/alerts/2006/Jun/ossec-alerts-09.log:
>
> ** Alert 1149898913.68998:
> 2006 Jun 09 20:21:53 /var/log/messages
> Rule: 401 (level 5) -> 'User authentication failure.'
> Src IP: (none)
> User: (none)
> vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> tty= ruser= rhost=72.21.57.90
>
> ** Alert 1149898991.69249:
> 2006 Jun 09 20:23:11 /var/log/messages
> Rule: 401 (level 5) -> 'User authentication failure.'
> Src IP: (none)
> User: (none)
> vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> tty= ruser= rhost=72.21.57.90
>
>
> As you can see, the interesting thing is that the traffic gets picked
> up by rule 401.  Not the new vsftpd rules.  Once a rule is matched,
> does the line get evaluated by all of the other rules?
>
> For reference, in case I mistakenly edited my ossec.conf file, I will
> add all relevant excerpts below.  I would be happy to provide any other
> information and would also be willing to help out in any way I can.
>
> Thanks again,
>
> Seth Art
>
>
> ossec.conf:
>
>  <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
> ..
> ..
> ..
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/vsftpd.log</location>
>   </localfile>
> </ossec_config>
>
>
>
> <ossec_config>  <!-- rules global entry -->
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>   </rules>
> </ossec_config>  <!-- rules global entry -->
>
>
>
>
>
> On 6/6/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>>
>> Hi Jorge and Joachim,
>>
>> Based on the logs you provided, I created some rules for vsftpd.
>> They were working correctly on my testing environment...
>>
>> They are on the following package:
>> http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
>>
>> Basically, the vsftpd rules will be handled by vsftpd_rules.xml and
>> the ones from pam_unix by the file pam_rules.xml... Can you let
>> me know if it is working or not? Also, make sure to add
>> "<include>vsftpd_rules.xml</include>" to your ossec.conf
>> (and also to configure ossec to read /var/logs/vsftpd.log).
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid @ ( at ) ossec.net
>>
>> On 6/3/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
>>> Daniel,
>>>
>>> I need also a vsftpd rule. I've tried to do it by myself, but the
>>> rules don't work.
>>> Here follows part of my conf files. Can you tell me, please, what
>>> I missed?
>>>
>>> Thanks,
>>> Jorge
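Added example, not code from OSSEC or from anyone in this thread: a small Python model of the decode-then-match flow the thread is debugging. It runs over the two log lines quoted above (the pam_unix line Seth sees in /var/log/messages and the FAIL LOGIN line Jochen sees in /var/log/vsftpd.log) plus one constructed successful login, and shows why the first reaches rule 401 and only vsftpd's own log (written when dual_log_enable=YES) reaches rule 3403. The rule ids, levels and descriptions are the ones quoted in the thread; the regexes, the decoder names, the match strings and the first-match-wins rule order are assumptions of this simplified model, not OSSEC's real decoder or rule-tree logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the first two lines are copied from the thread
# (pam_unix line from /var/log/messages, FAIL LOGIN line from
# /var/log/vsftpd.log); the third is an invented successful login.
SAMPLE_LINES = [
    'Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication failure; '
    'logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90',
    'Wed Jun  7 01:22:30 2006 [pid 23197] [Administrator] FAIL LOGIN: Client "218.188.12.18"',
    'Wed Jun  7 01:25:00 2006 [pid 23201] [jochen] OK LOGIN: Client "10.0.0.5"',
]

# Two decoders (assumed, simplified): syslog lines are recognised by their
# "prog[pid]:" prefix, vsftpd's own log by the "[pid N]" token it writes.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')
VSFTPD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?(?P<msg>.*)$')
PAM_RHOST_RE = re.compile(r'\brhost=(?P<ip>\S+)')
VSFTPD_CLIENT_RE = re.compile(r'Client "(?P<ip>[^"]+)"')


@dataclass
class Decoded:
    decoder: str            # "pam_unix" or "vsftpd"
    msg: str
    srcip: Optional[str] = None
    user: Optional[str] = None


@dataclass
class Rule:
    rule_id: int
    level: int
    decoded_as: str         # only lines from this decoder are tested
    pattern: str            # substring looked for in the decoded message
    description: str


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    srcip: Optional[str]
    user: Optional[str]


# Ids, levels and descriptions as quoted in the thread; match strings assumed.
RULES = [
    Rule(401, 5, "pam_unix", "authentication failure", "User authentication failure."),
    Rule(3403, 5, "vsftpd", "FAIL LOGIN", "Login failed accessing the FTP server"),
]


def decode(line: str) -> Optional[Decoded]:
    """Pick a decoder by log format and pull out the fields it knows about."""
    m = SYSLOG_RE.match(line)
    if m:
        if "(pam_unix)" in m["prog"]:
            ip = PAM_RHOST_RE.search(m["msg"])
            return Decoded("pam_unix", m["msg"], srcip=ip["ip"] if ip else None)
        return None                  # other syslog programs are not modelled here
    m = VSFTPD_RE.match(line)
    if m:
        ip = VSFTPD_CLIENT_RE.search(m["msg"])
        return Decoded("vsftpd", m["msg"], srcip=ip["ip"] if ip else None, user=m["user"])
    return None


def evaluate(line: str) -> Optional[Alert]:
    """First rule tied to the line's decoder whose pattern is in the message wins."""
    d = decode(line)
    if d is None:
        return None
    for r in RULES:
        if r.decoded_as == d.decoder and r.pattern in d.msg:
            return Alert(r.rule_id, r.level, r.description, d.srcip, d.user)
    return None


def run(lines):
    """Alerts raised over a batch of lines, in input order."""
    return [a for a in (evaluate(l) for l in lines) if a is not None]


if __name__ == "__main__":
    for a in run(SAMPLE_LINES):
        print(f"Rule: {a.rule_id} (level {a.level}) -> '{a.description}' "
              f"Src IP: {a.srcip or '(none)'} User: {a.user or '(none)'}")
```

The pam_unix line is decoded as pam_unix because of its "vsftpd(pam_unix)" program name, so only rules tied to that decoder are tried and 401 fires; the vsftpd rule never sees it. The FAIL LOGIN line only exists when vsftpd writes its own log, which is why Jochen asks about dual_log_enable. The OK LOGIN line is decoded but raises nothing under this minimal rule set.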






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.