
[ossec-list] Re: vsftpd rule



Hi Seth,

There is nothing wrong with your rules. The thing is that any pam
message is going to be parsed by the pam decoder. We do that
because no matter if it is vsftpd(pam_unix) or sshd(pam_unix)
or telnetd(pam_unix), the format of the message is going to
be the same. If you have messages specific to vsftpd (like the
ones on vsftpd.log) it is going to be parsed by the vsftpd decoder.

Hope it helps.

--
Daniel B. Cid
dcid @ ( at ) ossec.net



On 6/10/06, Seth Art <sethsec@xxxxxxxxx> wrote:
>
> Hey Daniel and everyone,
>
> First of all I think this is a great project and want to thank you for
> your work.   Secondly, I was just in the process of trying to write
> some vsftpd rules of my own when I figured I would search the mailing
> list.  I was pleasantly surprised to see that it was an extremely
> recent topic.
>
> I have downloaded the new package, added vsftpd_rules.xml and
> /var/logs/vsftpd.log to my ossec.conf file, but I still am not getting
> any hits on the vsftpd ruleset.
>
> Here is a sample of the logs in my /var/log/messages:
>
> Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
> Jun  9 20:23:54 fedora vsftpd(pam_unix)[26533]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
>
> Here is a sample of the logs in
> /var/ossec/logs/alerts/2006/Jun/ossec-alerts-09.log:
>
> ** Alert 1149898913.68998:
> 2006 Jun 09 20:21:53 /var/log/messages
> Rule: 401 (level 5) -> 'User authentication failure.'
> Src IP: (none)
> User: (none)
> vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> tty= ruser= rhost=72.21.57.90
>
> ** Alert 1149898991.69249:
> 2006 Jun 09 20:23:11 /var/log/messages
> Rule: 401 (level 5) -> 'User authentication failure.'
> Src IP: (none)
> User: (none)
> vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> tty= ruser= rhost=72.21.57.90
>
>
> As you can see, the interesting thing is that the traffic gets picked
> up by rule 401, not the new vsftpd rules.  Once a rule is matched,
> does the line get evaluated by all of the other rules?
>
> For reference, in case I mistakenly edited my ossec.conf file, I will
> include all relevant excerpts below.  I would be happy to provide any other
> information and would also be willing to help out in any way I can.
>
> Thanks again,
>
> Seth Art
>
>
> ossec.conf:
>
>  <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
> .
> .
> .
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/vsftpd.log</location>
>   </localfile>
> </ossec_config>
>
>
>
> <ossec_config>  <!-- rules global entry -->
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>   </rules>
> </ossec_config>  <!-- rules global entry -->
>
>
>
>
>
> On 6/6/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> >
> > Hi Jorge and Joachim,
> >
> > Based on the logs you provided, I created some rules for vsftpd.
> > They were working correctly on my testing environment...
> >
> > They are on the following package:
> > http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
> >
> > Basically, the vsftpd rules will be handled by the vsftpd_rules.xml and
> > the ones from pam_unix, by the file pam_rules.xml... Can you let
> > me know if it is working or not? Also, make sure to add
> > "<include>vsftpd_rules.xml</include>" to your ossec.conf
> > (and also to configure ossec to read /var/logs/vsftpd.log).
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
> >
> > On 6/3/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
> > > Daniel,
> > >
> > > I also need a vsftpd rule. I've tried to do it by myself, but the rules
> > > don't work.
> > > Here follows part of my conf files. Can you tell me, please, what I
> > > missed?
> > >
> > > Thanks,
> > > Jorge
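A small decoder-routing model, added here as an illustration and not code from OSSEC or from anyone in the thread: it takes the /var/log/messages lines Seth quoted (plus a constructed sshd(pam_unix) line and a constructed vsftpd.log line), picks a decoder by source file and program name the way Daniel describes, and then matches rules per decoder, which is why a vsftpd(pam_unix) line fires the pam rule 401 and can never reach a rule written for the vsftpd decoder. The regexes, the rule id 99001 and the extraction of rhost into srcip are this example's own assumptions (the alerts quoted above show Src IP as (none)).

```python
"""Toy model of per-decoder rule matching for syslog/pam and vsftpd.log lines.
Added example, not OSSEC code: regexes, rule 99001 and sample lines are
constructed here; rule 401 is the pam rule that fired in the thread."""
import re

# Constructed samples modelled on the lines quoted in the thread.
MESSAGES_LOG = [
    "Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90",
    "Jun  9 20:23:54 fedora sshd(pam_unix)[27001]: authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=root",
]
# Constructed vsftpd.log line in vsftpd's own (non-syslog) log format.
VSFTPD_LOG = [
    'Fri Jun  9 20:25:10 2006 [pid 26540] [ftpuser] FAIL LOGIN: Client "72.21.57.90"',
]

# Generic syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# pam_unix bodies are key=value pairs, many of them empty.
PAM_KV_RE = re.compile(r"(\w+)=(\S*)")
# vsftpd's own log line (assumed format for this example).
VSFTPD_RE = re.compile(
    r'^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>[A-Z ]+): Client "(?P<ip>[^"]+)"'
)


def decode(line, source):
    """Choose the decoder from the source file and the program name.
    Returns a dict with decoder, program, event, srcip, user, or None."""
    if source.endswith("vsftpd.log"):
        m = VSFTPD_RE.match(line)
        if not m:
            return None
        return {"decoder": "vsftpd", "program": "vsftpd",
                "event": m.group("event"), "srcip": m.group("ip"),
                "user": m.group("user")}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    # Any "<service>(pam_unix)" program goes to the pam decoder: the body is
    # the same whether sshd, vsftpd or telnetd invoked pam.
    if prog.endswith("(pam_unix)"):
        kv = dict(PAM_KV_RE.findall(msg))
        return {"decoder": "pam", "program": prog[:-len("(pam_unix)")],
                "event": msg.split(";", 1)[0].strip(),
                "srcip": kv.get("rhost") or None,   # assumption: rhost -> srcip
                "user": kv.get("user") or None}
    return {"decoder": "syslog", "program": prog, "event": msg,
            "srcip": None, "user": None}


# Rules are bound to a decoder; 99001 is a constructed placeholder id.
RULES = [
    {"id": 401, "level": 5, "decoder": "pam", "event": "authentication failure",
     "description": "User authentication failure."},
    {"id": 99001, "level": 5, "decoder": "vsftpd", "event": "FAIL LOGIN",
     "description": "vsftpd login failed (constructed rule id)."},
]


def match_rule(decoded):
    """First rule whose decoder and event both match wins; a decoder
    mismatch is why pam_unix lines never reach vsftpd-decoder rules."""
    if decoded is None:
        return None
    for r in RULES:
        if r["decoder"] == decoded["decoder"] and r["event"] == decoded["event"]:
            return r
    return None


def process(lines, source):
    """Return (decoder, program, rule id, srcip) for each line."""
    out = []
    for line in lines:
        d = decode(line, source)
        r = match_rule(d)
        out.append((d["decoder"] if d else None, d["program"] if d else None,
                    r["id"] if r else None, d["srcip"] if d else None))
    return out


if __name__ == "__main__":
    for row in process(MESSAGES_LOG, "/var/log/messages"):
        print("messages:", row)
    for row in process(VSFTPD_LOG, "/var/log/vsftpd.log"):
        print("vsftpd.log:", row)
```

Running it shows both pam_unix lines, from vsftpd and sshd alike, landing on rule 401 with the same decoder, while only the line read from vsftpd.log reaches the vsftpd rule. The practical check it suggests is the one Daniel gives: confirm vsftpd is writing its own log file and that ossec.conf has a localfile entry for it, rather than expecting the pam lines in /var/log/messages to trigger vsftpd rules.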






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.