
[ossec-list] Re: vsftpd rule



Joachim/Daniel,

After the upgrade to 0.8.2 my decoder.xml does have:

<!-- vsftpd decoder.
  - Will extract the srcip.
  - Examples:
  - Sun Jun  4 22:08:04 2006 [pid 21612] CONNECT: Client "192.168.2.10"
  - Sun Jun  4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
  - Sun Jun  4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
  - Sun Jun  4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
  - Sat Jun  3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
  -->
<decoder name="vsftpd">
  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+]</prematch>
  <regex>Client "(\d+.\d+.\d+.\d+)"</regex>
  <order>srcip</order>
</decoder>

Is there anything else I have to add manually?


> have you configured vsftp for dual log ?
>    dual_log_enable=YES

I had NOT enabled dual_log_enable.   This appears to have been my
problem.   I have tested and now the connections are being logged in
both places and the alerts are firing.  Thanks for letting me know
about that option.

Here is an excerpt:

Sat Jun 10 16:03:22 2006 [pid 499] CONNECT: Client "172.16.40.5"
Sat Jun 10 16:06:04 2006 [pid 498] [test] FAIL LOGIN: Client "172.16.40.5"

The alerts:

** Alert 1149955565.19982:
2006 Jun 10 12:06:05 /var/log/vsftpd.log
Rule: 3403 (level 5) -> 'Login failed accessing the FTP server'
Src IP: 172.16.40.5
User: (none)
Sat Jun 10 16:06:04 2006 [pid 498] [test] FAIL LOGIN: Client "172.16.40.5"


Thanks for your help,

Seth Art


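As an added illustration (not OSSEC's engine and not code from this thread), here is a plain-Python model of the vsftpd decoder posted above, run over the log lines quoted in the thread. It shows why the prematch accepts the lines from /var/log/vsftpd.log but not the pam_unix lines from /var/log/messages, and it additionally pulls the bracketed username and event keyword, which the posted decoder does not extract. The regex translation (escaped brackets and dots) is an assumption of this example.

```python
import re

# Added illustration, not OSSEC's engine: a plain-Python model of the vsftpd
# decoder posted above, applied to constructed log lines from this thread.
# OSSEC's regex dialect treats '[' and ']' literally; the Python equivalents
# below escape them and the dots in the IP (an assumption of this example).
PREMATCH = re.compile(r"^\w\w\w \w\w\w\s+\d+ \S+ \d+ \[pid \d+\]")
SRCIP = re.compile(r'Client "(\d+\.\d+\.\d+\.\d+)"')
# Extra fields the posted decoder does not extract: the optional [user] tag
# and the event keyword that precedes "Client".
EVENT = re.compile(
    r"\] (?:\[(?P<user>[^\]]*)\] )?(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client"
)


def decode(line):
    """Return decoded fields for one vsftpd log line, or None when the
    prematch fails (OSSEC would then try other decoders, e.g. pam_unix)."""
    if not PREMATCH.match(line):
        return None
    fields = {"decoder": "vsftpd", "srcip": None, "user": None, "event": None}
    m = SRCIP.search(line)
    if m:
        fields["srcip"] = m.group(1)
    m = EVENT.search(line)
    if m:
        fields["event"] = m.group("event")
        fields["user"] = m.group("user")
    return fields


# Constructed sample: two lines as written to /var/log/vsftpd.log with
# dual_log_enable=YES, and one pam_unix line from /var/log/messages.
SAMPLE = [
    'Sat Jun 10 16:03:22 2006 [pid 499] CONNECT: Client "172.16.40.5"',
    'Sat Jun 10 16:06:04 2006 [pid 498] [test] FAIL LOGIN: Client "172.16.40.5"',
    "Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90",
]


def decode_all(lines):
    """Decode every line; None marks lines this decoder does not own."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE, decode_all(SAMPLE)):
        print(result, "<-", line[:40])
```

The third line yields None: its syslog prefix ("Jun  9 ...") never satisfies the `^\w\w\w \w\w\w` prematch, so that event can only be caught by the pam_unix decoder and rule 401, exactly as seen before dual logging was enabled.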

On 6/10/06, Joachim Vorrath <joachim.vorrath@xxxxxxxxxxxxxx> wrote:
>
> Hey Seth,
>
> sorry, you've added it also to "decoder.xml" ?
>
>
> regards
>
> Jochen
>
>
>
> Am 10.06.2006 um 06:24 schrieb Seth Art:
>
> >
> > Hey Daniel and everyone,
> >
> > First of all I think this is a great project and want to thank you for
> > your work.   Secondly, I was just in the process of trying to write
> > some vsftpd rules of my own when I figured I would search the mailing
> > list.  I was pleasantly surprised to see that it was an extremely
> > recent topic.
> >
> > I have downloaded the new package, added vsftpd_rules.xml and
> > /var/logs/vsftpd.log to my ossec.conf file, but I still am not getting
> > any hits on the vsftpd ruleset.
> >
> > Here is a sample of the logs in my /var/log/messages:
> >
> > Jun  9 20:23:51 fedora vsftpd(pam_unix)[26533]: authentication
> > failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
> > Jun  9 20:23:54 fedora vsftpd(pam_unix)[26533]: authentication
> > failure; logname= uid=0 euid=0 tty= ruser= rhost=72.21.57.90
> >
> > Here is a sample of the logs in
> > /var/ossec/logs/alerts/2006/Jun/ossec-alerts-09.log:
> >
> > ** Alert 1149898913.68998:
> > 2006 Jun 09 20:21:53 /var/log/messages
> > Rule: 401 (level 5) -> 'User authentication failure.'
> > Src IP: (none)
> > User: (none)
> > vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> > tty= ruser= rhost=72.21.57.90
> >
> > ** Alert 1149898991.69249:
> > 2006 Jun 09 20:23:11 /var/log/messages
> > Rule: 401 (level 5) -> 'User authentication failure.'
> > Src IP: (none)
> > User: (none)
> > vsftpd(pam_unix)[26533]: authentication failure; logname= uid=0 euid=0
> > tty= ruser= rhost=72.21.57.90
> >
> >
> > As you can see, the interesting thing is that the traffic gets picked
> > up by rule 401.  Not the new vsftpd rules.  Once a rule is matched,
> > does the line get evaluated by all of the other rules?
> >
> > For reference, in case I mistakenly edited my ossec.conf file, I will
> > all relevant excerpts below.  I would be happy to provide any other
> > information and would also be willing to help out in any way I can.
> >
> > Thanks again,
> >
> > Seth Art
> >
> >
> > ossec.conf:
> >
> >  <!-- Files to monitor (localfiles) -->
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/messages</location>
> >   </localfile>
> > ..
> > ..
> > ..
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/vsftpd.log</location>
> >   </localfile>
> > </ossec_config>
> >
> >
> >
> > <ossec_config>  <!-- rules global entry -->
> >   <rules>
> >     <include>rules_config.xml</include>
> >     <include>pam_rules.xml</include>
> >     <include>sshd_rules.xml</include>
> >     <include>telnetd_rules.xml</include>
> >     <include>syslog_rules.xml</include>
> >     <include>pix_rules.xml</include>
> >     <include>named_rules.xml</include>
> >     <include>smbd_rules.xml</include>
> >     <include>pure-ftpd_rules.xml</include>
> >     <include>proftpd_rules.xml</include>
> >     <include>web_rules.xml</include>
> >     <include>apache_rules.xml</include>
> >     <include>ids_rules.xml</include>
> >     <include>squid_rules.xml</include>
> >     <include>firewall_rules.xml</include>
> >     <include>postfix_rules.xml</include>
> >     <include>sendmail_rules.xml</include>
> >     <include>imapd_rules.xml</include>
> >     <include>spamd_rules.xml</include>
> >     <include>msauth_rules.xml</include>
> >     <include>attack_rules.xml</include>
> >     <include>vsftpd_rules.xml</include>
> >   </rules>
> > </ossec_config>  <!-- rules global entry -->
> >
> >
> >
> >
> >
> > On 6/6/06, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> >>
> >> Hi Jorge and Joachim,
> >>
> >> Based on the logs you provided, I created some rules for vsftpd.
> >> They were working correctly on my testing environment...
> >>
> >> They are on the following package:
> >> http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
> >>
> >> Basically, the vsftpd rules will be handled by the
> >> vsftpd_rules.xml and
> >> the ones from pam_unix, by the file pam_rules.xml... Can you let
> >> me know if it is working or not? Also, make sure to add
> >> "<include>vsftpd_rules.xml</include>" to your ossec.conf
> >> (and also to configure ossec to read /var/logs/vsftpd.log).
> >>
> >> Thanks,
> >>
> >> --
> >> Daniel B. Cid
> >> dcid @ ( at ) ossec.net
> >>
> >> On 6/3/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
> >>> Daniel,
> >>>
> >>> I also need a vsftpd rule. I've tried to write it myself, but the
> >>> rules don't work.
> >>> Here follows part of my conf files. Can you tell me, please, what
> >>> I missed?
> >>>
> >>> Thanks,
> >>> Jorge
> >>
> >>>
> >>
> >
> >
>
> ______________________________________
> XamimeLT - installed on mailserver for domain at vorrath-net.de
> Queries to: postmaster at vorrath-net.de
>
> >
>
