[Ossec-list] Fw: Active response
- Subject: [Ossec-list] Fw: Active response
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Thu, 9 Mar 2006 17:15:00 -0400
Hi Peter,
Can you try with the version I just sent out to be used by the
translators (0.7-DEV)? It has some fixes and it will probably pick up
the IP from your ssh invalid messages.
The entry I sent to you in the previous e-mail wasn't tested, so it was
my fault (it is probably a small error in the rule causing it not to
work).
Regarding the pure-ftp logs, can you send them to me (plus the decoder
entry you tried to add)? I would love to see pure-ftp support working
for the next version. We basically just need two or three entries of
the logs to figure out how to decode it.
To activate debug, you can compile with the -DDEBUG flag (just edit
Config.Make inside src and add -DDEBUG to the CFLAGS variable).
However, it will spill out a lot of stuff...
Thanks,
Daniel
On 3/9/06, Peter Ahlert <peter at ifup.de> wrote:
> Hi Daniel,
>
> On Wed, 8 Mar 2006 16:52:06 -0400
> "Daniel Cid" <daniel.cid at gmail.com> wrote:
>
> > If you try with the following log:
> >
> > echo "Mar 2 07:13:30 enigma sshd[4264]: Failed password for invalid
> > user test from 64.106.134.170 port 58354 ssh2" >> /var/log/messages
> >
> > It will block the ip: "64.106.134.170" (can you just verify that?)
>
> working as intended (ip blocked and removed after timeout)
>
>
> > To fix this, you can do two things (it will be fixed in the next version):
> >
> > -edit /var/ossec/etc/decoders.xml and add the following just after the
> > "ssh-failed" part (hope the e-mail client will not delete the xml):
> >
> > <decoder name="ssh-invalid">
> > <parent>sshd</parent>
> > <prematch>^sshd[\d+]: Illegal </prematch>
> > <regex>^sshd[\d+]: Illegal user (\S+) from (\S+)$</regex>
> > <order>user,srcip</order>
> > </decoder>
>
> I added the block to decoders.xml but the active response isn't fired. I tried to add some
> pure-ftp rules too but wasn't successful ;) Is it possible to activate some debug output to
> see if ip or user are recognised?
>
> I guess I'm going to wait for the next version :)
>
> Peter
>
> --
> =========================================================================
> Peter Ahlert peter at ifup.de
> ==== We are Microsoft. You will be assimilated. Resistance is futile ====
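An added example, not from this thread or from OSSEC itself, that applies the decoder entry quoted above to two constructed log lines using a minimal translation of OSSEC's regex syntax into Python's. It shows that the posted entry extracts user and srcip from an "Illegal user" line but never matches the "Failed password for invalid user" line used in the test, which is consistent with Daniel's note that the rule needs a small fix. The syslog-header stripping and the syntax translation are assumptions that mimic ossec-analysisd only far enough for this case.

```python
import re
import xml.etree.ElementTree as ET

# The decoder entry exactly as posted in the thread.
DECODER_XML = r"""<decoder name="ssh-invalid">
<parent>sshd</parent>
<prematch>^sshd[\d+]: Illegal </prematch>
<regex>^sshd[\d+]: Illegal user (\S+) from (\S+)$</regex>
<order>user,srcip</order>
</decoder>"""

# Constructed sample log lines (not taken from a real host).
LOGS = [
    "Mar 2 07:13:30 enigma sshd[4264]: Failed password for invalid user test"
    " from 64.106.134.170 port 58354 ssh2",
    "Mar 2 07:14:01 enigma sshd[4270]: Illegal user admin from 198.51.100.7",
]

# Assumption: the syslog "Mon DD HH:MM:SS host " prefix is stripped before
# decoders run, as ossec-analysisd's pre-decoding does.
SYSLOG_HDR = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ")


def ossec_to_python(pattern):
    """Translate the OSSEC pattern subset used here (\\d+, \\S+, \\w+,
    anchors and capture groups) to Python re; '[' and ']' stay literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and pattern[i:i + 3] in (r"\d+", r"\S+", r"\w+"):
            out.append(pattern[i:i + 3])
            i += 3
        elif pattern[i] in "()^$":
            out.append(pattern[i])
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def decode(decoder_xml, line):
    """Run one decoder over a log line: prematch first, then regex.
    Returns the fields named in <order>, or None when nothing matches."""
    d = ET.fromstring(decoder_xml)
    body = SYSLOG_HDR.sub("", line, count=1)
    if not re.search(ossec_to_python(d.findtext("prematch")), body):
        return None
    m = re.search(ossec_to_python(d.findtext("regex")), body)
    if not m:
        return None
    return dict(zip(d.findtext("order").split(","), m.groups()))


if __name__ == "__main__":
    for log in LOGS:
        print(decode(DECODER_XML, log))  # None, then {'user': 'admin', 'srcip': '198.51.100.7'}
```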