
[ossec-list] Re: sendmail_rules.xml

OSSEC isn't getting these messages at all.

Though I may have made a mistake regarding the Connection throttle...
that probably isn't detected yet.

I'm making my first (lame) attempt at rules on the applicable server:

 <!-- Single-event rule: frequency/same_source_ip only apply to composite
      rules that point at a base rule via if_matched_sid, so they are dropped -->
 <rule id="6000" level="10" ignore="4">
   <match>reject=421 4.3.2 Connection rate limit exceeded</match>
   <description>SMTP connection throttle; usually BOTNET activity.</description>
 </rule>

and for RBLs and /etc/mail/access matches:

 <!-- Base rule: one RBL or access-map rejection; match and regex must both
      hit, and multiple regex elements are OR'ed together -->
 <rule id="6001" level="5">
   <match>reject=553 5.3.0</match>
   <regex>Message from.*blocked</regex>
   <regex>Rejected due to abuse</regex>
   <description>RBL or access rejection</description>
 </rule>

 <!-- Composite rule: frequency/same_source_ip need an if_matched_sid base rule.
      The id 6002 and the 120-second timeframe are example values, not from the post -->
 <rule id="6002" level="10" frequency="4" timeframe="120" ignore="5">
   <if_matched_sid>6001</if_matched_sid>
   <same_source_ip />
   <description>Excessive general connections from RBL and access rejections</description>
 </rule>

Still working on it - constructive criticism/input appreciated ;-)


_F


Daniel Cid wrote:
Hi Forrest,

Ossec is alerting on these events, but not blocking the IPs? Is that
what is happening? Or is ossec not even getting these messages
at all?

Daniel


On 9/7/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:

 I installed the default OSSEC (server) on my internal mail system.

 Since then, it has not triggered any actions on the sendmail file - and
though I'm still trying to grok how OSSEC is working, the rules in
sendmail_rules.xml seem like they should be triggering several events.

Namely:

(annoying botnet flooding)

reject=421 4.3.2 Connection rate limit exceeded.

(rbl rejections)

Sep 7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
I'm using sendmail - but it may be good to account for other MTAs like
Postfix eventually. The RBL reject message for sendmail can be easily
customized/tagged for identification by OSSEC if needed.

In this case, I want to block these subnets on a permanent basis - it's my
private system, and I really don't care.

 Presently, I do this manually with the help of a couple of messy shell
scripts, but OSSEC could be doing this as an action.

 I'm on FreeBSD_6.1, btw... which really shouldn't matter.


 Thanks.




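As an added illustration (not code from the thread or from OSSEC itself), here is a small Python model of what rules of this shape do: a decoder-like regex pulls the relay IP out of sm-mta reject lines, a base rule applies the plain-substring match and the OR'ed regex patterns, and a composite rule counts base hits per source IP inside a timeframe. The sample log is constructed from the quoted sorbs rejection; the other IPs, timestamps and the 4-in-120-seconds threshold are made up for the example.

```python
import re
from collections import defaultdict, deque
# Constructed sample log, modelled on the sm-mta line quoted in the thread;
# the timestamps and the second and third IPs are made up for this example.
SAMPLE_LOG = """\
Sep 7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep 7 13:07:09 mail sm-mta[69282]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep 7 13:07:10 mail sm-mta[69283]: ruleset=check_relay, arg1=[203.0.113.9], relay=[203.0.113.9], reject=553 5.3.0 Rejected due to abuse
Sep 7 13:07:11 mail sm-mta[69284]: ruleset=check_relay, arg1=[198.51.100.4], relay=[198.51.100.4], reject=421 4.3.2 Connection rate limit exceeded.
Sep 7 13:07:12 mail sm-mta[69285]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
Sep 7 13:08:50 mail sm-mta[69286]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
"""
# Stand-in for OSSEC's sendmail decoder: pull the timestamp and the relay IP.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: .*"
                    r"relay=\[(\d+\.\d+\.\d+\.\d+)\], reject=")
# Base rule: <match> is a plain substring, the <regex> elements are OR'ed.
BASE_MATCH = "reject=553 5.3.0"
BASE_REGEXES = [re.compile("Message from.*blocked"), re.compile("Rejected due to abuse")]
FREQUENCY, TIMEFRAME = 4, 120  # composite rule: 4 hits from one source in 120 s

def parse_time(ts):  # seconds since midnight from 'Sep 7 13:07:07'
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def base_rule_hit(line):
    """Return (seconds, srcip) if the line fires the base rule, else None."""
    m = LOG_RE.match(line)
    if not m or BASE_MATCH not in line:
        return None
    if not any(r.search(line) for r in BASE_REGEXES):
        return None
    return parse_time(m.group(1)), m.group(2)

def run_rules(log_text):
    """Return [(srcip, seconds)] for each composite alert raised over the log."""
    recent = defaultdict(deque)  # per-source hit times inside the window
    alerts = []
    for line in log_text.splitlines():
        hit = base_rule_hit(line)
        if hit is None:
            continue
        t, ip = hit
        q = recent[ip]
        q.append(t)
        while t - q[0] > TIMEFRAME:  # expire hits older than the timeframe
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append((ip, t))
            q.clear()  # start a fresh count once the alert has fired
    return alerts
```

Only 60.55.8.6 reaches four base hits inside the window; the 421 throttle line is ignored by this rule because its substring match fails, which is the job of the separate rate-limit rule.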



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.