[ossec-list] Re: sendmail_rules.xml

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Forrest,

Thanks for the information. To solve your sendmail problem, you need to go to
/var/ossec/rules/sendmail_rules.xml and change the rule "3103".
It is currently looking for "reject=553 5.3.0 Spam blocked", but we may need
to change it to "reject=553 5.3.0", since the "Spam blocked" message
is not always there. Also, you will need to add a few more rules looking
for a specific message after the reject, like "Rejected due to abuse", etc.
An example of rule would be:

<rule id="3120" level="9">
 <if_sid>3103</if_sid>
 <match>Rejected due to abuse</match>
  <description>E-mail blocked due to abuse</description>
</rule>

After that, you would need to go to ossec.conf and add a new active response
to block this ip for a longer time (for example one hour):

 <active-response>
   <command>firewall-drop</command>
   <location>local</location>
   <rules_id>3120</rules_id>
   <timeout>3600</timeout>
 </active-response>

Regarding the firewall, during the install we check if PF is available to use.
You can look under active-response/firewalls/ for more scripts. Just copy
the pf one (pf.sh) to /var/ossec/active-responses/bin/firewall-drop.sh

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net






On 9/7/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:
>  I'm using the 0.9.1-a or whatever the latest version was a day or 2 ago.
>
>  I see no mail stuff in /var/ossec/logs/ossec.log, but I see:
>
> 2006/09/07 15:41:04 ossec-remoted(1501): No IP or network allowed in the
> access list for sy
>  slog. No reason for running it. Exiting.
>  2006/09/07 15:41:04 ossec-remoted: Started (pid: 71424).
>  2006/09/07 15:41:04 ossec-remoted: Assigning counter for agent firewall:
> '0:7238'.
>  2006/09/07 15:41:04 ossec-remoted: Assigning sender counter: 0:536
>  2006/09/07 15:41:04 ossec-analysisd: White listing IP: '127.0.0.1'
>  2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.1'
>  2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.2'
>  2006/09/07 15:41:04 ossec-analysisd: 3 IPs in the white list for active
> response
>  Now:  this is a configuration generated from the install... it "should"
> have included an ACL entry to permit the syslog traffic.  Note I white-list
> the applicable IPs.   At the moment, only 192.168.1.1 should be doing remote
> syslog.  Syslog is properly configured on the internal box to permit this.
>
>  Where in the config can I correct this.  This may also be connected to the
> client.keys problem I described earlier.
>
>  These are being logged to /var/log/maillog.
>
>  A couple of log samples...
>
>  Your standard botnet SMTP flooding:
>
>
> Sep  7 01:20:46 mail sm-mta[62946]: ruleset=check_relay,
> arg1=h188.175.141.67.ip.alltel.net
>  , arg2=67.141.175.188, relay=h188.175.141.67.ip.alltel.net
> [67.141.175.188], reject=421 4.3
>  .2 Connection rate limit exceeded.
>
>  My private ACL from /etc/mail/access:
>
>
> Sep  7 05:40:15 mail sm-mta[64376]: ruleset=check_relay,
> arg1=adsl196-97-91-206-196.adsl196
>  -3.iam.net.ma, arg2=196.206.91.97,
> relay=adsl196-97-91-206-196.adsl196-3.iam.net.ma [196.20
>  6.91.97], reject=553 5.3.0 196.206.91 Rejected due to abuse - see
> http://dnsbl.sorbs.net.10
>  102005
>
>  Spamassassin blocks - maybe need to be handled more carefully:
>
>
> Sep  7 02:43:30 mail sm-mta[63495]: k876hJS0063495: Milter: data, reject=550
> 5.7.1 Blocked
>  by SpamAssassin
>
>  A typical RBL rejection from sendmail.  The latter part is variable,
> depending upon the RBL being used, all configurable in the sendmail.mc file:
>
>
> Sep  7 04:31:10 mail sm-mta[64143]: ruleset=check_relay,
> arg1=60-240-56-231.tpgi.com.au, ar
>  g2=127.0.0.3, relay=60-240-56-231.tpgi.com.au [60.240.56.231], reject=553
> 5.3.0 Message fro
>  m 60.240.56.231 blocked - see http://dynablock.njabl.org/
>  Now: in the alerts.log, I do see:
>
>  Rejection:
>
> ** Alert 1157606440.387:
>  2006 Sep 07 01:20:40 mail->/var/log/messages
>  Rule: 3107 (level 4) -> 'Sendmail rejected message.'
>  Src IP: 67.141.175.188
>  User: (none)
>  sm-mta[62943]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net,
> arg2=127.0.0.10, re
>  lay=h188.175.141.67.ip.alltel.net [67.141.175.188], reject=553 5.3.0
> Message from 67.141.17
>  5.188 blocked - see http://dnsbl.sorbs.net
>
>  Rejection based on /etc/mail/access:
>
> ** Alert 1157606492.1885:
>  2006 Sep 07 01:21:32 mail->/var/log/messages
>  Rule: 3107 (level 4) -> 'Sendmail rejected message.'
>  Src IP: 72.72.77.224
>  User: (none)
>  sm-mta[62992]: k875LOZq062992: ruleset=check_mail,
> arg1=<demultiplex.almond@xxxxxxxxxxxxxxx
>  >, relay=static-72-72-77-224.bstnma.east.verizon.net
> [72.72.77.224], reject=553 5.3.0 <demu
>  ltiplex.almond@xxxxxxxxxxxxxxx>... Rejected due to abuse - see
> http://dnsbl.sorbs.net.
>
>  Rejection based on RBL check:
>
> ** Alert 1157614234.4959:
>  2006 Sep 07 03:30:34 mail->/var/log/messages
>  Rule: 3107 (level 4) -> 'Sendmail rejected message.'
>  Src IP: 67.177.205.115
>  User: (none)
>  sm-mta[63921]: ruleset=check_relay,
> arg1=c-67-177-205-115.hsd1.co.comcast.net, arg2=127.0.0
>  .10, relay=c-67-177-205-115.hsd1.co.comcast.net
> [67.177.205.115], reject=553 5.3.0 Message from 67.177.205.115 blocked - see
> http://dnsbl.sorbs.net
>  It doesn't really yet differentiate between the types of rejections, which
> I will need for this setup.  A general sendmail reject isn't enough - it
> needs to know about it, in order to take the proper action:
>
>  It is not detecting the "Connection rate exceeded" error, which hopefully
> my hacky rule will pick up on - for those, I want an outright firewall
> block.  I already have some tables in PF that I use:
>
> spammers (deny only port 25)
>  abuse (deny all)
>  geoip (deny only port 25)
>  Someone said they had or was working on a proper PF firewall_deny.sh script
> for OSSEC... ?
>
>  Checking the active-response directory, I see the incorrect script is
> installed:
>
> #!/bin/sh
>  # Adds an IP to the iptables drop list (if linux)
>  # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
>  # Adds an IP to the ipsec drop list (if aix)
>  # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter
> or AIX with IPSec
>  # Expect: srcip
>  # Author: Ahmet Ozturk (ipfilter and IPSec)
>  # Author: Daniel B. Cid (iptables)
>  # Last modified: Feb 14, 2006
>
>  FreeBSD-6.1 runs "PF" by default (or "IPFW").
>
>  Surely I may have missed a couple of things here as I'm new to OSSEC... mea
> culpa ;-)
>
>
>  Thanks!
>
>  Forrest
>
>
>  Daniel Cid wrote:
> We have rules for sendmail already that should match on them...
>  Where are these messages being logged? Is ossec reading this
>  file? If you look at the sendmail_rules.xml you will see lots of
>  rules for blocking spam, etc...
>
>  Can you show the output of:
>
>  -/var/ossec/logs/ossec.log
>  -The log that is generating these messages (and name of it).
>  -Output of /var/ossec/logs/alerts/alerts.log
>
>  *btw, which version are you using?
>
>  Daniel
>
>  On 9/7/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:
>
> OSSEC isn't getting these messages at all.
>
>  Though I may have made a mistake regarding the Connection throttle..
>  that probably isn't detected yet.
>
>  I'm making my first (lame) attempt at rules on the applicable server:
>
>    <rule id="6000" level="10" frequency="1" ignore="4">
>      <match>reject=421 4.3.2 Connection rate limit exceeded</match>
>      <same_source_ip />
>      <description>SMTP connection throttle; usually BOTNET
>  activity.</description>
>    </rule>
>
>  and for RBLs and /etc/mail/access matches:
>
>  <rule id="6001" level="10" frequency="4" ignore="5">
>      <match>reject=553 5.3.0</match>
>      <regex>Message from.*blocked</regex>
>      <regex>Rejected due to abuse</regex>
>      <same_source_ip />
>      <description>Excessive general connections from RBL and access
>  rejections</description>
>    </rule>
>
>  Still working on it - constructive criticism/input appreciated ;-)