[ossec-list] Re: POP3 brute force rule not firing
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: POP3 brute force rule not firing
- From: Steve West <stevewest15@xxxxxxxxx>
- Date: Wed, 15 Aug 2007 14:42:18 -0400
Hi Dave,
Thank you so much for all of your help!
Just for clarification, our vpopmail logs do NOT have the http:// stuff
which I'm seeing being added in your reply.
It seems that the OSSEC decoder might need a new rule or updating to
catch pop3 brute force attacks where the attacker doesn't send a domain
name (ie user@:69.3.64.3 ... rather than alan@xxxxxxxxxxxxxx: 69.3.64.3).
Daniel, can the decoder vpopmail rules be edited to catch something like
the following:
user@:x.x.x.x
user@somedomain:x.x.x.x
I think this is achievable if the regex is changed to:
(\S+)@\S*:(\d+.\d+.\d+.\d+)$
What do u think? Can anyone else see a problem with this? So, the
decoder rule would be as follows:
<decoder name="vpopmail-notfound">
  <parent>vpopmail</parent>
  <prematch>^vchkpw-pop3: vpopmail user not </prematch>
  <regex offset="after_prematch">^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
And lastly, how can I add custom decoder rules that would survive OSSEC
updates?
thx,
SW
Dave Lowe wrote:
> Hi Steve
>
> Sorry, I was wrong. I can't get the brute force rule (RuleID 9952) to fire.
> I have tried and tried again. No luck.
> I threw 20-30 of the rule 9902 which alerted fine, but didn't trigger
> rule 9952.
>
> Then I took a look at the decoder and the rule.
> The problem is the <same_source_ip /> check.
>
> It appears your logs do not have a source IP.
> Here's the example log submitted that the decoder was written for:
>
> vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxxxxxx:x.x.x.x
>
> And here is an entry from yours:
> Aug 12 11:53:05 mail vpopmail[4416]: vchkpw-pop3: vpopmail user not
> found alan@: 69.3.64.3 <http://69.3.64.3/> <http://69.3.64.3
> <http://69.3.64.3/>>
>
> So, as you can see, OSSEC is unable to tell from your vpopmail log what
> the source IP address is.
>
> Where do we go from here?
> Well, vpopmail versions. Are you running the latest? If so, we can
> update the decoder for vpopmail to match your log format.
>
> In the meantime, you could try to remove the <same_source_ip /> line
> from the 5592 rule.
>
> Daniel, do you have any suggestions?
>
>
> Gotta run, sorry I couldn't be of more help
>
> Dave Lowe
>
>
>
> On 8/15/07, *Steve West* <stevewest15@xxxxxxxxx> wrote:
>
>
> Hi Dave,
>
> Thanks for the reply! I've looked in the /var/ossec/etc/ossec.conf and I
> do have the following entry:
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/maillog</location>
> </localfile>
>
> OSSEC is definitely reading the maillog file as I get other notices sent
> to me via email, such as this email this morning:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.10->/var/log/maillog
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>
> The unfortunate thing is I get lots of emails about things that are less
> significant but the important stuff like brute force attacks I never get
> and I'm at a loss as to why. :-(
>
> Has anyone else ever seen something similar to this? Might OSSEC not be
> reading the log file fully or skipping parts of the log entirely?
>
> thx,
>
> SW
>
> Dave Lowe wrote:
> > Hi Steve,
> >
> > Can you please check to make sure that the maillog file is being
> > monitored on the agent?
> > The following should be in the /var/ossec/etc/ossec.conf on the agent:
> > <localfile>
> >   <log_format>vpopmail</log_format>
> >   <location>/var/log/maillog</location>
> > </localfile>
> >
> > I just tested this out with your log sample, and it worked well.
> >
> > Thanks
> >
> > Dave Lowe
> >
> >
> >
> > On 8/14/07, *Steve West* <stevewest15@xxxxxxxxx> wrote:
> >
> >
> > Hi,
> >
> > I'm trying to figure out why the OSSEC Rule ID 9952 didn't fire even
> > though I'm seeing a number of email harvesters scanning our mail
> > servers?
> >
> > I've checked the OSSEC vpopmail rule file which contains the following
> > rules:
> >
> > <rule id="9902" level="5">
> >   <if_sid>9900</if_sid>
> >   <match>vchkpw-pop3: vpopmail user not found </match>
> >   <group>invalid_login,</group>
> >   <description>Attempt to login with invalid username.</description>
> > </rule>
> >
> >
> > <rule id="9952" level="10" frequency="8" timeframe="240">
> >   <if_matched_sid>9902</if_matched_sid>
> >   <same_source_ip />
> >   <description>POP3 brute force (email harvesting).</description>
> >   <group>authentication_failures,</group>
> > </rule>
> >
> >
> > And the /var/log/maillog contains the following entries:
> >
> > # grep "69\.3\.64\.3" /var/log/maillog.1
> >
> >
> >
> > [root@mail ~]# grep "69\.3\.64\.3" -c /var/log/maillog.1
> > 103
> >
> >
> >
> >
>
>
>
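The decoder change and the <same_source_ip /> dependency discussed in this thread can be checked offline with the following added example, which is not part of the original messages and is not OSSEC code. It translates the proposed regex to Python (assuming OSSEC's regex treats an unescaped "." as a literal dot) and models rule 9952 in simplified form as "8 events from one decoded source IP within 240 seconds". The log lines, the address 192.0.2.10 and the TOLERANT pattern are constructed for illustration.

```python
import re
from collections import defaultdict, deque

PREMATCH = "vchkpw-pop3: vpopmail user not "
# Proposed decoder regex from the message above, translated to Python syntax.
PROPOSED = re.compile(r"^found (\S+)@\S*:(\d+\.\d+\.\d+\.\d+)$")
# Hypothetical variant (not from the thread): also accepts whitespace after ":",
# in case the space seen in some of the quoted log lines is really in the log.
TOLERANT = re.compile(r"^found (\S+)@\S*:\s*(\d+\.\d+\.\d+\.\d+)$")


def decode(line, pattern):
    """Return (user, srcip), or None when the decoder extracts nothing."""
    start = line.find(PREMATCH)
    if start < 0:
        return None
    m = pattern.match(line[start + len(PREMATCH):].rstrip())
    return (m.group(1), m.group(2)) if m else None


def brute_force_sources(events, frequency=8, timeframe=240):
    """Simplified model of rule 9952: list the source IPs that reach
    `frequency` decoded events within `timeframe` seconds.
    events: iterable of (epoch_seconds, srcip_or_None)."""
    windows = defaultdict(deque)
    alerted = []
    for ts, srcip in events:
        if srcip is None:
            continue  # no srcip field, so nothing to correlate on
        win = windows[srcip]
        win.append(ts)
        while ts - win[0] > timeframe:
            win.popleft()
        if len(win) >= frequency and srcip not in alerted:
            alerted.append(srcip)
    return alerted


def replay(lines, pattern):
    """Decode each (timestamp, line) pair, then apply the frequency check."""
    events = []
    for ts, line in lines:
        fields = decode(line, pattern)
        events.append((ts, fields[1] if fields else None))
    return brute_force_sources(events)


def sample(ts, user_at_domain, sep=":"):
    """Build one constructed log line in the format quoted in the thread."""
    return (ts, "vpopmail[4162]: vchkpw-pop3: vpopmail user not found "
                f"{user_at_domain}{sep}192.0.2.10")


NO_DOMAIN = [sample(t, "support@") for t in range(10)]             # user@:ip
WITH_SPACE = [sample(t, "support@", sep=": ") for t in range(10)]  # user@: ip

if __name__ == "__main__":
    print("user@:ip  proposed:", replay(NO_DOMAIN, PROPOSED))
    print("user@: ip proposed:", replay(WITH_SPACE, PROPOSED))
    print("user@: ip tolerant:", replay(WITH_SPACE, TOLERANT))
```

In this model, lines where no srcip is decoded still count as individual invalid-login events but never accumulate toward the composite rule, which matches the behaviour reported in the thread.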
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.