[ossec-list] Re: POP3 brute force rule not firing
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: POP3 brute force rule not firing
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 15 Aug 2007 21:37:15 -0300
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=SgaFoDSohXRwtnhz8Xv5HocYEnuEEzUl2Iup+5ubG0dzu8tcp8rSWBz4iM5pT8T48Lckx5q01t03aS02g18f8ACQrQnjyyUyyP6EfxNzygsVpCPWHTmAShia8u7HXjRKCfkYHt4TGXmIYeNjqUWd6GT1w/KA0fh8RrtIP/i6agg=
Hi Steve,

Thanks for the suggestion. I committed your improved decoder to CVS already and it will be included in the next version. As for having custom decoders, I am thinking of creating a new "local_decoders.xml", because right now all entries in decoders.xml are overwritten during upgrade.

Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/15/07, Steve West <stevewest15@xxxxxxxxx> wrote:
>
> Hi Dave,
>
> Thank you so much for all of your help!
>
> Just for clarification, our vpopmail logs do NOT have the http:// stuff
> which I'm seeing being added in your reply.
>
> It seems that the OSSEC decoder might need a new rule or updating to
> catch pop3 brute force attacks where the attacker doesn't send a domain
> name (i.e. user@:69.3.64.3 ... rather than alan@xxxxxxxxxxxxxx: 69.3.64.3).
>
> Daniel, can the decoder vpopmail rules be edited to catch something like
> the following:
>
> user@:x.x.x.x
> user@somedomain:x.x.x.x
>
> I think this is achievable if the regex is changed to:
>
> (\S+)@\S*:(\d+.\d+.\d+.\d+)$
>
> What do you think? Can anyone else see a problem with this? So, the
> decoder rule would be as follows:
>
> <decoder name="vpopmail-notfound">
>   <parent>vpopmail</parent>
>   <prematch>^vchkpw-pop3: vpopmail user not </prematch>
>   <regex offset="after_prematch">^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$</regex>
>   <order>user, srcip</order>
> </decoder>
>
> And lastly, how can I add custom decoder rules that would survive OSSEC
> updates?
>
> thx,
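The point of the decoder change above is that the brute-force rule can only count failures per source if the decoder actually extracts `srcip` from the "user not found" line, including the form where the client sends no domain. The following script is an added illustration, not code from the thread or from OSSEC: it mirrors the prematch and the proposed regex (translated into Python's `re` dialect, since OSSEC uses its own regex syntax, and with the dots in the address escaped so they match only literal dots), runs it over constructed sample lines, and counts decoded failures per source IP against an assumed threshold standing in for a rule's frequency.

```python
import re
from collections import Counter

# Constructed sample vpopmail log lines (not real entries): two with a domain,
# three where the client sent no domain, and one that does not match the prematch.
SAMPLE_LOGS = [
    "vchkpw-pop3: vpopmail user not found alan@example.com:192.0.2.10",
    "vchkpw-pop3: vpopmail user not found bob@example.com:192.0.2.10",
    "vchkpw-pop3: vpopmail user not found user@:198.51.100.7",
    "vchkpw-pop3: vpopmail user not found admin@:198.51.100.7",
    "vchkpw-pop3: vpopmail user not found root@:198.51.100.7",
    "vchkpw-pop3: password fail alan@example.com:203.0.113.5",
]

# Mirrors the <prematch> element of the decoder posted in the thread.
PREMATCH = "vchkpw-pop3: vpopmail user not "

# The proposed decoder regex in Python syntax (an approximation of the OSSEC
# dialect, not the decoder itself). \S* makes the domain optional, so both
# "user@domain:ip" and "user@:ip" decode; the dots are escaped to match
# literal dots only.
NOTFOUND_RE = re.compile(r"^found (\S+)@\S*:(\d+\.\d+\.\d+\.\d+)$")


def decode(line):
    """Return {'user': ..., 'srcip': ...} for a 'user not found' line, else None."""
    if not line.startswith(PREMATCH):
        return None
    m = NOTFOUND_RE.match(line[len(PREMATCH):])
    if not m:
        return None
    user, srcip = m.groups()
    return {"user": user, "srcip": srcip}


def failures_by_srcip(lines):
    """Count decoded 'user not found' events per source IP."""
    counts = Counter()
    for line in lines:
        fields = decode(line)
        if fields:
            counts[fields["srcip"]] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures.

    `threshold` is an assumed value standing in for the frequency attribute
    of an OSSEC rule; it is not taken from the thread.
    """
    return sorted(ip for ip, n in failures_by_srcip(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
    print("brute force candidates:", brute_force_sources(SAMPLE_LOGS))
```

With the domain-less lines decoding to a `srcip`, the per-source count for 198.51.100.7 reaches the threshold; a decoder that required a domain after `@` would return nothing for those lines, and no frequency rule built on `srcip` could fire.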
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.