
[ossec-list] Re: Can't get OSSEC to fire active response for custom proftpd rule



Daniel Cid wrote:
> Hi Steve,
>
> Are the alerts being generated based on your rule?
No. I don't see anything in /var/ossec/logs/alerts/alerts.log regarding my attempts. I have ossec monitoring my proftpd logs /var/log/proftpd/current but maybe my log file format is not compatible w/ ossec. Here is a sample of my proftpd log file entries which should have invoked my custom rule:

@40000000471f54bc2f83d75c localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
@40000000471f54bc352c4ff4 localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
@40000000471f54bc352cc13c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
@40000000471f54be1b68039c localhost (70.108.23.105[70.108.23.105]) - FTP session closed.
@40000000471f54be228d6bbc localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
@40000000471f54be251d9834 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 26 usecs
@40000000471f54be29cd1a6c localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
@40000000471f54be29cd782c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
@40000000471f54be29ce4f04 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 46 usecs
@40000000471f54c62ad67034 localhost (70.108.23.105[70.108.23.105]) - FTP session closed.

Could it be that my multilog file format is responsible?

thx,

SW
> You need to make sure that the srcip is present in the alert (meaning that
> it was decoded properly), otherwise the active response is not going to fire.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net

> On 10/24/07, Steve West <stevewest15@xxxxxxxxx> wrote:
> > Michael Starks wrote:
> > > Try 21 or 22 invalid logins in 60 seconds.
> > >
> > > -Mike
> >
> > Hi Mike,
> >
> > Thanks for the suggestion! I tried over 25 invalid logins and still ossec
> > active response doesn't fire. Not really sure why but I think it might
> > be related to my rule or the underlying proftpd group rule 11200.
> >
> > SW

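The decode-then-count path Daniel describes, worked through as an added Python example (this is not OSSEC's code and not a drop-in OSSEC decoder): it strips the multilog TAI64N label that Steve's proftpd log carries, pulls the source IP out of the proftpd "(host[ip])" prefix, and applies a per-srcip frequency window; a failed-login event that yields no srcip is never eligible for a response, which is the condition Daniel points at. The function names, the field names and the 10-second TAI/UTC offset are assumptions; the sample lines are the ones Steve quoted above.

```python
import re
from collections import defaultdict, deque

# Sample input: the proftpd/multilog lines quoted earlier in this thread.
SAMPLE_LOG = """@40000000471f54bc2f83d75c localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
@40000000471f54bc352c4ff4 localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
@40000000471f54bc352cc13c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
@40000000471f54be1b68039c localhost (70.108.23.105[70.108.23.105]) - FTP session closed.
@40000000471f54be228d6bbc localhost (70.108.23.105[70.108.23.105]) - FTP session opened.
@40000000471f54be251d9834 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 26 usecs
@40000000471f54be29cd1a6c localhost (70.108.23.105[70.108.23.105]) - no such user 'anonymous'
@40000000471f54be29cd782c localhost (70.108.23.105[70.108.23.105]) - USER anonymous: no such user found from 70.108.23.105 [70.108.23.105] to xxx.xxx.xxx.:21
@40000000471f54be29ce4f04 localhost (70.108.23.105[70.108.23.105]) - mod_delay/0.5: delaying for 46 usecs
@40000000471f54c62ad67034 localhost (70.108.23.105[70.108.23.105]) - FTP session closed."""

# multilog writes a TAI64N label: '@' + 16 hex chars (TAI seconds + 2^62) + 8 hex chars (nanoseconds).
TAI64N_RE = re.compile(r"^@([0-9a-fA-F]{16})([0-9a-fA-F]{8}) (.*)$")
# proftpd's default line layout after the label: "host (rhost[ip]) - message".
PROFTPD_RE = re.compile(r"^(?P<host>\S+) \((?P<rhost>[^\[]*)\[(?P<srcip>[^\]]+)\]\) - (?P<msg>.*)$")
# The authentication-failure message we want to count.
FAILED_RE = re.compile(r"^USER (?P<user>[^:\s]+): no such user found from ")

TAI64_EPOCH_OFFSET = 1 << 62
TAI_UTC_OFFSET = 10  # assumption: daemontools' default when no leap-second table is installed


def tai64n_to_unix(label):
    """Convert a '@...' TAI64N label to Unix seconds (float)."""
    m = re.match(r"^@([0-9a-fA-F]{16})([0-9a-fA-F]{8})$", label)
    if not m:
        raise ValueError("not a TAI64N label: %r" % label)
    secs = int(m.group(1), 16) - TAI64_EPOCH_OFFSET - TAI_UTC_OFFSET
    nanos = int(m.group(2), 16)
    return secs + nanos / 1e9


def decode_line(line):
    """Decode one multilog/proftpd line into an event dict, or None if it is not multilog-prefixed.

    'srcip' is None when the proftpd prefix does not match, which is the case in
    which an alert could be raised but an active response could never fire."""
    m = TAI64N_RE.match(line.strip())
    if not m:
        return None
    ts = tai64n_to_unix("@" + m.group(1) + m.group(2))
    body = m.group(3)
    p = PROFTPD_RE.match(body)
    if not p:
        return {"timestamp": ts, "srcip": None, "msg": body, "failed_login": False, "user": None}
    f = FAILED_RE.match(p.group("msg"))
    return {
        "timestamp": ts,
        "srcip": p.group("srcip"),
        "msg": p.group("msg"),
        "failed_login": f is not None,
        "user": f.group("user") if f else None,
    }


def find_bruteforce(lines, threshold, timeframe=60):
    """Sliding-window frequency check per source IP, like an OSSEC rule with
    frequency=threshold and timeframe=timeframe. Returns one alert per burst."""
    window = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = decode_line(line)
        if ev is None or not ev["failed_login"]:
            continue
        if ev["srcip"] is None:
            # Nothing to block: skip rather than raise an alert no response could act on.
            continue
        q = window[ev["srcip"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > timeframe:
            q.popleft()  # drop attempts older than the timeframe
        if len(q) >= threshold:
            alerts.append({"srcip": ev["srcip"], "count": len(q), "timestamp": ev["timestamp"]})
            q.clear()  # start a fresh window after firing
    return alerts


if __name__ == "__main__":
    for ev in map(decode_line, SAMPLE_LOG.splitlines()):
        print(ev)
    # Threshold 2 so the two failed USER lines in the sample produce one alert.
    print(find_bruteforce(SAMPLE_LOG.splitlines(), threshold=2, timeframe=60))
```

Running it against the quoted log shows every line decoding with a srcip, and the two "no such user found" events two seconds apart producing a single alert for 70.108.23.105. If a decoder expected a syslog-style prefix instead, the leading "@4000..." label would make TAI64N_RE's equivalent fail and no event, and therefore no srcip, would ever reach the frequency stage.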



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.