For anybody who is interested I have started to put together a collection of
OSSEC rules for Zimbra; and will hopefully find there way onto the
Zimbra :: Wiki in the not too distance future.
Once OSSEC has been installed one needs to update the decoder rules, on the OSSEC hub, located <ossec_path>/etc/local_decoder.xml
Code:
<!--
Zimbra OSSEC
-->
<decoder name="zimbra">
<prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
</decoder>
<decoder name="zimbra-preauth-failed">
<parent>zimbra</parent>
<prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
<regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
<order>user, srcip</order>
</decoder>
<decoder name="zimbra-preauth-passed">
<parent>zimbra</parent>
<prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
<regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
<order>user, srcip</order>
</decoder>
<decoder name="zimbra-unknown-account">
<parent>zimbra</parent>
<prematch offset="after_parent">account not found$</prematch>
<regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
<order>srcip, user</order>
</decoder>
<decoder name="zimbra-invalid-password">
<parent>zimbra</parent>
<prematch offset="after_parent">invalid password$</prematch>
<regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
<order>user, srcip</order>
</decoder>
now we have to tell OSSEC about the rules we wish to generate so one would update <ossec_path>/rules/local_rules.xml
Code:
<!-- Zimbra Rules -->
<group name="zimbra,">
<rule id="100100" level="0">
<decoded_as>zimbra</decoded_as>
<description>Zimbra Messages Grouped</description>
</rule>
<rule id="100101" level="3">
<if_sid>100100</if_sid>
<match>account not found$</match>
<description>Account Unknown</description>
<group>account_unknown,zimbra_failures,</group>
</rule>
<rule id="100102" level="3">
<if_sid>100100</if_sid>
<match>invalid password$</match>
<description>Invalid Password</description>
<group>invalid_password,</group>
</rule>
<rule id="100103" level="5">
<if_sid>100100</if_sid>
<match>preauth mismatch;$</match>
<description>Preauth Mismatch</description>
<group>preauth_mismatch,zimbra_failures,</group>
</rule>
<rule id="100104" level="5">
<if_sid>100100</if_sid>
<match>cmd=PreAuth</match>
<description>Preauth Passed</description>
<group>preauth_passed,zimbra_passed,</group>
</rule>
<!-- Correlated rules -->
<rule id="100110" level="8" frequency="5" timeframe="60">
<if_matched_group>zimbra_failures</if_matched_group>
<same_source_ip />
<description>Zimbra Potential Brute Force Attack</description>
</rule>
<rule id="100111" level="8" frequency="5" timeframe="60">
<if_matched_group>zimbra_passed</if_matched_group>
<same_source_ip />
<description>Zimbra Excessive Pre-Authentication Passes</description>
</rule>
</group> One must also inform OSSEC to monitor the necessary Zimbra files which is actioned by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf
Code:
<agent_config name = "whatever_you_called_your_zimbra_server">
<localfile>
<location>/opt/zimbra/log/mailbox.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/zimbra/log/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/zimbra.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
One will then need to restart OSSEC on the hub
Code:
service ossec restart
and on the remote Zimbra node using
Code:
<ossec_path>/bin/agent_control -l
which will list the installed agents; and then using the ID allocated to the Zimbra server
Code:
<ossec_path>/bin/agent_control -R <ID>
Bugzilla
Wiki
Source
OSSEC Rules 
Linear Mode
