OSSEC Rules

[uxbod]

For anybody who is interested I have started to put together a collection of OSSEC rules for Zimbra; and will hopefully find there way onto the Zimbra :: Wiki in the not too distance future.

Once OSSEC has been installed one needs to update the decoder rules, on the OSSEC hub, located <ossec_path>/etc/local_decoder.xml

Code:

<!--
  Zimbra OSSEC
-->

<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
</decoder>

<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password$</prematch>
  <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>

now we have to tell OSSEC about the rules we wish to generate so one would update <ossec_path>/rules/local_rules.xml

Code:

<!-- Zimbra Rules -->

<group name="zimbra,">

  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>

  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch;$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>

  <rule id="100104" level="5">
    <if_sid>100100</if_sid>
    <match>cmd=PreAuth</match>
    <description>Preauth Passed</description>
    <group>preauth_passed,zimbra_passed,</group>
  </rule>

<!-- Correlated rules -->

  <rule id="100110" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Potential Brute Force Attack</description>
  </rule>

 <rule id="100111" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_passed</if_matched_group>
    <same_source_ip />
    <description>Zimbra Excessive Pre-Authentication Passes</description>
  </rule>

</group>

One must also inform OSSEC to monitor the necessary Zimbra files which is actioned by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf

Code:

<agent_config name = "whatever_you_called_your_zimbra_server">
<localfile>
<location>/opt/zimbra/log/mailbox.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/zimbra/log/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/zimbra.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>

One will then need to restart OSSEC on the hub

Code:

service ossec restart

and on the remote Zimbra node using

Code:

<ossec_path>/bin/agent_control -l

which will list the installed agents; and then using the ID allocated to the Zimbra server

Code:

<ossec_path>/bin/agent_control -R <ID>

[mek]

Do you know of any way to get this working using Zimbra's SMTP server for e-mail notifications. By my understanding OSSEC only works with SMTP servers that have no authentication. Since I will be running this on a 1 box solution that means I am unable to make OSSEC use e-mail notifications.

Is there any kind of workaround or are you forced to use another SMTP server?

Thanks a lot for putting the time into this, I am looking forward to getting it up and running.

[phoenix]

Since I will be running this on a 1 box solution that means I am unable to make OSSEC use e-mail notifications.

Why is that a problem for send notifications?

[mek]

As I mentioned OSSEC does not have the ability to put in a username and password on the SMTP. It just gives you an address field and assumes use of a non authenticated SMTP.

[uxbod]

Why would it be a issue ? If OSSEC is installed on the same server then due to the Postfix restrictions it will allow the email to be delivered. Just set the SMTP host in Postfix to 127.0.0.1.

[phoenix]

As I mentioned OSSEC does not have the ability to put in a username and password on the SMTP. It just gives you an address field and assumes use of a non authenticated SMTP.

You shouldn't need to authenticate if you're on the same subnet.

[mek]

Ah great thanks a lot

I will let you know how it goes!

[pixelplumber]

Hi uxbod, thanks for starting these!

I've just discovered ossec and would like to implement it. We've recently had quite a few attempts to brute force some accounts using direct soap requests rather than going throught the web interface as far as I can tell.

This method seems to bypass the web ui lockout rules, in that this particular IP tried about 1/sec for 9 hours.

Seems to be similar to this thread: honey auth failed: authentication failed for honey

And this one: Account Lockout: How to find IP address of soap - AuthRequest

Do these ossec rules cover this scenario? I'd love to be able to get the active response feature I've read about configured to automatically block this annoyance.