
Thread: OSSEC Rules

  1. #1
    uxbod, Moderator (UK; joined Nov 2006; 8,017 posts)

    OSSEC Rules

    For anybody who is interested, I have started to put together a collection of OSSEC rules for Zimbra, which will hopefully find their way onto the Zimbra :: Wiki in the not too distant future.

    Once OSSEC has been installed one needs to update the decoder rules, on the OSSEC hub, located at <ossec_path>/etc/local_decoder.xml
    Code:
    <!--
      Zimbra OSSEC
    -->
    
    <!-- Parent decoder: matches the "YYYY-MM-DD HH:MM:SS,ms WARN/INFO" prefix of the
         Zimbra logs; the child decoders below are only tried on lines it has matched -->
    <decoder name="zimbra">
      <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
    </decoder>
    
    <!-- PreAuth mismatch: extracts the account name and client IP as user / srcip -->
    <decoder name="zimbra-preauth-failed">
      <parent>zimbra</parent>
      <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
      <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
      <order>user, srcip</order>
    </decoder>
    
    <!-- Successful PreAuth: same fields, so the pass/fail rules can correlate by srcip -->
    <decoder name="zimbra-preauth-passed">
      <parent>zimbra</parent>
      <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
      <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
      <order>user, srcip</order>
    </decoder>
    
    <!-- SOAP AuthRequest against a non-existent account: no name= field is present,
         so the IP comes from oip= and the attempted account from the exception text -->
    <decoder name="zimbra-unknown-account">
      <parent>zimbra</parent>
      <prematch offset="after_parent">account not found$</prematch>
      <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
      <order>srcip, user</order>
    </decoder>
    
    <!-- SOAP AuthRequest with a wrong password for an existing account -->
    <decoder name="zimbra-invalid-password">
      <parent>zimbra</parent>
      <prematch offset="after_parent">invalid password$</prematch>
      <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
      <order>user, srcip</order>
    </decoder>
    Now we have to tell OSSEC about the rules we wish to generate, so one would update <ossec_path>/rules/local_rules.xml
    Code:
    <!-- Zimbra Rules -->
    
    <group name="zimbra,">
    
      <!-- Grouping rule: every line the "zimbra" decoder matched lands here (level 0 = no alert) -->
      <rule id="100100" level="0">
        <decoded_as>zimbra</decoded_as>
        <description>Zimbra Messages Grouped</description>
      </rule>
    
      <!-- Child rules: refine 100100 by matching the message text; the <group> tags
           feed the correlated rules further down -->
      <rule id="100101" level="3">
        <if_sid>100100</if_sid>
        <match>account not found$</match>
        <description>Account Unknown</description>
        <group>account_unknown,zimbra_failures,</group>
      </rule>
    
      <rule id="100102" level="3">
        <if_sid>100100</if_sid>
        <match>invalid password$</match>
        <description>Invalid Password</description>
        <group>invalid_password,</group>
      </rule>
    
      <rule id="100103" level="5">
        <if_sid>100100</if_sid>
        <match>preauth mismatch;$</match>
        <description>Preauth Mismatch</description>
        <group>preauth_mismatch,zimbra_failures,</group>
      </rule>
    
      <rule id="100104" level="5">
        <if_sid>100100</if_sid>
        <match>cmd=PreAuth</match>
        <description>Preauth Passed</description>
        <group>preauth_passed,zimbra_passed,</group>
      </rule>
    
    <!-- Correlated rules: 5 events in the named group from the same source IP within 60 s -->
    
      <rule id="100110" level="8" frequency="5" timeframe="60">
        <if_matched_group>zimbra_failures</if_matched_group>
        <same_source_ip />
        <description>Zimbra Potential Brute Force Attack</description>
      </rule>
    
      <rule id="100111" level="8" frequency="5" timeframe="60">
        <if_matched_group>zimbra_passed</if_matched_group>
        <same_source_ip />
        <description>Zimbra Excessive Pre-Authentication Passes</description>
      </rule>
    
    </group>
    One must also inform OSSEC to monitor the necessary Zimbra files, which is actioned by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf
    Code:
    <agent_config name="whatever_you_called_your_zimbra_server">
      <localfile>
        <location>/opt/zimbra/log/mailbox.log</location>
        <log_format>syslog</log_format>
      </localfile>
      <localfile>
        <location>/opt/zimbra/log/audit.log</location>
        <log_format>syslog</log_format>
      </localfile>
      <localfile>
        <location>/var/log/zimbra.log</location>
        <log_format>syslog</log_format>
      </localfile>
    </agent_config>
    One will then need to restart OSSEC on the hub
    Code:
    service ossec restart
    and on the remote Zimbra node using
    Code:
    <ossec_path>/bin/agent_control -l
    which will list the installed agents; and then using the ID allocated to the Zimbra server
    Code:
    <ossec_path>/bin/agent_control -R <ID>

  2. #2
    mek, Active Member (France; joined Feb 2010; 45 posts)

    Do you know of any way to get this working using Zimbra's SMTP server for e-mail notifications? By my understanding OSSEC only works with SMTP servers that have no authentication. Since I will be running this on a one-box solution, that means I am unable to make OSSEC use e-mail notifications.

    Is there any kind of workaround or are you forced to use another SMTP server?

    Thanks a lot for putting the time into this, I am looking forward to getting it up and running.

  3. #3
    phoenix, Zimbra Consultant & Moderator (Vannes, France; joined Sep 2005; 23,492 posts)

    Quote (originally posted by mek):
    Since I will be running this on a 1 box solution that means I am unable to make OSSEC use e-mail notifications.

    Why is that a problem for sending notifications?

    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    mek, Active Member (France; joined Feb 2010; 45 posts)

    As I mentioned OSSEC does not have the ability to put in a username and password on the SMTP. It just gives you an address field and assumes use of a non authenticated SMTP.

  5. #5
    uxbod, Moderator (UK; joined Nov 2006; 8,017 posts)

    Why would it be an issue? If OSSEC is installed on the same server then, due to the Postfix restrictions, it will allow the email to be delivered. Just set the SMTP host in Postfix to 127.0.0.1.

  6. #6
    phoenix, Zimbra Consultant & Moderator (Vannes, France; joined Sep 2005; 23,492 posts)

    Quote (originally posted by mek):
    As I mentioned OSSEC does not have the ability to put in a username and password on the SMTP. It just gives you an address field and assumes use of a non authenticated SMTP.

    You shouldn't need to authenticate if you're on the same subnet.

    Regards
    Bill



  7. #7
    mek, Active Member (France; joined Feb 2010; 45 posts)

    Ah great, thanks a lot!

    I will let you know how it goes!

  8. #8
    pixelplumber, Active Member (joined Mar 2007; 45 posts)

    Hi uxbod, thanks for starting these!

    I've just discovered OSSEC and would like to implement it. We've recently had quite a few attempts to brute-force some accounts using direct SOAP requests rather than going through the web interface, as far as I can tell.

    This method seems to bypass the web ui lockout rules, in that this particular IP tried about 1/sec for 9 hours.

    Seems to be similar to this thread: honey auth failed: authentication failed for honey

    And this one: Account Lockout: How to find IP address of soap - AuthRequest

    Do these ossec rules cover this scenario? I'd love to be able to get the active response feature I've read about configured to automatically block this annoyance.

  9. #9
    rotorboy, Special Member (Canada; joined Mar 2008; 148 posts)

    Greetings!

    Are folks still using these example configurations? I've installed OSSEC 2.7.1-Beta on a Zimbra 7.2.5 server to try and help detect events. I'd love to know if the above configurations are up-to-date and in use by anyone with a similar setup.

  10. #10
    ABP13, Junior Member (Canada; joined Mar 2013; 5 posts)

    Hello,

    I have OSSEC v2.7.1 installed and followed the steps as outlined above. I tested an account for password failure and Zimbra locked the account but I never received any alerts from OSSEC.

    I am receiving other alerts from Zimbra/OSSEC but the password/account lockout didn't trigger an alert.

    Any help would be appreciated. Has anyone updated these configurations?


    Here is a sample of /opt/zimbra/log/mailbox.log:

    2013-12-04 22:56:34,900 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [name=XXX@XXXXX.com;oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] SoapEngine - handler exception: authentication failed for [XXX], invalid password
    2013-12-04 22:56:34,900 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [name=XXX@XXXXX.com;oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] soap - AuthRequest elapsed=4
    2013-12-04 22:56:36,155 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [name=XXX@XXXXX.com;oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] SoapEngine - handler exception: authentication failed for [XXX], account lockout
    2013-12-04 22:56:36,155 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [name=XXX@XXXXX.com;oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] soap - AuthRequest elapsed=3
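As an added illustration that is not part of this thread, the following Python script is a stand-in for the decoder and rule chain from post #1, run over constructed mailbox.log lines in the layout ABP13 quoted above (account names and IPs are placeholders). The regexes are Python re approximations of the os_regex patterns, not OSSEC's own engine; the script shows which rule each line reaches and makes visible that the "account lockout" line matches no rule and that "invalid password" lines are not in the zimbra_failures group that feeds the brute-force correlation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python stand-in for the decoders: parent prematch, then the [name=..;oip=..;] block (name= may be absent)
PARENT = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ (?:WARN|INFO)")
FIELDS = re.compile(r"\[(?:name=(?P<user>[^;\]]+);)?oip=(?P<srcip>\d+\.\d+\.\d+\.\d+);")
# (id, level, <match> text, groups) from local_rules.xml; first hit wins, so "preauth mismatch;" precedes "cmd=PreAuth"
CHILD_RULES = [(100101, 3, "account not found", {"account_unknown", "zimbra_failures"}),
               (100102, 3, "invalid password", {"invalid_password"}),
               (100103, 5, "preauth mismatch;", {"preauth_mismatch", "zimbra_failures"}),
               (100104, 5, "cmd=PreAuth", {"preauth_passed", "zimbra_passed"})]
CORRELATED = {"zimbra_failures": 100110, "zimbra_passed": 100111}  # level 8, 5 hits in 60 s, same source IP
def decode(line):  # decoded event, or None when the parent decoder does not match
    if not PARENT.match(line):
        return None
    m = FIELDS.search(line)
    return {"ts": datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f"), "msg": line,
            "user": m.group("user") if m else None, "srcip": m.group("srcip") if m else None}
def classify(event):  # child rule (id, level, groups); 100100 / level 0 raises no alert
    for rule_id, level, needle, groups in CHILD_RULES:
        if needle in event["msg"]:
            return rule_id, level, groups
    return 100100, 0, set()
def run(log, frequency=5, timeframe=60):  # [(rule id, level, srcip)] for every alert raised
    alerts, window = [], defaultdict(deque)
    for event in filter(None, map(decode, log.splitlines())):
        rule_id, level, groups = classify(event)
        if level > 0:
            alerts.append((rule_id, level, event["srcip"]))
        for group, corr_id in CORRELATED.items():  # sliding window per (group, source IP)
            if group in groups and event["srcip"]:
                hits = window[(group, event["srcip"])]
                hits.append(event["ts"])
                while event["ts"] - hits[0] > timedelta(seconds=timeframe):
                    hits.popleft()
                if len(hits) >= frequency:
                    alerts.append((corr_id, 8, event["srcip"]))
                    hits.clear()
    return alerts
def _line(ts, fields, reason):  # constructed mailbox.log line in the layout quoted in post #10
    return (f"2013-12-04 {ts} INFO [qtp1-13:http://127.0.0.1:80/service/soap/AuthRequest] "
            f"[{fields}ua=zclient/8.0.5_GA_5839;] SoapEngine - handler exception: "
            f"authentication failed for [user], {reason}")
# Constructed sample: one bad password, five unknown accounts, then Zimbra's own lockout line
SAMPLE_EVENTS = ([("22:56:34,900", "name=user@example.com;oip=192.0.2.10;", "invalid password")]
                 + [(f"22:57:{10 + i:02d},000", "oip=192.0.2.10;", "account not found") for i in range(5)]
                 + [("22:58:36,155", "name=user@example.com;oip=192.0.2.10;", "account lockout")])
SAMPLE_LOG = "\n".join(_line(*event) for event in SAMPLE_EVENTS)
```

Running `run(SAMPLE_LOG)` yields one 100102 alert, five 100101 alerts and one 100110 correlation alert for 192.0.2.10, and nothing for the final lockout line.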
