Re: Help with custom regex rules
Posted: 11 Jun 2015, 20:21
by firewallman
I just made them so it is too early to tell yet.
The YLMF-PC change you gave me yesterday works!
Re: Help with custom regex rules
Posted: 11 Jun 2015, 20:26
by Sergio
Good to know.
Let me know if the recent changes worked for you.
Re: Help with custom regex rules
Posted: 15 Jun 2015, 19:53
by firewallman
Sergio, everything works fine! The modified rules worked for courier, and yesterday I converted to dovecot and they work for dovecot also!
Thank you very much for your help.
Re: Help with custom regex rules
Posted: 15 Jun 2015, 20:38
by Sergio
no problem.
Re: Help with custom regex rules
Posted: 17 Jun 2015, 12:59
by firewallman
Sergio, I may have spoken too soon. It seems that dovecot logs slightly differently for the set_id failures than courier did on my server.
Would you take a look at these two log lines from failed set_id logins and see if you can adapt your SETID custom rule to it?
2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)
2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)
Your custom rule I am trying to use:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Re: Help with custom regex rules
Posted: 17 Jun 2015, 14:58
by Sergio
As I said before, you have to modify the regex for this to work, replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=
by this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=
You already made the modification, continue using the rules with the changes I suggested.
Sergio
Re: Help with custom regex rules
Posted: 17 Jun 2015, 16:50
by firewallman
Sergio wrote: As I said before, you have to modify the regex for this to work, replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=
by this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=
You already made the modification, continue using the rules with the changes I suggested.
Sergio
Hmmm, I already had it that way and the two log lines from yesterday that I just posted got by it.
I only re-posted your original SETID rule so you would know which one I was referring to. I had already made the previous changes you suggested.
Below is what I have now and have had since you gave me the modification last week and it appears to be identical to what you just posted:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Here are the two log lines that the above didn't catch:
2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)
2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)
Re: Help with custom regex rules
Posted: 17 Jun 2015, 19:06
by Sergio
Ok, if you see the sample logs in my regex it shows:
2014-02-18 14:53:52 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.114]:51435: 535 Incorrect authentication data (set_id=admin)
2014-02-20 11:45:27 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.215]:64421: 535 Incorrect authentication data (set_id=admin)
So, this rule will only catch "(set_id=test)" without an "@.....", and your log lines show:
2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)
2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)
If you want the rule to block your logs, change this:
|xerox)\)/)) to |xerox)\@/))
you have to be careful as this could give a lot of FP.
Sergio
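The following is an added test harness, not code from the thread or from the CSF project, that runs the rule regex from this exchange over the sample log lines to show why the `\)` ending misses the `set_id=test@domain` lines, what the suggested `\@` ending catches instead, and the false-positive case Sergio warns about. It evaluates the Perl pattern with Python's `re` module (the constructs used here behave identically in both engines), shortens the long username alternation to a representative subset, and mimics the CSF rule's return tuple in `check_line`. The log lines from the thread are embedded unwrapped; the "legitimate user" line and the combined `(?:\)|\@)` variant are my own additions and go one step beyond the thread.

```python
import re

# Abbreviated stand-in for the ~150-name set_id alternation used in the thread;
# the real rule lists many more names, this subset is enough to exercise the endings.
SETIDS = r"(admin|info|postmaster|sales|support|test1?u?s?e?r?|user1?s?|xerox)"

# Common prefix of Sergio's adapted rule: loose process/timestamp prefix, any
# *_login authenticator, then the connecting IP captured from "[ip]:port".
PREFIX = (
    r"\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+"
    r".*Incorrect authentication data \(set_id=" + SETIDS
)

# Rule as posted: set_id must be a bare name, i.e. immediately followed by ")".
RULE_PAREN = re.compile(PREFIX + r"\)")
# Sergio's suggested change: set_id must be a listed name followed by "@" (any domain).
RULE_AT = re.compile(PREFIX + r"\@")
# Added generalisation (not from the thread): accept either form in one rule.
RULE_EITHER = re.compile(PREFIX + r"(?:\)|\@)")

# Sample lines quoted in the thread (2014 lines are from Sergio's rule comments,
# 2015 lines are firewallman's dovecot lines, shown unwrapped).
OLD_LINES = [
    "2014-02-18 14:53:52 dovecot_login authenticator failed for (127.0.0.1) "
    "[67.222.134.114]:51435: 535 Incorrect authentication data (set_id=admin)",
    "2014-02-20 11:45:27 dovecot_login authenticator failed for (127.0.0.1) "
    "[67.222.134.215]:64421: 535 Incorrect authentication data (set_id=admin)",
]
NEW_LINES = [
    "2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for "
    "173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 "
    "I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)",
    "2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) "
    "[134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data "
    "(set_id=test@anotherdomain.com)",
]
# Constructed line: a real mailbox user (info@ on your own domain) mistyping a
# password once from a documentation-range address. Not from the thread.
LEGIT_LINE = (
    "2015-06-17 09:12:03 [4021] dovecot_login authenticator failed for (USER) "
    "[203.0.113.5]:40211 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data "
    "(set_id=info@example.com)"
)


def check_line(line, rule):
    """Mirror the CSF custom rule: return the block tuple on a hit, else None."""
    m = rule.search(line)  # Perl's =~ is unanchored, so use search, not match
    if not m:
        return None
    # Same shape as: return ("smtp_auth attack",$1,"SecmasSETID","1","1");
    return ("smtp_auth attack", m.group(1), "SecmasSETID", "1", "1")


def summarize(rule):
    """Count which sample lines a rule variant would act on."""
    hits_old = sum(check_line(l, rule) is not None for l in OLD_LINES)
    hits_new = sum(check_line(l, rule) is not None for l in NEW_LINES)
    false_positive = check_line(LEGIT_LINE, rule) is not None
    return {"old": hits_old, "new": hits_new, "legit_user_blocked": false_positive}


if __name__ == "__main__":
    for name, rule in (("\\)", RULE_PAREN), ("\\@", RULE_AT), ("either", RULE_EITHER)):
        print(f"ending {name:7s}: {summarize(rule)}")
```

Running it shows the trade-off in the thread: the `\)` ending catches the bare `set_id=admin` lines but none of the `set_id=test@...` lines, while the `\@` ending catches the new lines but stops matching the bare ones and also fires on the constructed legitimate `info@example.com` typo, which is the false-positive risk Sergio mentions. The combined ending keeps both behaviours; whichever ending you use, the trigger count in the rule's return tuple is what limits how quickly a single mistyped password from a real user gets an address blocked.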
Re: Help with custom regex rules
Posted: 17 Jun 2015, 19:20
by firewallman
So changing |xerox)\)/)) to |xerox)\@/)) will match any domain name after the @ that has one of the setids listed in the array?
Re: Help with custom regex rules
Posted: 17 Jun 2015, 22:52
by Sergio
yes, right.