Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add decoders to extract the username field from failed login logs of proftpd #740

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

NitroCao
Copy link

@NitroCao NitroCao commented Aug 6, 2020

ossec-logtest

2020/08/05 21:23:21 ossec-testrule: INFO: Started (pid: 30188).
ossec-testrule: Type one log per line.

Aug  5 20:33:46 myhost proftpd[13287]: 10.22.136.85 (10.22.33.14[10.22.33.14]) - USER anonymous: no such user found from 10.22.33.14 [10.22.33.14] to ::ffff:10.22.136.85:21


**Phase 1: Completed pre-decoding.
       full event: 'Aug  5 20:33:46 myhost proftpd[13287]: 10.22.136.85 (10.22.33.14[10.22.33.14]) - USER anonymous: no such user found from 10.22.33.14 [10.22.33.14] to ::ffff:10.22.136.85:21'
       timestamp: 'Aug  5 20:33:46'
       hostname: 'myhost'
       program_name: 'proftpd'
       log: '10.22.136.85 (10.22.33.14[10.22.33.14]) - USER anonymous: no such user found from 10.22.33.14 [10.22.33.14] to ::ffff:10.22.136.85:21'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '10.22.33.14'
       srcuser: 'anonymous'

**Phase 3: Completed filtering (rules).
       Rule id: '11203'
       Level: '5'
       Description: 'proftpd: Attempt to login using a non-existent user.'




Aug  5 20:34:54 myhost proftpd[13378]: 10.22.136.85 (222.186.52.78[222.186.52.78]) - USER root (Login failed): Incorrect password


**Phase 1: Completed pre-decoding.
       full event: 'Aug  5 20:34:54 myhost proftpd[13378]: 10.22.136.85 (222.186.52.78[222.186.52.78]) - USER root (Login failed): Incorrect password'
       timestamp: 'Aug  5 20:34:54'
       hostname: 'myhost'
       program_name: 'proftpd'
       log: '10.22.136.85 (222.186.52.78[222.186.52.78]) - USER root (Login failed): Incorrect password'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '222.186.52.78'
       dstuser: 'root'

**Phase 3: Completed filtering (rules).
       Rule id: '11204'
       Level: '5'
       Description: 'proftpd: Login failed accessing the FTP server'
**Alert to be generated.




Aug  5 21:14:18 myhost proftpd[17655]: 10.22.136.85 (10.22.126.169[10.22.126.169]) - USER cronftp (Login failed): authentication via 'ssh-dss' public key failed


**Phase 1: Completed pre-decoding.
       full event: 'Aug  5 21:14:18 myhost proftpd[17655]: 10.22.136.85 (10.22.126.169[10.22.126.169]) - USER cronftp (Login failed): authentication via 'ssh-dss' public key failed'
       timestamp: 'Aug  5 21:14:18'
       hostname: 'myhost'
       program_name: 'proftpd'
       log: '10.22.136.85 (10.22.126.169[10.22.126.169]) - USER cronftp (Login failed): authentication via 'ssh-dss' public key failed'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '10.22.126.169'
       srcuser: 'cronftp'

**Phase 3: Completed filtering (rules).
       Rule id: '11204'
       Level: '5'
       Description: 'proftpd: Login failed accessing the FTP server'

@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant