List: ossec-list
Subject: [ossec-list] Re: Seeking help with two Windows FTP rules
From: "Peter M. Abraham" <peter.abraham () dynamicnet ! net>
Date: 2010-02-26 0:23:38
Message-ID: 3489d51c-b763-462e-ae8e-e562dbb9753a () d2g2000yqa ! googlegroups ! com
Greetings Daniel:
I head out to dinner, come back, and there are close to 400 alerts where the
ignore is being ignored.
OSSEC HIDS Notification.
2010 Feb 25 18:57:01
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:56:59 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:58 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:57 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:56 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:55 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:55 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 31 FTP - - -
2010-02-25 23:56:55 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:53 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:52 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:56:51 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Feb 25 18:57:13
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:57:07 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:06 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 16 FTP - - -
2010-02-25 23:57:06 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:05 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 15 FTP - - -
2010-02-25 23:57:05 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:04 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:03 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:03 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:02 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:01 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Feb 25 18:57:21
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:57:17 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:16 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:15 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:15 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 16 FTP - - -
2010-02-25 23:57:15 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:14 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:13 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:11 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:10 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:10 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Feb 25 18:57:29
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:57:26 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 79 FTP - - -
2010-02-25 23:57:26 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:25 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:24 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:23 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:23 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:22 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:21 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:20 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:19 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Feb 25 18:57:41
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:57:37 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:36 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:35 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:35 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:34 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:33 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:32 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:30 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:29 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:28 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Feb 25 18:57:49
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:57:47 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:46 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:45 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:44 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:43 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:43 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:42 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:41 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:40 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:57:39 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

And so on...
OSSEC HIDS Notification.
2010 Feb 25 18:59:18
Received From: (Our Windows Server) UNIQUE IP OF WINDOWS SERVER->\hslogfiles\ftp\MSFTPSVC1\ex100225.log
Rule: 11510 fired (level 13) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):
2010-02-25 23:59:14 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 15 FTP - - -
2010-02-25 23:59:14 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:13 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:12 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:12 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:11 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:10 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:09 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:08 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
2010-02-25 23:59:08 77.243.105.139 - MSFTPSVC1 WIN2 UNIQUE IP OF WINDOWS SERVER 21 [37]PASS - - 530 1326 0 0 0 FTP - - -
--END OF NOTIFICATION

... and so on
Please let me know if you need anything else to determine if the
ignore feature is broken.
Thank you.
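The alerts above are what rule 11510 produces from the IIS FTP W3C log: repeated PASS commands answered with 530 (login failed; the accompanying sc-win32-status 1326 is ERROR_LOGON_FAILURE) from one client address within a short window. The following is an added illustration of that kind of frequency detection over sample log lines, written for this page; it is not OSSEC's code and does not reproduce rule 11510's actual frequency or timeframe values (the threshold of 8 failures in 240 seconds below is an assumption). The W3C field order is assumed from the standard IIS 6 layout because the post does not include the `#Fields` header; only the positional fields date, time, c-ip, cs-method and sc-status are used. The log lines, client addresses and server address are constructed, and the `allowlist` parameter is a generic source-IP suppression added here, not a model of OSSEC's own ignore semantics.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed W3C field order (IIS 6 FTP; the post has no #Fields header):
# 0 date, 1 time, 2 c-ip, 3 cs-username, 4 s-sitename, 5 s-computername,
# 6 s-ip, 7 s-port, 8 cs-method, 9 cs-uri-stem, 10 cs-uri-query,
# 11 sc-status, 12 sc-win32-status, 13 sc-bytes, 14 cs-bytes, 15 time-taken ...
FAILED_LOGIN_STATUS = "530"
THRESHOLD = 8                       # assumed, not rule 11510's real value
WINDOW = timedelta(seconds=240)     # assumed, not rule 11510's real value


def parse_line(line):
    """Return (timestamp, client_ip, method, status) or None for headers/junk."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 12:
        return None
    try:
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    # The IIS FTP log prefixes the command with a connection id, e.g. "[37]PASS".
    method = re.sub(r"^\[\d+\]", "", fields[8])
    return ts, fields[2], method, fields[11]


def failed_logins(lines):
    """Chronologically sorted (timestamp, ip) for every PASS that got a 530."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, status = rec
        if method == "PASS" and status == FAILED_LOGIN_STATUS:
            hits.append((ts, ip))
    # OSSEC prints newest first in a notification; process in time order.
    hits.sort(key=lambda h: h[0])
    return hits


def failed_logins_by_ip(lines):
    """Total failed PASS attempts per client address."""
    counts = defaultdict(int)
    for _, ip in failed_logins(lines):
        counts[ip] += 1
    return dict(counts)


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW, allowlist=()):
    """Sliding-window frequency check per source IP.

    Returns one (timestamp, ip) alert each time `threshold` failed logins from
    the same address fall inside `window`. The window is cleared after an
    alert, so a sustained attack re-alerts every `threshold` failures rather
    than on every line (the repeated notifications above show that pattern).
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, ip in failed_logins(lines):
        if ip in allowlist:          # generic suppression, assumption here
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, ip))
            q.clear()
    return alerts


# Constructed sample: one good login, one USER command, then ten failed PASS
# commands from a single constructed client (198.51.100.7) one second apart,
# listed newest first as an OSSEC notification would show them.
_BASE = datetime(2010, 2, 25, 23, 56, 51)
_SERVER_IP = "192.0.2.10"           # placeholder for the server address


def _failed_pass(i):
    t = (_BASE + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
    return (f"{t} 198.51.100.7 - MSFTPSVC1 WIN2 {_SERVER_IP} 21 [37]PASS - - "
            "530 1326 0 0 0 FTP - - -")


SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    f"2010-02-25 23:56:50 203.0.113.5 alice MSFTPSVC1 WIN2 {_SERVER_IP} 21 "
    "[12]PASS - - 230 0 0 0 0 FTP - - -",
    f"2010-02-25 23:56:50 198.51.100.7 - MSFTPSVC1 WIN2 {_SERVER_IP} 21 "
    "[37]USER - - 331 0 0 0 0 FTP - - -",
] + [_failed_pass(i) for i in reversed(range(10))]


if __name__ == "__main__":
    print(failed_logins_by_ip(SAMPLE_LOG))
    for ts, ip in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts} FTP brute force (multiple failed logins) from {ip}")
```

With the sample input the eighth failure at 23:56:58 crosses the threshold and produces a single alert; the two failures that follow are not enough to re-alert. Passing the client address in `allowlist` suppresses it entirely, which is the behaviour one would check first when an ignore appears not to take effect: confirm that the address the suppression names is the one actually present in the c-ip field.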