LogAnalysis
[logs] How to send an email using pipe method ? Sep 30 2007 09:55PM
Florent Gilain (florent gilain direct-energie com) (2 replies)
Re: [logs] How to send an email using pipe method ? Oct 01 2007 03:52AM
Kerry Thompson (kerry crypt gen nz)
Re: [logs] How to send an email using pipe method ? Oct 01 2007 02:00AM
Daniel Cid (dcid ossec net)
Hi Florent,

The first thing I want to say is be careful with what you are doing. Logs are
untrusted by default and executing commands based on user commands is a bad
idea (unless you are properly filtering the input). Take a look at a paper I
wrote about log injection for some examples:

http://www.ossec.net/en/attacking-loganalysis.html

Regarding e-mailing alerts based on logs, I can't help with Logsurfer, but I
would recommend that you try out OSSEC*. It is free (and open source) and comes
with a simple configuration that allows you to e-mail (and execute active
responses) based on any kind of logs that you want. You can also generate
alerts based on correlations (multiple failed passwords from the same source IP
or for the same user). In addition to that, it supports FTS (First time seen --
same as NBS), where it gives you the option to alert only on the first time a
user is seen logging in to a system or similar patterns. If you are interested,
the link is: http://www.ossec.net

*I am the developer of it, so my opinion is just a little bit biased :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/30/07, Florent Gilain <florent.gilain (at) direct-energie (dot) com [email concealed]> wrote:
>
> Hello all,
>
> I have a little problem setting up my config file; here is the information I
> can give you about my setup. I try to monitor failed PROFTPD login attempts:
>
> /etc/logsurfer/logsurfer.conf :
>
> '^([a-zA-Z]{3} [0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*)
> proftpd\[([0-9]+)\]: (.*) \(([0-9.]+)\[[0-9.]+\]\).*USER (.*) \(Login
> failed\): (.*)$' - - - 0
>
> exec "/bin/echo \"Session de PID $5 depuis l IP $7 - Login
> utilise $8 le $2 a $3 - Details : $9\" | /bin/mail -s \"\[$4\] Alerte de
> securite PROFTPD\" me (at) mycompany (dot) com [email concealed]"
>
> tail /var/log/secure :
>
> Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan
> (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect
> password.
>
> cat /etc/logsurfer/logsurfer.log
>
> warning: logsurfer started as root
>
> Session de PID 13081 depuis l IP 192.168.123.4 - Login utilise fgilain le
> Sep 30 a 23:43:58 - Details : Incorrect password.
>
> PS : I run Logsurfer like that:
>
> [root@supervision root]# ps -edf | grep logsurf
>
> root 25717 1 0 23:43 pts/0 00:00:00 /usr/local/bin/logsurfer -l
> 1855 -c /etc/logsurfer/logsurfer.conf -d /etc/logsurfer/logsurfer.dump -f -p
> /etc/logsurfer/logsurfer.pid /var/log/secure
>
> But I never receive the email. Did I miss something?
>
> Thanks a lot
>
> Florent
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>

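The two points in Daniel's reply, the log-injection warning and the OSSEC-style correlation and first-time-seen alerts, as one added Python example that is not code from this thread, from logsurfer or from OSSEC. It reads the proftpd line Florent quotes, rejects any captured field that falls outside an allowlist, hands the alert to /bin/mail as an argument list with the message text on stdin (no shell ever sees log content, unlike the quoted exec line, which builds one shell-style command string out of log fields), and then counts failures per source IP and first sightings of a (user, host) pair. The recipient address, the year, the threshold and the window are assumed values, and the sample log lines are constructed.

```python
"""Added example (not code from this thread, logsurfer or OSSEC): parse the
proftpd "Login failed" line quoted below, allowlist every field, mail the alert
without a shell, and apply Daniel's per-IP threshold and first-time-seen checks."""
import re
import subprocess
from collections import defaultdict
from datetime import datetime

# Same structure as the logsurfer regex in the thread, with named groups. The
# day is "[ 0-9][0-9]" because syslog pads single-digit days with a space.
PROFTPD_FAIL = re.compile(
    r'^(?P<date>[A-Za-z]{3} [ 0-9][0-9]) (?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}) '
    r'(?P<host>\S+) proftpd\[(?P<pid>[0-9]+)\]: (?P<client>\S+) '
    r'\((?P<ip>[0-9.]+)\[[0-9.]+\]\).*USER (?P<user>.*) \(Login failed\): '
    r'(?P<detail>.*)$')

# Per-field allowlists. The USER value is whatever the remote client typed, so
# each field is checked even with no shell involved; a rejected one is an alert.
FIELD_RULES = {
    "pid": re.compile(r'^[0-9]{1,10}$'),
    "ip": re.compile(r'^([0-9]{1,3}\.){3}[0-9]{1,3}$'),
    "user": re.compile(r'^[A-Za-z0-9._@-]{1,64}$'),
    "detail": re.compile(r'^[A-Za-z0-9 .,:()_-]{1,200}$'),
}

class UntrustedField(ValueError):
    """A captured field contains characters outside its allowlist."""

def parse_failed_login(line):
    """Validated fields; None if not a login failure; UntrustedField on a bad field."""
    m = PROFTPD_FAIL.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    for name, rule in FIELD_RULES.items():
        if not rule.match(fields[name]):
            raise UntrustedField("%s=%r" % (name, fields[name]))
    return fields

def build_mail_command(fields, recipient="security@example.invalid"):
    """(argv, body) for /bin/mail: argv is a list and the text goes to stdin, so
    no part of the log line meets a shell. The recipient is a placeholder."""
    subject = "[%s] PROFTPD security alert" % fields["pid"]
    body = ("Session PID %(pid)s from IP %(ip)s - user %(user)s on %(date)s "
            "at %(time)s - details: %(detail)s\n" % fields)
    return ["/bin/mail", "-s", subject, recipient], body

class FailureCorrelator:
    """Per-source-IP failures in a sliding window plus first-time-seen (user, host)
    pairs: a toy version of the OSSEC ideas Daniel names, with assumed defaults."""
    def __init__(self, threshold=3, window_seconds=300, year=2007):
        self.threshold, self.window, self.year = threshold, window_seconds, year
        self.by_ip = defaultdict(list)
        self.seen = set()

    def _stamp(self, fields):
        # syslog lines carry no year, so the caller supplies one.
        day = " ".join(fields["date"].split())
        return datetime.strptime("%d %s %s" % (self.year, day, fields["time"]), "%Y %b %d %H:%M:%S")

    def feed(self, fields):
        alerts = []
        key = (fields["user"], fields["host"])
        if key not in self.seen:
            self.seen.add(key)
            alerts.append("fts: first failed login for %s on %s" % key)
        now = self._stamp(fields)
        hits = self.by_ip[fields["ip"]]
        hits.append(now)
        hits[:] = [t for t in hits if (now - t).total_seconds() <= self.window]
        if len(hits) >= self.threshold:
            alerts.append("threshold: %d failures from %s in %ds"
                          % (len(hits), fields["ip"], self.window))
        return alerts

# Constructed sample lines modelled on the quoted one; the last fails the allowlist.
SAMPLE_LINES = [
    "Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect password.",
    "Sep 30 23:44:10 mx1 proftpd[13082]: mx1.de.lan (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect password.",
    "Sep 30 23:44:31 mx1 proftpd[13083]: mx1.de.lan (192.168.123.4[192.168.123.4]) - USER admin (Login failed): Incorrect password.",
    'Sep 30 23:45:40 mx1 proftpd[13084]: mx1.de.lan (192.168.123.4[192.168.123.4]) - USER fgi"lain (Login failed): Incorrect password.',
]

def run_samples(lines=SAMPLE_LINES, send=False):
    """Return (alerts, rejected_fields, mail_commands); send=True also mails."""
    corr, alerts, rejected, commands = FailureCorrelator(), [], [], []
    for line in lines:
        try:
            fields = parse_failed_login(line)
        except UntrustedField as exc:
            rejected.append(str(exc))
            continue
        if fields is None:
            continue
        argv, body = build_mail_command(fields)
        commands.append((argv, body))
        if send:
            subprocess.run(argv, input=body.encode(), check=True)
        alerts.extend(corr.feed(fields))
    return alerts, rejected, commands

if __name__ == "__main__": print(run_samples())
```

On the constructed lines run_samples() returns two first-time-seen alerts, one threshold alert after the third failure from 192.168.123.4, and the fourth line's username as a rejected field instead of a mail; with send=True each argv is executed through subprocess.run with the body on stdin, so /bin/mail is exec'd directly and nothing from the log line is subject to shell quoting or expansion.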

Privacy Statement
Copyright 2010, SecurityFocus