LogAnalysis
[logs] How to send an email using pipe method ? Sep 30 2007 09:55PM
Florent Gilain (florent gilain direct-energie com) (2 replies)
Re: [logs] How to send an email using pipe method ? Oct 01 2007 03:52AM
Kerry Thompson (kerry crypt gen nz)
Logsurfer's exec command literally runs /bin/echo with the rest of the
command line passed as arguments; it doesn't invoke a shell to interpret
the '|' pipe command. So in your case below the following string is
literally echoed to logsurfer's stdout:

Session de PID $5 depuis l IP $7 - Login utilise $8 le $2 a $3 - Details :
$9\" | /bin/mail -s \"\[$4\] Alerte de securite PROFTPD\" me (at) mycompany (dot) com [email concealed]

... and you'll probably see that string coming out in logsurfer's own log
file. For this sort of complex action you should call a script to format
the strings (and remove any bad characters that a clever attacker could
have injected) before invoking mail.

I think simplifying that regex pattern would help too.

Kerry

Florent Gilain said:
> Hello all,
>
> I have a little problem setting up my config file; here is the information I
> can give you about my setup. I try to monitor failed PROFTPD login
> attempts:
>
> /etc/logsurrfer/logsurfer.conf :
>
> '^([a-zA-Z]{3} [0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*)
> proftpd\[([0-9]+)\]: (.*) \(([0-9.]+)\[[0-9.]+\]\).*USER (.*) \(Login
> failed\): (.*)$' - - - 0
>
> exec "/bin/echo \"Session de PID $5 depuis l IP $7 - Login
> utilise $8 le $2 a $3 - Details : $9\" | /bin/mail -s \"\[$4\] Alerte de
> securite PROFTPD\" me (at) mycompany (dot) com [email concealed]"
>
> tail /var/log/secure :
>
> Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan
> (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect
> password.
>
> cat /etc/logsurfer/logsurfer.log
>
> warning: logsurfer started as root
>
> Session de PID 13081 depuis l IP 192.168.123.4 - Login utilise fgilain le
> Sep 30 a 23:43:58 - Details : Incorrect password.
>
> PS: I run Logsurfer like that:
>
> [root@supervision root]# ps -edf | grep logsurf
>
> root 25717 1 0 23:43 pts/0 00:00:00 /usr/local/bin/logsurfer -l 1855 -c /etc/logsurfer/logsurfer.conf -d /etc/logsurfer/logsurfer.dump -f -p /etc/logsurfer/logsurfer.pid /var/log/secure
>
> But I never receive the email... did I miss something?
>
> Thanks a lot
>
> Florent
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
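An added example, not from this thread or from the logsurfer project, of the kind of formatting script Kerry recommends: logsurfer execs the script with the matched fields as separate arguments, and the script strips everything outside a conservative character set before handing the text to mail, again as separate arguments, so no part of the log line is ever interpreted by a shell. The script name, the RECIPIENT and MAILER variables and the address are assumptions; the field numbers and the message text follow the quoted config ($2 date, $3 time, $4 host, $5 pid, $7 ip, $8 user, $9 reason).

```shell
#!/bin/sh
# proftpd-alert.sh (hypothetical name): a small formatting script for
# logsurfer to exec instead of a shell pipeline. Suggested rule, using
# the same field numbers as the quoted config:
#
#   exec "/usr/local/bin/proftpd-alert.sh $2 $3 $4 $5 $7 $8 $9"
#
# exec passes each field as its own argument and the script never builds
# a command line from them, so nothing in the log line reaches a shell.
# The sanitizer is defence in depth for the mail body and subject (no
# newlines, quotes or other odd characters from a crafted username).

LC_ALL=C
export LC_ALL

RECIPIENT="${RECIPIENT:-me@example.com}"   # assumed address
MAILER="${MAILER:-/bin/mail}"              # assumed mail command

# Keep only a conservative character set and cap the length, so a crafted
# username or error text cannot inject mail headers or bloat the message.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 ._:@/-' | cut -c1-200
}

# Arguments: date time host pid ip user reason (already sanitized).
# Same wording as the echo string in the quoted config.
format_body() {
    printf 'Session de PID %s depuis l IP %s - Login utilise %s le %s a %s - Details : %s' \
        "$4" "$5" "$6" "$1" "$2" "$7"
}

format_subject() {
    printf '[%s] Alerte de securite PROFTPD' "$1"
}

# Sanitize every field, then call the mailer with subject and recipient
# as separate arguments; the body goes in on stdin.
send_alert() {
    [ "$#" -eq 7 ] || { echo "usage: $0 date time host pid ip user reason" >&2; return 2; }
    d=$(sanitize "$1"); t=$(sanitize "$2"); h=$(sanitize "$3"); p=$(sanitize "$4")
    i=$(sanitize "$5"); u=$(sanitize "$6"); r=$(sanitize "$7")
    body=$(format_body "$d" "$t" "$h" "$p" "$i" "$u" "$r")
    subject=$(format_subject "$h")
    printf '%s\n' "$body" | "$MAILER" -s "$subject" "$RECIPIENT"
}

# Only send when invoked with arguments (as logsurfer does); running the
# file bare just defines the functions.
if [ "$#" -gt 0 ]; then
    send_alert "$@"
fi
```

One thing I have not verified is whether logsurfer splits the exec line into arguments before or after substituting the $n fields; if it splits afterwards, fields that contain a space ("Sep 30", "Incorrect password.") arrive as several arguments and the positions shift. A quick way to check is a test rule whose exec runs a script that just logs "$#" and "$@"; if they do split, pass the whole matched line as one field and re-parse it inside the script instead.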

Re: [logs] How to send an email using pipe method ? Oct 01 2007 02:00AM
Daniel Cid (dcid ossec net)
Copyright 2010, SecurityFocus