Skip to content

Add cpanel decoders and rules. #1036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
alex-front wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add cpanel decoders and rules. #1036

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
bf0c989
Add cpanel decoders and rules.
Jan 27, 2017
8d6a66b
Fix broken cpanel-access-failed decoder failing tests
Jan 30, 2017
e5f636e
Merge branch 'master' into cpanel
alex-front Jan 30, 2017
fc5939d
Add support for cpanel rules to other setup types: agent, local, hybrid.
Jan 30, 2017
205b643
Merge branch 'cpanel' of github.com:alex-front/ossec-hids into cpanel
Jan 30, 2017
fbf75a8
Fix cpanel rules and decoders.
Feb 3, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 62 additions & 1 deletion etc/decoder.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2907,7 +2907,6 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
<order>srcip,url</order>
</decoder>


<!-- Exim
- Examples:
- 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
Expand Down Expand Up @@ -2943,6 +2942,68 @@ Jul 26 13:57:56 mx1.example.org outbound/smtp: 127.0.0.1 1406297159-06f4a35b4df2
<prematch offset="after_parent">^SMTP call from </prematch>
<regex offset="after_prematch">[(\S+)]:\d+ dropped: too many syntax or protocol errors</regex>
<order>srcip</order>

Copy link
Member

@ddpbsd ddpbsd Feb 2, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You lost the </decoder> from the exim decoder here.

Copy link
Author

@alex-front alex-front Feb 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, fixed.


<!-- cPanel decoder.
- Examples:
- [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
- [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
-->
<decoder name="cpanel-login">
<prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ -</prematch>
<regex>info [cpsrvd] (\S+) - (\S+)</regex>
<order>srcip,user</order>
</decoder>

<!-- cPanel decoder.
Because of default postgresql decoder overwrites cpanel-login-log rule in case time offset with minus (-0500). This rule is necessary to cover all cases of logs
- Examples:
- [2016-11-21 04:14:58 -0500] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
- [2017-01-25 03:16:27 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
- [2017-01-25 05:37:47 -0500] info [cpsrvd] 10.1.5.19 - root "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: root login is not permitted to cpaneld
- [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
- [2017-01-25 06:08:58 -0500] info [cpsrvd] 10.1.5.19 - test@domain.com "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
- [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
- [2016-04-18 13:07:13 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN cpaneld
- [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
- [2016-04-18 13:08:24 -0400] info [cpsrvd] 10.1.5.19 - reseller - SUCCESS LOGIN webmaild
- [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
-->

<decoder name="cpanel-login2">
<parent>postgresql_log</parent>
<prematch offset="after_parent">^info [cpsrvd] \S+ -</prematch>
<regex>info [cpsrvd] (\S+) - (\S+)</regex>
<order>srcip,user</order>
</decoder>

<!-- cPanel decoder.
- Examples:
- 10.1.5.19 - paul [11/18/2016:09:35:43 -0000] "GET" FAILED LOGIN cpdavd: Could not fetch system home directory for paul
-->

<decoder name="cpanel-access-failed">
Copy link
Member

@ddpbsd ddpbsd Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this decoder is causing the failures, but I'm not sure why yet.

Copy link
Member

@ddpbsd ddpbsd Jan 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The log message associated with this didn't seem to match a decoder (at least on my setup), so using this decoder things seem to work so far:

<decoder name="cpanel-access-failed">
  <!--<parent>web-accesslog</parent>
  <prematch offset="after_parent">^FAILED LOGIN</prematch>-->
  <prematch>^\S+ \S+ \S+ [\d\d/\d\d/\d\d\d\d:\d\d:\d\d:\d\d \S*\d+] "\S+" FAILED LOGIN</prematch>-->
  <regex>^(\S+) \S+ (\S+)</regex>
  <order>srcip,user</order>
</decoder>

Copy link
Author

@alex-front alex-front Jan 30, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have tested your proposed decoder and I am confirming it is working as expected and CI tests are passing. I have added the fix to pull request. Please merge.

Copy link
Author

@alex-front alex-front Feb 2, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the postgresql_log log decoder should be fixed to avoid clashes with and duplication of the cpanel decoders and rules like I proposed.

Copy link
Member

@ddpbsd ddpbsd Feb 2, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's wrong with the postgresql_log decoder exactly?

Copy link
Author

@alex-front alex-front Feb 3, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem with postgresql_log decoder is that it will decode messages like:
'[2017-02-03 01:21:31 -0500]' and not like '[2017-02-03 01:21:31 +0500]' (note the '+' sign). So to handle both cases I had to duplicate all rules and decoders for cpanel. One way to avoid this is to fix the postgresql_log decoder to be more specific to avoid it clashing with cpanel decoders altogether but I don't have much knowledge of their log format so can't propose how to do it.

<prematch>^\S+ \S+ \S+ [\d\d/\d\d/\d\d\d\d:\d\d:\d\d:\d\d \S*\d+] "\S+" FAILED LOGIN</prematch>
<regex>^(\S+) \S+ (\S+)</regex>
<order>srcip,user</order>
</decoder>

<!-- cPanel decoder.
- Examples:
- [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
- [2017-01-25 06:15:38 +0000] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
-->
<decoder name="cpanel-session">
<prematch>^[\S+ \S+ \S+] info [cpsrvd] \S+ PURGE</prematch>
<regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
<order>srcip,user</order>
</decoder>

<decoder name="cpanel-session2">
<parent>postgresql_log</parent>
<prematch offset="after_parent">^info [cpsrvd] \S+ PURGE</prematch>
<regex>info [cpsrvd] (\S+) \S+ (\w+):</regex>
<order>srcip,user</order>
</decoder>

<!-- EOF -->
16 changes: 16 additions & 0 deletions etc/ossec-agent.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,4 +65,20 @@
<log_format>apache</log_format>
<location>/var/www/logs/error_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/login_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/access_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/session_log</location>
</localfile>

</ossec_config>
17 changes: 17 additions & 0 deletions etc/ossec-local.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>local_rules.xml</include>
<include>cpanel_rules.xml</include>
</rules>

<syscheck>
Expand Down Expand Up @@ -197,4 +198,20 @@
<log_format>apache</log_format>
<location>/var/www/logs/error_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/login_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/access_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/session_log</location>
</localfile>

</ossec_config>
16 changes: 16 additions & 0 deletions etc/ossec-server.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@
<include>opensmtpd_rules.xml</include>
<include>local_rules.xml</include>
<include>exim_rules.xml</include>
<include>cpanel_rules.xml</include>
</rules>


Expand Down Expand Up @@ -208,4 +209,19 @@
<location>/var/log/exim_mainlog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/login_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/access_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/session_log</location>
</localfile>

</ossec_config>
19 changes: 18 additions & 1 deletion etc/ossec.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,8 @@
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
</rules>
<include>cpanel_rules.xml</include>
</rules>

<syscheck>
<!-- Frequency that syscheck is executed -- default every 2 hours -->
Expand Down Expand Up @@ -160,4 +161,20 @@
<log_format>apache</log_format>
<location>/var/www/logs/error_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/login_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/access_log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/session_log</location>
</localfile>

</ossec_config>
78 changes: 78 additions & 0 deletions etc/rules/cpanel_rules.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
<!-- Authors: Alexandr Garaga, Paul Klymenko
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-->

<!-- cPanel messages -->
<group name="syslog,">

<!-- Two same rules but with different decoders because logs have different format -->
<rule id="11000" level="5">
<if_sid>2501</if_sid>
<decoded_as>cpanel-login</decoded_as>
<regex>FAILED LOGIN</regex>
<description>Possible attack on the cpanel services</description>
</rule>

<rule id="11001" level="5">
<if_sid>50500</if_sid>
<decoded_as>postgresql_log</decoded_as>
<regex>FAILED LOGIN</regex>
<description>Possible attack on the cpanel services</description>
</rule>

<rule id="11002" level="5">
<if_sid>2501</if_sid>
<decoded_as>cpanel-access-failed</decoded_as>
<regex>FAILED LOGIN</regex>
<description>Possible attack on the cpanel services</description>
</rule>

<!-- We raise level to send alert considering frequency (6 see doc why) and timeframe (6 minutes) -->
<rule id="11003" level="10" frequency="4" timeframe="360">
<if_matched_sid>11001</if_matched_sid>
<description>Possible breakin attempt</description>
</rule>

<rule id="11004" level="10" frequency="4" timeframe="360">
<if_matched_sid>11000</if_matched_sid>
<description>Possible breakin attempt</description>
</rule>

<rule id="11005" level="10" frequency="4" timeframe="360">
<if_matched_sid>11002</if_matched_sid>
<description>Possible breakin attempt</description>
</rule>

<rule id="11006" level="3">
<decoded_as>cpanel-login</decoded_as>
<match>SUCCESS LOGIN</match>
<description>Cpanel login success</description>
</rule>

<rule id="11007" level="3">
<if_sid>50500</if_sid>
<decoded_as>postgresql_log</decoded_as>
<match>SUCCESS LOGIN</match>
<description>Cpanel login success</description>
</rule>

<rule id="11008" level="3">
<decoded_as>cpanel-session</decoded_as>
<match>PURGE</match>
<description>Cpanel session purge</description>
</rule>

<rule id="11009" level="3">
<if_sid>50500</if_sid>
<decoded_as>postgresql_log</decoded_as>
<match>PURGE</match>
<description>Cpanel session purge</description>
</rule>

</group> <!-- SYSLOG -->