[logs] How to send an email using pipe method ?
Daniel Cid
dcid at ossec.net
Sun Sep 30 19:00:22 PDT 2007
Hi Florent,

The first thing I want to say is be careful with what you are doing. Logs are untrusted by default and executing commands based on user commands is a bad idea (unless you are properly filtering the input). Take a look at a paper I wrote about log injection for some examples:
http://www.ossec.net/en/attacking-loganalysis.html

Regarding e-mailing alerts based on logs, I can't help with Logsurfer, but I would recommend you to try out OSSEC*. It is free (and open source) and comes with a simple configuration to allow you to e-mail (and execute active responses) based on any kind of logs that you want. You can also generate alerts based on correlations (multiple failed passwords from the same source IP or for the same user). In addition to that, it supports FTS (First time seen -- same as NBS), where it gives you the option to alert only on the first time a user is seen logging in to a system or similar patterns. If you are interested, the link is: http://www.ossec.net

*I am the developer of it, so my opinion is just a little bit biased :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/30/07, Florent Gilain <florent.gilain at direct-energie.com> wrote:
>
> Hello all,
>
> I have a little problem setting up my config file; here is the information I can give you about my setup. I try to monitor failed PROFTPD login attempts:
>
> /etc/logsurfer/logsurfer.conf :
>
> '^([a-zA-Z]{3} [0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*)
> proftpd\[([0-9]+)\]: (.*) \(([0-9.]+)\[[0-9.]+\]\).*USER (.*) \(Login
> failed\): (.*)$' - - - 0
> exec "/bin/echo \"Session de PID $5 depuis l IP $7 - Login
> utilise $8 le $2 a $3 - Details : $9\" | /bin/mail -s \"\[$4\] Alerte de
> securite PROFTPD\" me at mycompany.com"
>
> tail /var/log/secure :
>
> Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan
> (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect
> password.
>
> cat /etc/logsurfer/logsurfer.log
>
> warning: logsurfer started as root
> Session de PID 13081 depuis l IP 192.168.123.4 - Login utilise fgilain le
> Sep 30 a 23:43:58 - Details : Incorrect password.
>
> PS : I run Logsurfer like that :
>
> [root at supervision root]# ps -edf | grep logsurf
> root 25717 1 0 23:43 pts/0 00:00:00 /usr/local/bin/logsurfer -l
> 1855 -c /etc/logsurfer/logsurfer.conf -d /etc/logsurfer/logsurfer.dump -f -p
> /etc/logsurfer/logsurfer.pid /var/log/secure
>
> But I never receive the email... did I miss something?
>
> Thanks a lot
>
> Florent
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
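A hardened form of the exec step quoted above, added here as an example and not code from the thread, from Logsurfer or from OSSEC: the same pattern (as Python named groups) parses the line, and the extracted fields reach /bin/mail as separate argv elements and via stdin instead of being interpolated into a shell command string, which is the log injection risk Daniel points to. The recipient address and the sample lines are constructed placeholders.

```python
import re
import subprocess

# Same pattern as the logsurfer rule, with named groups instead of $n references.
PROFTPD_FAIL = re.compile(
    r'^(?P<date>[a-zA-Z]{3} [0-9]{2}) (?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}) (?P<host>.*) '
    r'proftpd\[(?P<pid>[0-9]+)\]: (?P<server>.*) \((?P<ip>[0-9.]+)\[[0-9.]+\]\)'
    r'.*USER (?P<user>.*) \(Login failed\): (?P<detail>.*)$'
)


def parse_failed_login(line):
    """Return the fields of a failed PROFTPD login line, or None if it does not match."""
    m = PROFTPD_FAIL.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def build_mail_command(fields, recipient):
    """Build (argv, body) for /bin/mail.

    Log-derived fields only ever land in the message body or in a single argv
    element; no shell ever sees them, so quotes, ';' or '$' in a username are
    plain characters rather than command syntax.
    """
    body = ("Session de PID {pid} depuis l IP {ip} - Login utilise {user} "
            "le {date} a {time} - Details : {detail}\n").format(**fields)
    subject = "[{host}] Alerte de securite PROFTPD".format(**fields)
    argv = ["/bin/mail", "-s", subject, recipient]
    return argv, body


def send_alert(line, recipient):
    """Mail an alert for one log line; returns False when the line is not a failed login."""
    fields = parse_failed_login(line)
    if fields is None:
        return False
    argv, body = build_mail_command(fields, recipient)
    # shell=False (the default): argv is passed to execve as-is and the body goes
    # to mail's stdin, so nothing from the log is parsed as shell syntax.
    subprocess.run(argv, input=body, text=True, check=True)
    return True
```

The equivalent pipeline in a shell string (`echo "... $8 ..." | mail ...`) is exactly what a hostile username can break out of; keeping the fields out of any shell string removes that path entirely.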