[imp] Log analysis of horde imp logs.

Daniel Cid danielcid at yahoo.com.br
Wed Jul 5 15:44:01 PDT 2006


Hi list,

I just want to let everyone know that ossec
(an open source project for log analysis) now
supports Horde IMP logs.

It can basically alert on failed logins, multiple
failed logins, internal errors, etc. It can also
correlate this data with imap logs, pop3d logs,
sshd logs, etc.

I would really appreciate any feedback from anyone
that may try to use it.

Example of alerts (sent to my e-mail based on horde
logs -- IPs/usernames changed for privacy):


OSSEC HIDS Notification.
2006 Jul 05 16:41:29

Received From: HORDE->/var/log/horde.log
Rule: 3851 fired (level 10) -> "Horde brute force
(multiple failed logins).'"
Portion of the log(s):

[error] [imp] FAILED LOGIN a.b.c.d to
x.y.z.z:143[imap/notls] as john2 [on line 258 of
"/home/underlinux/horde/imp/lib/Auth/imp.php"]
[error] [imp] FAILED LOGIN a.b.c.d to
x.y.z.z[imap/notls] as dude [on line 258 of
"/home/underlinux/horde/imp/lib/Auth/imp.php"]
[error] [imp] FAILED LOGIN a.b.c.d to
x.y.z.z:143[imap/notls] as haxore [on line 258 of
"/home/underlinux/horde/imp/lib/Auth/imp.php"]


Or you can get alerts based on single failed logins:

** Alert 1151984288.685281:
2006 Jul 04 00:38:08 (zzz) aaa->/tmp/horde2.log
Rule: 3806 (level 5) -> 'Horde IMP Failed login.'
Src IP: a.b.c.d
User: hilli
[error] [imp] FAILED LOGIN a.b.c.d to
x.y.z.z:443[imap] as hilli [on line 287 of
"/home/webmail/horde/imp/lib/IMP.php"]


To download:
http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz

More information:
http://www.ossec.net

Any questions, please send off-list.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
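As an added example, not code from the post or from the OSSEC project: a small Python detector for the Horde IMP failed-login format quoted above. It parses each line, emits a per-line alert mirroring rule 3806, and raises a per-source brute-force alert mirroring rule 3851 once a threshold of failures falls inside a time window. The threshold, the window, the sample timestamps and the non-matching sample line are assumptions; the post does not show OSSEC's own decoder or rule internals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Matches the failed-login lines quoted in the post (port and protocol tag vary).
FAILED_LOGIN = re.compile(
    r"\[error\] \[imp\] FAILED LOGIN (?P<src>\S+) to "
    r"(?P<dst>[^\s\[]+)\[(?P<proto>[^\]]+)\] as (?P<user>\S+)"
)

def parse_failed_login(line):
    """Return src/dst/proto/user for a failed-login line, else None."""
    m = FAILED_LOGIN.search(line)
    return m.groupdict() if m else None

class HordeBruteForceDetector:
    """Per-source sliding window over failed logins. Threshold and window are
    assumptions: the post does not say what OSSEC rule 3851 actually uses."""
    def __init__(self, threshold=3, window=timedelta(minutes=2)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src ip -> recent failure timestamps

    def feed(self, ts, line):
        """Process one timestamped line; return the alerts it produces."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return []
        alerts = [dict(rule=3806, level=5, desc="Horde IMP Failed login.", **parsed)]
        q = self.failures[parsed["src"]]
        q.append(ts)
        while ts - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alerts.append(dict(rule=3851, level=10, src=parsed["src"], count=len(q),
                               desc="Horde brute force (multiple failed logins)."))
            q.clear()  # one alert per burst rather than one per extra failure
        return alerts

# Constructed sample: timestamps invented (the excerpt shows none); other values from the post.
SAMPLE = [
    ("2006-07-05 16:41:10", '[error] [imp] FAILED LOGIN a.b.c.d to x.y.z.z:143[imap/notls] as john2 [on line 258 of "/home/underlinux/horde/imp/lib/Auth/imp.php"]'),
    ("2006-07-05 16:41:18", '[error] [imp] FAILED LOGIN a.b.c.d to x.y.z.z[imap/notls] as dude [on line 258 of "/home/underlinux/horde/imp/lib/Auth/imp.php"]'),
    ("2006-07-05 16:41:20", "[notice] [imp] constructed non-failure line that must be ignored"),
    ("2006-07-05 16:41:29", '[error] [imp] FAILED LOGIN a.b.c.d to x.y.z.z:143[imap/notls] as haxore [on line 258 of "/home/underlinux/horde/imp/lib/Auth/imp.php"]'),
    ("2006-07-05 16:50:00", '[error] [imp] FAILED LOGIN e.f.g.h to x.y.z.z:443[imap] as hilli [on line 287 of "/home/webmail/horde/imp/lib/IMP.php"]'),
]

def run(sample=SAMPLE, **kw):
    """Replay the sample through the detector; return all alerts in order."""
    det = HordeBruteForceDetector(**kw)
    return [a for ts, line in sample for a in det.feed(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), line)]
```

Correlating with imap, pop3d or sshd logs as the post describes would mean feeding those decoders into the same per-source window.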

