hi,

Thanks for the quick answer. This is the content of my compiled_rules.h:

/* This file is auto generated by ./register_rule.sh. Do not touch it. */

/* Adding the function definitions. */
void *check_id_size(Eventinfo *lf);
void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf);
void *comp_srcuser_dstuser(Eventinfo *lf);
void *if_bad_useragent(Eventinfo *lf);
void *is_simple_http_request(Eventinfo *lf);
void *is_valid_crawler(Eventinfo *lf);
void *myosrule_check_url_size1024(Eventinfo *lf);

/* Adding the rules list. */
void *(compiled_rules_list[]) = {
    check_id_size,
    comp_mswin_targetuser_calleruser_diff,
    comp_srcuser_dstuser,
    if_bad_useragent,
    is_simple_http_request,
    is_valid_crawler,
    myosrule_check_url_size1024,
    NULL
};

/* Adding the rules list names. */
char *(compiled_rules_name[]) = {
    "check_id_size",
    "comp_mswin_targetuser_calleruser_diff",
    "comp_srcuser_dstuser",
    "if_bad_useragent",
    "is_simple_http_request",
    "is_valid_crawler",
    "myosrule_check_url_size1024",
    NULL
};

/* EOF */

Yes, I did the make but I forgot to copy the ossec-analysisd. I have now copied it, but it doesn't work either. Additionally, I tried to set up the sample compiled rule "myosrule_check_url_size1024" with the same result. It appears in compiled_rules.h, and when I run ./register_rule.sh save it saves my files to /var/ossec/compiled_rules. Even with ossec-analysisd copied to /var/ossec/bin I always get the "Compiled rule not found" error.

*Thanks for the hint ;) I'll change that!!

Stephane

On Monday, 2 April 2012 15:21:29 UTC+2, Daniel Cid wrote:
>
> Can you take a look at the file
> src/analysisd/compiled_rules/compiled_rules.h to see if your new function
> is there?
>
> Also, did you re-run make and copy the new analysisd binary to
> /var/ossec/bin?
>
> *Btw, your current function is actually slower than using the <match>
> from OSSEC. It is doing an open+read+regex_compile on every single HTTP
> event and that can slow things down. It is better to pre-compile and keep
> in memory than having to do it every time. Besides that, it is a very
> good start :)
>
> Thanks,
>
> --
> Daniel B. Cid
> http://dcid.me
>
> On Mon, Apr 2, 2012 at 7:36 AM, Stephane <ewerlin...@gmail.com> wrote:
> > Hi all,
> >
> > I need a rule for Apache to check if a "bad useragent" like Nikto, Zeus,
> > WebReaper etc. is crawling a webserver. Additionally I need a file where
> > all my forbidden useragents are listed. My first thought was to use the
> > <list> tag in a rule like this:
> >
> > <rule id="109005" level="14">
> >   <if_sid>31100</if_sid>
> >   <list field="url" lookup="match_key">rules/bad_useragents</list>
> >   <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> > </rule>
> >
> > But my problem with this solution is that the useragent information in
> > the logs is really hard to extract using a regex in a decoder.
> > A sample log looks like this one:
> >
> > Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - [30/Mar/2012:13:32:00 +0200] "GET /Elv8O72e.cwr HTTP/1.1" 404 272 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
> >
> > and the useragent in this case is: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)
> > but with other agents it might look different. So I can't use the
> > list-tag because I can't extract the useragent itself.
> > That's why I thought to use a compiled rule:
> >
> > #include "shared.h"
> > #include "eventinfo.h"
> > #include "config.h"
> > #include "regex.h"
> >
> > void *if_bad_useragent(Eventinfo *lf)
> > {
> >     /* The file is opened and the regex compiled on every event. */
> >     FILE *useragents;
> >     useragents = fopen("/var/ossec/rules/bad_useragents","r");
> >     char line[256];
> >
> >     if(useragents != NULL){
> >         while (fgets(line,256,useragents)){
> >             regex_t regex;
> >             int reti;
> >             /*DEFINE REGEX*/
> >             /* OF COURSE THIS IS NOT THE CORRECT REGEX, BUT I USED .* TO
> >                TEST THE RULE TO BE SURE IT WILL WORK */
> >             reti = regcomp(&regex,".*",0);
> >             if( reti ) { fprintf(stderr,"OSSEC-HIDS: ~/ossec/ossec-hids-2.6/src/analysisd/compiled_rules/if_bad_useragent.c: Could not compile regex\n"); exit(1);}
> >             /*EXECUTE REGEX*/
> >             reti = regexec(&regex,"abc",0,NULL,0);
> >             if(!reti){
> >                 regfree(&regex);    /* release the compiled regex before returning */
> >                 fclose(useragents);
> >                 return(lf);
> >             }
> >             regfree(&regex);
> >         }
> >         fclose(useragents);         /* no match: the file still has to be closed */
> >     }
> >     return(NULL);
> > }
> >
> > I created the file if_bad_useragent.c in src/analysisd/compiled_rules
> > with the content above. After that I executed the 3 following commands:
> > ./register_rule.sh build
> > *Build completed.
> > ./register_rule.sh save
> > *Save completed at /var/ossec/compiled_rules/
> > ./register_rule.sh list
> > *Available functions:
> > check_id_size
> > comp_mswin_targetuser_calleruser_diff
> > comp_srcuser_dstuser
> > if_bad_useragent
> > is_simple_http_request
> > is_valid_crawler
> >
> > But when I want to test my rule using ossec-logtest I always get the
> > following error:
> > 2012/04/02 10:36:44 ossec-analysisd: ERROR: Compiled rule not found: 'if_bad_useragent'
> > 2012/04/02 10:36:44 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': if_bad_useragent.
> > 2012/04/02 10:36:44 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> >
> > My installed OSSEC version is:
> > bin/ossec-analysisd -V
> >
> > OSSEC HIDS v2.6 - Trend Micro Inc.
> >
> > This program is free software; you can redistribute it and/or modify
> > it under the terms of the GNU General Public License (version 2) as
> > published by the Free Software Foundation. For more details, go to
> > http://www.ossec.net/main/license/
> >
> > Does anyone have an idea what I must change?
> >
> > THX in advance
> >
> > P.S. at the moment I'm using the following rule, which I think is quite
> > slow etc:
> > <rule id="109005" level="14">
> >   <if_sid>31100</if_sid>
> >   <match>BlackWidow|ChinaClaw|Custo|DISCo|Download Demon|EirGrabber|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|HTTrack|Image Stripper|Image Sucker|Indy Library|Indy Library|InterGET|Internet Ninja|JOC Web Spider|JetCar|LeechFTP|MIDown tool|Mass Downloader|Mister PiX|Navroad|NearSite|NetAnts|NetSpider|NetZIP|Net Vampire|Octopus|Offline Explorer|Offline Navigator|PageGrabber|Papa Foto|ReGet|RealDownload|SiteSnagger|SmartDownload|SuperBot|SuperHTTP|Surfbot|Teleport Pro|TurnitinBot|VoidEYE|WWWOFFLE|WebAuto|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Web Image Collector|Web Sucker|Website Quester|Website eXtractor|Widow|Xaldon WebSpider|Zeus|archiverloader|casper|clshttp|cmsworldmap|curl|diavol|dotbot|eCatch|email|extract|flicky|grab|harvest|jakarta|java|kmccrew|larbin|libwww|miner|nikto|pavuk|pcBrowser|planetwork|pycurl|python|scan|skygrid|tAkeOut|wget|winhttp</match>
> >   <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> > </rule>
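Daniel's point about pre-compiling, and Stephane's difficulty extracting the user agent, as an added example that is not code from the thread and not OSSEC's own code. It keeps the compiled-rule contract (return lf to fire, NULL otherwise) but reads the pattern file once, compiles every line once with regcomp and reuses the regex_t array on every later event; it also pulls the user agent out of the raw line as the last double-quoted field, which is an assumption that holds for the Apache combined format shown in the sample log. Everything else is assumed for illustration: the Eventinfo stub with a single log member (the real struct lives in eventinfo.h), the names if_bad_useragent_precompiled, load_patterns, load_patterns_from_file, extract_useragent, unload_patterns, ua_buf and builtin_patterns, and the constructed benign Firefox line. Patterns are matched case-insensitively, which the thread's <match> list (nikto vs. Nikto) suggests is wanted.

```c
/* Added example: not OSSEC's code and not from the thread.  Same check as
 * if_bad_useragent above, but the pattern file is read and every regex is
 * compiled once and kept in memory.  Assumed: Eventinfo is a stub with one
 * "log" member (the real struct is in eventinfo.h); PATTERN_FILE is the path from the post. */
#include <regex.h>
#include <stdio.h>
#include <string.h>
typedef struct { const char *log; } Eventinfo;   /* stub of OSSEC's Eventinfo */
#define PATTERN_FILE "/var/ossec/rules/bad_useragents"
#define MAX_PATTERNS 256
static regex_t compiled[MAX_PATTERNS];   /* compiled once, reused for every event */
static int n_compiled = 0, loaded = 0;
char ua_buf[512];                        /* scratch buffer for quick checks by a caller */

/* Constructed pattern list standing in for the contents of PATTERN_FILE. */
const char *const builtin_patterns[] = { "Nikto", "HTTrack", "WebReaper", "Zeus", NULL };
/* Constructed sample lines: the one from the original post, and a benign one. */
const char *const sample_bad_log =
    "Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - "
    "[30/Mar/2012:13:32:00 +0200] \"GET /Elv8O72e.cwr HTTP/1.1\" 404 272 \"-\" "
    "\"Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)\"";
const char *const sample_benign_log =
    "Mar 30 13:40:00 ossec-server apache[26757]: 192.168.0.28 - - "
    "[30/Mar/2012:13:40:00 +0200] \"GET /index.html HTTP/1.1\" 200 512 \"-\" "
    "\"Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0\"";

void unload_patterns(void)
{
    for (int i = 0; i < n_compiled; i++) regfree(&compiled[i]);
    n_compiled = loaded = 0;
}

static int add_pattern(const char *pat)  /* compile into the next free slot; -1 on error */
{
    if (n_compiled >= MAX_PATTERNS ||
        regcomp(&compiled[n_compiled], pat, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0)
        return -1;
    return ++n_compiled;
}

/* Load from a NULL-terminated array; returns the number compiled or -1. */
int load_patterns(const char *const *patterns)
{
    unload_patterns();
    for (int i = 0; patterns[i] != NULL; i++)
        if (add_pattern(patterns[i]) < 0) { unload_patterns(); return -1; }
    loaded = 1;
    return n_compiled;
}

/* Load from a file, one regex per line; blank lines and '#' comments are skipped. */
int load_patterns_from_file(const char *path)
{
    char line[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    unload_patterns();
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '\0' || line[0] == '#') continue;
        if (add_pattern(line) < 0) { unload_patterns(); fclose(fp); return -1; }
    }
    fclose(fp);
    loaded = 1;
    return n_compiled;
}

/* Copy the last double-quoted field of an Apache combined-format line (the
 * user agent) into out.  Returns its length, or 0 if there is no such field. */
int extract_useragent(const char *log, char *out, size_t outlen)
{
    const char *end = strrchr(log, '"');
    if (end == NULL || end == log) return 0;
    const char *start = end - 1;
    while (start > log && *start != '"') start--;   /* back to the opening quote */
    if (*start != '"') return 0;
    size_t len = (size_t)(end - start - 1);
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Same contract as an OSSEC compiled rule: return lf to fire, NULL otherwise.
 * The pattern file is read and compiled only on the first call. */
void *if_bad_useragent_precompiled(Eventinfo *lf)
{
    char ua[512];
    if (!loaded && load_patterns_from_file(PATTERN_FILE) < 0) return NULL;
    if (lf == NULL || lf->log == NULL) return NULL;
    if (extract_useragent(lf->log, ua, sizeof ua) == 0) return NULL;
    for (int i = 0; i < n_compiled; i++)
        if (regexec(&compiled[i], ua, 0, NULL, 0) == 0) return lf;
    return NULL;
}
```

If the pattern file cannot be opened or a line fails to compile, the rule returns NULL for every event rather than exiting the daemon; in a real compiled rule that failure should be logged through OSSEC's own logging so it is not silent.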