Hi,

Thanks for the quick answer. 
This is the content of my compiled_rules.h:
/* This file is auto generated by ./register_rule.sh. Do not touch it. */

/* Adding the function definitions. */
void *check_id_size(Eventinfo *lf);
void *comp_mswin_targetuser_calleruser_diff(Eventinfo *lf);
void *comp_srcuser_dstuser(Eventinfo *lf);
void *if_bad_useragent(Eventinfo *lf);
void *is_simple_http_request(Eventinfo *lf);
void *is_valid_crawler(Eventinfo *lf);
void *myosrule_check_url_size1024(Eventinfo *lf);

/* Adding the rules list. */
void *(compiled_rules_list[]) =
{
    check_id_size,
    comp_mswin_targetuser_calleruser_diff,
    comp_srcuser_dstuser,
    if_bad_useragent,
    is_simple_http_request,
    is_valid_crawler,
    myosrule_check_url_size1024,
    NULL
};

/* Adding the rules list names. */
char *(compiled_rules_name[]) =
{
    "check_id_size",
    "comp_mswin_targetuser_calleruser_diff",
    "comp_srcuser_dstuser",
    "if_bad_useragent",
    "is_simple_http_request",
    "is_valid_crawler",
    "myosrule_check_url_size1024",
    NULL
};

/* EOF */


Yes, I did the make, but I forgot to copy ossec-analysisd. I have now copied
it, but it doesn't work either.
Additionally, I tried to set up the sample compiled rule
"myosrule_check_url_size1024" with the same result. It appears in
compiled_rules.h, and when I run ./register_rule.sh save it saves my files
to /var/ossec/compiled_rules.
Even with ossec-analysisd copied to /var/ossec/bin I always get the
"Compiled rule not found" error.

*Thanks for the hint ;) I'll change that!!

Stephane

On Monday, 2 April 2012 15:21:29 UTC+2, Daniel Cid wrote:
>
> Can you take a look at the file
> src/analysisd/compiled_rules/compiled_rules.h to see if your new function
> is there?
>
> Also, did you re-run make and copy the new analysisd binary to
> /var/ossec/bin?
>
> *Btw, your current function is actually slower than using the <match>
> from OSSEC. It is doing an open+read+regex_compile on every single HTTP
> event and that can slow things down. It is better to pre-compile and keep
> in memory than having to do it every time. Besides that, it is a very
> good start :)
>
> Thanks,
>
> --
> Daniel B. Cid
> http://dcid.me
>
> On Mon, Apr 2, 2012 at 7:36 AM, Stephane <ewerlin...@gmail.com> wrote:
> > Hi all,
> >
> >
> > I need a rule for Apache to check if a "bad useragent" like Nikto, Zeus,
> > WebReaper etc. is crawling a webserver. Additionally I need a file where
> > all my forbidden useragents are listed. My first thought was to use the
> > <list> tag in a rule like this:
> >
> >  <rule id="109005" level="14">
> >     <if_sid>31100</if_sid>
> >    <list field="url" lookup="match_key">rules/bad_useragents</list>
> >     <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> >  </rule>
> >
> > But my problem with this solution is that the user-agent information in
> > the logs is really hard to extract using a regex in a decoder.
> > A sample log looks like this one:
> >
> > Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - -
> > [30/Mar/2012:13:32:00 +0200] "GET /Elv8O72e.cwr HTTP/1.1" 404 272 "-"
> > "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
> >
> > and the useragent in this case is: Mozilla/4.75 (Nikto/2.1.4)
> > (Evasions:None) (Test:map_codes)
> > but with other agents it might look different. So I can't use the
> > list-tag because I can't extract the useragent itself.
> > That's why I thought to use a compiled rule:
> >
> > #include "shared.h"
> > #include "eventinfo.h"
> > #include "config.h"
> > #include "regex.h"
> >
> > void *if_bad_useragent(Eventinfo *lf)
> > {
> >     FILE *useragents;
> >     char line[256];
> >
> >     useragents = fopen("/var/ossec/rules/bad_useragents", "r");
> >     if (useragents != NULL) {
> >         while (fgets(line, 256, useragents)) {
> >             regex_t regex;
> >             int reti;
> >
> >             /* DEFINE REGEX */
> >             /* OF COURSE THIS IS NOT THE CORRECT REGEX, BUT I USED .* TO TEST
> >                THE RULE TO BE SURE IT WILL WORK */
> >             reti = regcomp(&regex, ".*", 0);
> >             if (reti) {
> >                 fprintf(stderr, "OSSEC-HIDS: ~/ossec/ossec-hids-2.6/src/analysisd/compiled_rules/if_bad_useragent.c: Could not compile regex\n");
> >                 exit(1);
> >             }
> >             /* EXECUTE REGEX */
> >             reti = regexec(&regex, "abc", 0, NULL, 0);
> >             regfree(&regex);    /* free the compiled regex on every path, not only on a miss */
> >             if (!reti) {
> >                 fclose(useragents);
> >                 return (lf);
> >             }
> >         }
> >         fclose(useragents);     /* also close the list when no line matched */
> >     }
> >     return (NULL);
> > }
> >
> > I created the file if_bad_useragent.c in src/analysisd/compiled_rules
> > with the content above. After that I executed the 3 following commands:
> > ./register_rule.sh build
> > *Build completed.
> > ./register_rule.sh save
> > *Save completed at /var/ossec/compiled_rules/
> > ./register_rule.sh list
> > *Available functions:
> > check_id_size
> > comp_mswin_targetuser_calleruser_diff
> > comp_srcuser_dstuser
> > if_bad_useragent
> > is_simple_http_request
> > is_valid_crawler
> >
> > But when I want to test my rule using ossec-logtest I always get the
> > following error:
> > 2012/04/02 10:36:44 ossec-analysisd: ERROR: Compiled rule not found: 'if_bad_useragent'
> > 2012/04/02 10:36:44 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': if_bad_useragent.
> > 2012/04/02 10:36:44 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> >
> > My installed OSSEC-Version is:
> >  bin/ossec-analysisd -V
> >
> > OSSEC HIDS v2.6 - Trend Micro Inc.
> >
> > This program is free software; you can redistribute it and/or modify
> > it under the terms of the GNU General Public License (version 2) as
> > published by the Free Software Foundation. For more details, go to
> > http://www.ossec.net/main/license/
> >
> > Does anyone have an idea what I must change?
> >
> >
> > THX in advance
> >
> > P.S. at the moment I'm using the following rule, which I think is quite
> > slow etc.:
> >  <rule id="109005" level="14">
> >     <if_sid>31100</if_sid>
> >     <match>BlackWidow|ChinaClaw|Custo|DISCo|Download Demon|EirGrabber|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|HTTrack|Image Stripper|Image Sucker|Indy Library|Indy Library|InterGET|Internet Ninja|JOC Web Spider|JetCar|LeechFTP|MIDown tool|Mass Downloader|Mister PiX|Navroad|NearSite|NetAnts|NetSpider|NetZIP|Net Vampire|Octopus|Offline Explorer|Offline Navigator|PageGrabber|Papa Foto|ReGet|RealDownload|SiteSnagger|SmartDownload|SuperBot|SuperHTTP|Surfbot|Teleport Pro|TurnitinBot|VoidEYE|WWWOFFLE|WebAuto|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Web Image Collector|Web Sucker|Website Quester|Website eXtractor|Widow|Xaldon WebSpider|Zeus|archiverloader|casper|clshttp|cmsworldmap|curl|diavol|dotbot|eCatch|email|extract|flicky|grab|harvest|jakarta|java|kmccrew|larbin|libwww|miner|nikto|pavuk|pcBrowser|planetwork|pycurl|python|scan|skygrid|tAkeOut|wget|winhttp</match>
> >     <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> >  </rule>
> >
>
>
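Daniel's suggestion above (compile the patterns once, keep them in memory, only run regexec per event), as an added example that is not code from this thread or from OSSEC: it stands in for the bad_useragents file with a constructed in-memory list, compiles each pattern on the first event only, extracts the user-agent as the last double-quoted field of the Apache line, and returns the index of the matching pattern. The Eventinfo type, the file read and the return of lf on a hit that a real compiled rule would add are assumed, not shown.

```c
#include <regex.h>
#include <string.h>

/* Constructed stand-in for /var/ossec/rules/bad_useragents from the thread;
 * a real compiled rule would read the file once, on the first event. */
static const char *bad_agents[] = { "nikto", "zeus", "webreaper", "httrack", "wget" };
#define N_BAD (sizeof(bad_agents) / sizeof(bad_agents[0]))
static regex_t compiled[N_BAD];   /* compiled once, reused for every event */
static int compiled_ready = 0;    /* 0 = not yet, 1 = ready, -1 = compile failed */

/* Compile every pattern once; later events reuse the in-memory regex_t array. */
static int init_bad_agents(void)
{
    for (size_t i = 0; i < N_BAD; i++)
        if (regcomp(&compiled[i], bad_agents[i], REG_EXTENDED | REG_ICASE | REG_NOSUB))
            return compiled_ready = -1;
    return compiled_ready = 1;
}

/* Copy the last double-quoted field of an Apache combined log line (the
 * user-agent) into out; returns NULL when the line has no such field. */
static const char *last_quoted_field(const char *log, char *out, size_t outlen)
{
    const char *end = strrchr(log, '"'), *start;
    if (end == NULL || end == log)
        return NULL;
    for (start = end - 1; start > log && *start != '"'; start--) {}
    if (*start != '"')
        return NULL;
    size_t len = (size_t)(end - start - 1);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return out;
}

/* Index of the first pattern matching the user-agent, or -1; after the first call no fopen/regcomp runs per event. */
int match_bad_useragent(const char *log)
{
    char agent[512];
    if (compiled_ready == 0)
        init_bad_agents();
    if (compiled_ready < 0 || last_quoted_field(log, agent, sizeof agent) == NULL)
        return -1;
    for (size_t i = 0; i < N_BAD; i++)
        if (regexec(&compiled[i], agent, 0, NULL, 0) == 0)
            return (int)i;
    return -1;
}
```

Matching against the extracted user-agent rather than the whole line avoids the false positives a bare <match> on "email" or "scan" produces when those words appear in the request URL.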
