On Tue, Dec 4, 2012 at 11:15 AM, Daniel Requena <requ...@gmail.com> wrote:
> Thank you!
> I'm pretty sure I already tried the 35005 "interception" approach, but I'll
> try again.
> Just for the record, is it possible to "match" multiple sites on a single
> rule, like this? Or even using a regex?
>

The pipe ("|") should work, regex doesn't help.

>
> <rule id="100102" level="0">
>   <if_sid>35005</if_sid>
>   <match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
>   <description>ignore facebook</description>
> </rule>
>
> Regards.
>
>
> 2012/12/4 dan (ddp) <ddp...@gmail.com>
>
>> On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <requ...@gmail.com> wrote:
>> > Hi
>> >
>> > Just extracted from squid access.log
>> >
>> > 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
>> > 1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
>> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
>> > 1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
>> >
>> > This is the alert that is generated from it:
>> >
>> > Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
>> > Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file or directory from same source ip."
>> > Portion of the log(s):
>> >
>>
>> Ok, that rule fires due to multiple alerts. So if we ignore the
>> original alert, this one won't fire.
>>
>> This is from a fairly basic 2.7:
>> # cat /tmp/f | /var/ossec/bin/ossec-logtest
>> 2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
>> 2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'squid-accesslog'
>>        srcip: '10.0.0.202'
>>        action: 'TCP_DENIED'
>>        id: '403'
>>        url: 's-static.ak.facebook.com:443'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '35005'
>>        Level: '5'
>>        Description: 'Forbidden: Attempt to access forbidden file or directory.'
>> **Alert to be generated.
>>
>>
>> So we need to ignore 35005. Let's try this:
>>
>> <rule id="100102" level="0">
>>   <if_sid>35005</if_sid>
>>   <match>facebook.com</match>
>>   <description>ignore facebook</description>
>> </rule>
>>
>> Your match was "<match>.facebook.com/</match>," but this does not
>> appear in the log messages you provided.
>>
>> So the logtest output with the new rule:
>> # cat /tmp/f | /var/ossec/bin/ossec-logtest
>> 2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
>> 2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'squid-accesslog'
>>        srcip: '10.0.0.202'
>>        action: 'TCP_DENIED'
>>        id: '403'
>>        url: 's-static.ak.facebook.com:443'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100102'
>>        Level: '0'
>>        Description: 'ignore facebook'
>>
>> So it's ignored. Now we test the multiple attempts thing, and I get
>> nothing but 100102 alerts.
>>
>>
>> >
>> >
>> > About the upgrade, I'm doing it right now.
>> >
>> > On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <req...@gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > I'm trying to customize the behavior of the rule 35051
>> >> > (squid_rules.xml) in order to not have it fired if someone tries to access
>> >> > facebook website.
>> >> > This rule keeps annoying me, because Facebook "like" button is
>> >> > EVERYWHERE and my proxy server blocks it.
>> >> > I wrote this piece of rule on my local_rules.xml but with no success.
>> >> >
>> >> > <rule id="100060" level="0">
>> >> >   <if_sid>35051</if_sid>
>> >> >   <match>.facebook.com/</match>
>> >> >   <description>Squid cache report</description>
>> >> > </rule>
>> >> >
>> >> > Does anybody have the same problem? Am I doing something wrong?
>> >> > I appreciate any help.
>> >> >
>> >> > Regards.
>> >> >
>> >>
>> >> Can you provide a log sample?
>> >>
>> >> > ps: I'm using Ossec Server v2.5.1
>> >>
>> >> Upgrade.
>
>
>
>
> --
> Regards
> Daniel Requena
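The rule chain dan walks through above (the squid-accesslog decoder, rule 35005 firing on TCP_DENIED/403, a level-0 child rule that swallows the facebook hits, and rule 35051 correlating repeated 35005 alerts from one source IP) can be modelled in a few dozen lines. The block below is an added example, not OSSEC's code and not ossec-logtest: `decode_squid`, `ossec_match`, `evaluate` and `count` are hypothetical names, the two `blocked.example` log lines are constructed so that a non-facebook denial is still visible after the override, and the 35051 threshold (3 hits in 120 s) is an assumption, since the real frequency and timeframe in squid_rules.xml are not quoted in the thread. `ossec_match` models the two points made above: `<match>` is a plain substring test with `|` separating alternatives, so `.facebook.com/` never hits a `CONNECT host:443` line, while `facebook.com` does.

```python
"""Added example: a model of the OSSEC rule chain discussed in this thread.

Not OSSEC code. Assumed: rule 35051 fires after 3 matching 35005 alerts from
the same srcip within 120 s (the real values are in squid_rules.xml).
"""
import re
from collections import defaultdict, deque
from typing import List, NamedTuple, Optional

# Constructed sample: the seven facebook lines posted in the thread, plus two
# made-up denials of another host from the same client (blocked.example).
SAMPLE_LOG = """\
1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623040.100 0 10.0.0.202 TCP_DENIED/403 3700 GET http://blocked.example/tool.exe - NONE/- text/html
1354623041.200 0 10.0.0.202 TCP_DENIED/403 3700 GET http://blocked.example/tool.exe - NONE/- text/html
"""

# Native squid access.log fields, as far as the decoder output above uses
# them: timestamp, client IP, action/status and the requested URL.
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<srcip>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<id>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


class Alert(NamedTuple):
    rule: str
    level: int
    srcip: str


def decode_squid(line: str) -> Optional[dict]:
    """Decode one access.log line into srcip/action/id/url, or None."""
    m = SQUID_LINE.match(line)
    return m.groupdict() if m else None


def ossec_match(pattern: str, text: str) -> bool:
    """Model of <match>: substring test, '|' separates alternatives.
    No regex semantics: '.' and '/' are literal characters."""
    return any(alt in text for alt in pattern.split("|") if alt)


def evaluate(log_text: str, ignore_pattern: Optional[str] = None,
             frequency: int = 3, timeframe: int = 120) -> List[Alert]:
    """Run the lines through 35005 -> (100102) -> 35051 and return what fires."""
    alerts: List[Alert] = []
    windows = defaultdict(deque)  # srcip -> timestamps of counted 35005 hits
    for line in log_text.splitlines():
        ev = decode_squid(line)
        if ev is None or not (ev["action"] == "TCP_DENIED" and ev["id"] == "403"):
            continue  # rule 35005 does not match this line
        # Child rule 100102 (<if_sid>35005</if_sid>, level 0): when its
        # <match> hits, it replaces 35005 and nothing is logged or counted.
        if ignore_pattern and ossec_match(ignore_pattern, line):
            alerts.append(Alert("100102", 0, ev["srcip"]))
            continue
        win = windows[ev["srcip"]]
        ts = float(ev["ts"])
        while win and ts - win[0] > timeframe:
            win.popleft()  # drop hits older than the timeframe
        win.append(ts)
        if len(win) >= frequency:
            win.clear()  # 35051 (same_source_ip) fires and restarts the count
            alerts.append(Alert("35051", 10, ev["srcip"]))
        else:
            alerts.append(Alert("35005", 5, ev["srcip"]))
    return alerts


def count(alerts: List[Alert], rule: str) -> int:
    """How many times a given rule id fired."""
    return sum(1 for a in alerts if a.rule == rule)


if __name__ == "__main__":
    scenarios = (("no override rule", None),
                 ("<match>.facebook.com/</match>", ".facebook.com/"),
                 ("<match>facebook.com</match>", "facebook.com"))
    for label, pattern in scenarios:
        fired = evaluate(SAMPLE_LOG, pattern)
        print(f"{label:32s}", {r: count(fired, r) for r in ("35005", "100102", "35051")})
```

Run as a script it prints, for each of the three rule variants, how often 35005, 100102 and 35051 fire: the original `.facebook.com/` pattern changes nothing, while `facebook.com` turns every facebook hit into a silent 100102 and leaves 35051 with only the two `blocked.example` denials, too few to fire. The real check is still ossec-logtest, as shown in the thread; this model only makes the reasoning behind its output visible.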