On Tue, Dec 4, 2012 at 11:15 AM, Daniel Requena <requ...@gmail.com> wrote:
> Thank you!
> I'm pretty sure I already tried the 35005 "interception" approach, but I'll
> try again.
> Just for the record, is it possible to "match" multiple sites on a single
> rule, like this? Or even using a regex?
>

The pipe ("|") should work; regex doesn't help.

>
>   <rule id="100102" level="0">
>     <if_sid>35005</if_sid>
>     <match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
>     <description>ignore facebook</description>
>   </rule>
>
>  Regards.
>
>
> 2012/12/4 dan (ddp) <ddp...@gmail.com>
>
>> On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <requ...@gmail.com> wrote:
>> > Hi
>> >
>> >    Just extracted from squid access.log
>> >
>> > 1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
>> > s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3789 CONNECT
>> > s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT
>> > www.facebook.com:443 - NONE/- text/html
>> > 1354623033.298      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
>> > www.facebook.com:443 - NONE/- text/html
>> > 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
>> > s-static.ak.facebook.com:443 - NONE/- text/html
>> > 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
>> > www.facebook.com:443 - NONE/- text/html
>> > 1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
>> > www.facebook.com:443 - NONE/- text/html
>> >
>> >      This is the alert that is generated from it:
>> >
>> > Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
>> > Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden
>> > file or directory from same source ip."
>> > Portion of the log(s):
>> >
>>
>> Ok, that rule fires due to multiple alerts. So if we ignore the
>> original alert, this one won't fire.
>>
>> This is from a fairly basic 2.7:
>> # cat /tmp/f  | /var/ossec/bin/ossec-logtest
>> 2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
>> 2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
>> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
>> s-static.ak.facebook.com:443 - NONE/- text/html'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'squid-accesslog'
>>        srcip: '10.0.0.202'
>>        action: 'TCP_DENIED'
>>        id: '403'
>>        url: 's-static.ak.facebook.com:443'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '35005'
>>        Level: '5'
>>        Description: 'Forbidden: Attempt to access forbidden file or
>> directory.'
>> **Alert to be generated.
>>
>>
>> So we need to ignore 35005. Let's try this:
>>
>>   <rule id="100102" level="0">
>>     <if_sid>35005</if_sid>
>>     <match>facebook.com</match>
>>     <description>ignore facebook</description>
>>   </rule>
>>
>> Your match was "<match>.facebook.com/</match>," but this does not
>> appear in the log messages you provided.
>>
>> So the logtest output with the new rule:
>> # cat /tmp/f  | /var/ossec/bin/ossec-logtest
>> 2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
>> 2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
>> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
>> s-static.ak.facebook.com:443 - NONE/- text/html'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'squid-accesslog'
>>        srcip: '10.0.0.202'
>>        action: 'TCP_DENIED'
>>        id: '403'
>>        url: 's-static.ak.facebook.com:443'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100102'
>>        Level: '0'
>>        Description: 'ignore facebook'
>>
>> So it's ignored. Now we test the multiple attempts thing, and I get
>> nothing but 100102 alerts.
>>
>>
>> >
>> >
>> >     About the upgrade, I'm doing it right now.
>> >
>> > On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <req...@gmail.com>
>> >> wrote:
>> >> > Hi,
>> >> >
>> >> >      I'm trying to customize the behavior of the rule 35051
>> >> > (squid_rules.xml) in order to not have it fired if someone tries to
>> >> > access
>> >> > facebook website.
>> >> >      This rule keeps annoying me, because Facebook "like" button is
>> >> > EVERYWHERE and my proxy server blocks it.
>> >> >      I wrote this piece of rule on my local_rules.xml but with no
>> >> > success.
>> >> >
>> >> >  <rule id="100060" level="0">
>> >> >     <if_sid>35051</if_sid>
>> >> >     <match>.facebook.com/</match>
>> >> >     <description>Squid cache report</description>
>> >> > </rule>
>> >> >
>> >> >      Does anybody have the same problem? Am I doing something wrong?
>> >> >      I appreciate any help.
>> >> >
>> >> > Regards.
>> >> >
>> >>
>> >> Can you provide a log sample?
>> >>
>> >> > ps: I'm using Ossec Server v2.5.1
>> >>
>> >> Upgrade.
>
>
>
>
> --
> Atenciosamente
>       Daniel Requena

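The rule chain dan walks through above (35005 firing on each TCP_DENIED/403 line, the level-0 child 100102 swallowing it, and 35051 therefore never reaching its threshold) simulated in Python, as an added example that is not OSSEC code and not from the thread. The decoder regex, the frequency threshold and the timeframe are assumptions; the seven log lines are the ones Daniel posted, plus one constructed look-alike host to show that `<match>` is an unanchored substring test.

```python
"""Added example: a small simulation of the OSSEC rule chain from the thread.

Not OSSEC code and not from the thread. It mimics:
  * the squid-accesslog decoder (srcip / action / id / url),
  * rule 35005 (level 5) on a TCP_DENIED/403 line,
  * rule 100102 (level 0, if_sid 35005, <match> using '|' as OR),
  * rule 35051 (level 10), which counts 35005 hits per srcip.
FREQ_THRESHOLD and FREQ_TIMEFRAME are assumptions, not the values in
squid_rules.xml; SQUID_RE is an approximation of the real decoder.
"""
import re
from collections import defaultdict

# Approximation of the squid-accesslog decoder (assumption, not OSSEC's own).
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<srcip>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<id>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# The seven lines Daniel posted, one access.log entry per line.
THREAD_LINES = [
    "1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html",
    "1354623033.297      1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html",
    "1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html",
    "1354623033.298      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html",
    "1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html",
    "1354623033.299      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html",
    "1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html",
]

# Constructed line (not from the thread): a look-alike host the substring match also swallows.
LOOKALIKE_LINE = "1354623033.310      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT facebook.com.example.net:443 - NONE/- text/html"

IGNORE_PATTERN = "facebook.com|facebook.com:443|static.facebook.com"  # from the thread, minus the "...etc..."
FREQ_THRESHOLD = 4   # assumption; the real 35051 values live in squid_rules.xml
FREQ_TIMEFRAME = 60  # seconds; assumption as above


def decode(line):
    """Return the decoded fields, or None when the line is not squid access.log format."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def os_match(pattern, text):
    """OSSEC <match> semantics: unanchored substring search, '|' means OR,
    a leading '^' anchors to the start and a trailing '$' to the end."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        needle = alt[(1 if at_start else 0):(len(alt) - 1 if at_end else len(alt))]
        if at_start and at_end:
            hit = text == needle
        elif at_start:
            hit = text.startswith(needle)
        elif at_end:
            hit = text.endswith(needle)
        else:
            hit = needle in text
        if hit:
            return True
    return False


def run_rules(lines, ignore_pattern=IGNORE_PATTERN,
              threshold=FREQ_THRESHOLD, timeframe=FREQ_TIMEFRAME):
    """Return the alerts that fire, in order, as (rule_id, level, srcip) tuples."""
    alerts = []
    recent = defaultdict(list)  # srcip -> timestamps of 35005 alerts still in the window
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        # Rule 35005: forbidden (403) response.
        if not (ev["action"] == "TCP_DENIED" and ev["id"] == "403"):
            continue
        # Rule 100102: child of 35005 at level 0. When it matches, it replaces
        # 35005, so the hit never counts toward the frequency rule 35051.
        if ignore_pattern and os_match(ignore_pattern, line):
            alerts.append(("100102", 0, ev["srcip"]))
            continue
        alerts.append(("35005", 5, ev["srcip"]))
        # Rule 35051: N hits of 35005 from the same srcip inside the timeframe.
        ts = float(ev["ts"])
        window = [t for t in recent[ev["srcip"]] if ts - t <= timeframe] + [ts]
        if len(window) >= threshold:
            alerts.append(("35051", 10, ev["srcip"]))
            window = []  # simplification: fire once per burst, then start counting again
        recent[ev["srcip"]] = window
    return alerts


if __name__ == "__main__":
    for label, pattern in (("with 100102", IGNORE_PATTERN), ("without 100102", "")):
        fired = run_rules(THREAD_LINES, ignore_pattern=pattern)
        print(label, [rule for rule, _, _ in fired])
    print("look-alike host:", run_rules([LOOKALIKE_LINE]))
```

Without the level-0 child every line produces a 35005 and the fourth one tips 35051; with it, nothing but 100102 fires, which is exactly what dan saw in ossec-logtest. The look-alike host shows the caveat of an unanchored `<match>`: `facebook.com` is also a substring of `facebook.com.example.net`, so that request is silenced too. If that matters in your environment, make the pattern more specific and confirm the result with ossec-logtest rather than by reasoning about it, since the tool is the authority on how the real decoder and rule options behave.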