I asked for regex, because there are a lot of website "variations" like:
facebook.com:443, static.ak.facebook.com,
facebook.com/plugins/-alot_of_chars, etc...
Thanks for your help.


2012/12/6 dan (ddp) <ddp...@gmail.com>

> On Tue, Dec 4, 2012 at 11:15 AM, Daniel Requena <requ...@gmail.com> wrote:
> > Thank you!
> > I'm pretty sure I already tried the 35005 "interception" approach, but I'll
> > try again.
> > Just for the record, is it possible to "match" multiple sites on a single
> > rule, like this? Or even using a regex?
> >
>
> The pipe ("|") should work, regex doesn't help.
>
> >
> >   <rule id="100102" level="0">
> >     <if_sid>35005</if_sid>
> >
> > <match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
> >
> >     <description>ignore facebook</description>
> >   </rule>
> >
> >  Regards.
> >
> >
> > 2012/12/4 dan (ddp) <ddp...@gmail.com>
> >
> >> On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <requ...@gmail.com> wrote:
> >> > Hi
> >> >
> >> >    Just extracted from squid access.log
> >> >
> >> > 1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> >> > s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> >> > s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.298      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> >> > s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> >
> >> >      This is the alert that is generated from it:
> >> >
> >> > Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
> >> > Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden
> >> > file
> >> > or directory from same source ip."
> >> > Portion of the log(s):
> >> >
> >>
> >> Ok, that rule fires due to multiple alerts. So if we ignore the
> >> original alert, this one won't fire.
> >>
> >> This is from a fairly basic 2.7:
> >> # cat /tmp/f  | /var/ossec/bin/ossec-logtest
> >> 2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
> >> 2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
> >> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>        hostname: 'arrakis'
> >>        program_name: '(null)'
> >>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> >> s-static.ak.facebook.com:443 - NONE/- text/html'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'squid-accesslog'
> >>        srcip: '10.0.0.202'
> >>        action: 'TCP_DENIED'
> >>        id: '403'
> >>        url: 's-static.ak.facebook.com:443'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '35005'
> >>        Level: '5'
> >>        Description: 'Forbidden: Attempt to access forbidden file or
> >> directory.'
> >> **Alert to be generated.
> >>
> >>
> >> So we need to ignore 35005. Let's try this:
> >>
> >>   <rule id="100102" level="0">
> >>     <if_sid>35005</if_sid>
> >>     <match>facebook.com</match>
> >>     <description>ignore facebook</description>
> >>   </rule>
> >>
> >> Your match was "<match>.facebook.com/</match>," but this does not
> >> appear in the log messages you provided.
> >>
> >> So the logtest output with the new rule:
> >> # cat /tmp/f  | /var/ossec/bin/ossec-logtest
> >> 2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
> >> 2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
> >> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>        hostname: 'arrakis'
> >>        program_name: '(null)'
> >>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> >> s-static.ak.facebook.com:443 - NONE/- text/html'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'squid-accesslog'
> >>        srcip: '10.0.0.202'
> >>        action: 'TCP_DENIED'
> >>        id: '403'
> >>        url: 's-static.ak.facebook.com:443'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '100102'
> >>        Level: '0'
> >>        Description: 'ignore facebook'
> >>
> >> So it's ignored. Now we test the multiple attempts thing, and I get
> >> nothing but 100102 alerts.
> >>
> >>
> >> >
> >> >
> >> >     About the upgrade, I'm doing it right now.
> >> >
> >> > On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <req...@gmail.com>
> >> >> wrote:
> >> >> > Hi,
> >> >> >
> >> >> >      I'm trying to customize the behavior of the rule 35051
> >> >> > (squid_rules.xml) in order to not have it fired if someone tries to
> >> >> > access
> >> >> > facebook website.
> >> >> >      This rule keeps annoying me, because Facebook "like" button is
> >> >> > EVERYWHERE and my proxy server blocks it.
> >> >> >      I wrote this piece of rule on my local_rules.xml but with no
> >> >> > success.
> >> >> >
> >> >> >  <rule id="100060" level="0">
> >> >> >     <if_sid>35051</if_sid>
> >> >> >     <match>.facebook.com/</match>
> >> >> >     <description>Squid cache report</description>
> >> >> > </rule>
> >> >> >
> >> >> >      Does anybody have the same problem? Am I doing something wrong?
> >> >> >      I appreciate any help.
> >> >> >
> >> >> > Regards.
> >> >> >
> >> >>
> >> >> Can you provide a log sample?
> >> >>
> >> >> > ps: I'm using Ossec Server v2.5.1
> >> >>
> >> >> Upgrade.
> >
> >
> >
> >
> > --
> > Atenciosamente
> >       Daniel Requena
>



-- 
Atenciosamente
      Daniel Requena
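As an added example, not code from the thread or from OSSEC itself, the following models how OSSEC evaluates the candidate ignore rules against the squid lines Daniel posted: `<match>` is a plain substring test with `|` as OR (no regex, as dan says), and a level-0 child replaces the rule it chains to. The `decode` regex, the `evaluate` function and the frequency threshold for 35051 are assumptions constructed for illustration, not OSSEC's real decoder or rule parameters.

```python
import re

# Constructed subset of the squid access.log lines posted in the thread.
SQUID_LOG = """\
1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
"""

# Assumed stand-in for the 'squid-accesslog' decoder fields seen in ossec-logtest.
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<srcip>\S+)\s+(?P<action>\w+)/(?P<id>\d+)\s+\d+\s+\w+\s+(?P<url>\S+)")

def decode(line):
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None

def ossec_match(pattern, text):
    """<match>: plain substring test; '|' separates alternatives (no regex)."""
    return any(alt in text for alt in pattern.split("|"))

def evaluate(log, ignore_rule, threshold=3):
    """ignore_rule = (id, if_sid, match). Returns (rule id per denied line,
    composite rule id or None). Model: 35005 fires on TCP_DENIED/403; a level-0
    child chained to a fired rule replaces it; 35051 fires once `threshold`
    35005 alerts come from one srcip (threshold is constructed, not OSSEC's)."""
    rid, if_sid, pattern = ignore_rule
    fired, denied, trigger = [], {}, None
    for line in log.splitlines():
        d = decode(line)
        if not (d and d["action"] == "TCP_DENIED" and d["id"] == "403"):
            continue
        if if_sid == "35005" and ossec_match(pattern, line):
            fired.append(rid)          # level 0: the 35005 alert is suppressed
            continue
        fired.append("35005")
        denied[d["srcip"]] = denied.get(d["srcip"], 0) + 1
        if denied[d["srcip"]] == threshold and trigger is None:
            trigger = line
    if trigger is None:
        return fired, None
    if if_sid == "35051" and ossec_match(pattern, trigger):
        return fired, rid              # child of 35051 matched the triggering log
    return fired, "35051"
```

Running it with Daniel's original rule (`if_sid` 35051, match `.facebook.com/`) leaves every 35005 alert in place and 35051 still fires, because the pattern never occurs in a CONNECT line; dan's rule (`if_sid` 35005, match `facebook.com`) suppresses all four and 35051 never fires.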
