I asked for regex, because there are a lot of website "variations" like: facebook.com:443, static.ak.facebook.com, facebook.com/plugins/-a_lot_of_chars, etc... Thanks for your help.
2012/12/6 dan (ddp) <ddp...@gmail.com>
> On Tue, Dec 4, 2012 at 11:15 AM, Daniel Requena <requ...@gmail.com> wrote:
> > Thank you!
> > I'm pretty sure I already tried the 35005 "interception" approach, but I'll
> > try again.
> > Just for the record, is it possible to "match" multiple sites on a single
> > rule, like this? Or even using a regex?
> >
>
> The pipe ("|") should work, regex doesn't help.
>
> >
> > <rule id="100102" level="0">
> >   <if_sid>35005</if_sid>
> >   <match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
> >   <description>ignore facebook</description>
> > </rule>
> >
> > Regards.
> >
> >
> > 2012/12/4 dan (ddp) <ddp...@gmail.com>
> >
> >> On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <requ...@gmail.com> wrote:
> >> > Hi
> >> >
> >> > Just extracted from squid access.log
> >> >
> >> > 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
> >> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
> >> > 1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
> >> >
> >> > This is the alert that is generated from it:
> >> >
> >> > Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
> >> > Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file
> >> > or directory from same source ip."
> >> > Portion of the log(s):
> >> >
> >>
> >> Ok, that rule fires due to multiple alerts. So if we ignore the
> >> original alert, this one won't fire.
> >>
> >> This is from a fairly basic 2.7:
> >> # cat /tmp/f | /var/ossec/bin/ossec-logtest
> >> 2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
> >> 2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>        hostname: 'arrakis'
> >>        program_name: '(null)'
> >>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'squid-accesslog'
> >>        srcip: '10.0.0.202'
> >>        action: 'TCP_DENIED'
> >>        id: '403'
> >>        url: 's-static.ak.facebook.com:443'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '35005'
> >>        Level: '5'
> >>        Description: 'Forbidden: Attempt to access forbidden file or directory.'
> >> **Alert to be generated.
> >>
> >>
> >> So we need to ignore 35005. Let's try this:
> >>
> >> <rule id="100102" level="0">
> >>   <if_sid>35005</if_sid>
> >>   <match>facebook.com</match>
> >>   <description>ignore facebook</description>
> >> </rule>
> >>
> >> Your match was "<match>.facebook.com/</match>," but this does not
> >> appear in the log messages you provided.
> >>
> >> So the logtest output with the new rule:
> >> # cat /tmp/f | /var/ossec/bin/ossec-logtest
> >> 2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
> >> 2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>        hostname: 'arrakis'
> >>        program_name: '(null)'
> >>        log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'squid-accesslog'
> >>        srcip: '10.0.0.202'
> >>        action: 'TCP_DENIED'
> >>        id: '403'
> >>        url: 's-static.ak.facebook.com:443'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '100102'
> >>        Level: '0'
> >>        Description: 'ignore facebook'
> >>
> >> So it's ignored. Now we test the multiple attempts thing, and I get
> >> nothing but 100102 alerts.
> >>
> >>
> >> >
> >> >
> >> > About the upgrade, I'm doing it right now.
> >> >
> >> > On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <req...@gmail.com> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I'm trying to customize the behavior of the rule 35051
> >> >> > (squid_rules.xml) in order to not have it fired if someone tries to
> >> >> > access facebook website.
> >> >> > This rule keeps annoying me, because Facebook "like" button is
> >> >> > EVERYWHERE and my proxy server blocks it.
> >> >> > I wrote this piece of rule on my local_rules.xml but with no
> >> >> > success.
> >> >> >
> >> >> > <rule id="100060" level="0">
> >> >> >   <if_sid>35051</if_sid>
> >> >> >   <match>.facebook.com/</match>
> >> >> >   <description>Squid cache report</description>
> >> >> > </rule>
> >> >> >
> >> >> > Does anybody have the same problem? Am I doing something wrong?
> >> >> > I appreciate any help.
> >> >> >
> >> >> > Regards.
> >> >> >
> >> >>
> >> >> Can you provide a log sample?
> >> >>
> >> >> > ps: I'm using Ossec Server v2.5.1
> >> >>
> >> >> Upgrade.
> >
> > --
> > Regards
> > Daniel Requena
>

--
Regards
Daniel Requena
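The behaviour dan demonstrates with ossec-logtest (35051 only fires because several 35005 alerts from the same source IP pile up, so a level-0 child rule on 35005 silences both, and a pipe-separated `<match>` is a plain substring OR, not a regex) can be emulated in a few dozen lines. The script below is an added example written for this page, not OSSEC code: the decoder is a deliberately minimal subset of OSSEC's squid-accesslog decoder, the frequency and timeframe thresholds for 35051 are assumed values chosen for the illustration rather than copied from squid_rules.xml, and the log lines are constructed to mirror the ones quoted in the thread.

```python
"""Emulate the OSSEC rule chain discussed in the thread (added example, not OSSEC code).

Rules modelled, in simplified form:
  35005   TCP_DENIED/403 from squid  -> level 5
  100102  child of 35005 whose <match> hits the URL -> level 0 (event consumed)
  35051   frequency rule on 35005 alerts from the same source IP -> level 10
"""
import re
from collections import defaultdict, deque

# ASSUMED thresholds for 35051 (illustration only; check squid_rules.xml).
FREQ_35051 = 8
TIMEFRAME_35051 = 120  # seconds

# Minimal squid native access.log decoder: timestamp, elapsed, srcip,
# action/status, bytes, method, url. Subset of OSSEC's squid-accesslog.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<srcip>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<id>\d{3})\s+\d+\s+\S+\s+(?P<url>\S+)"
)


def decode(line):
    """Return the decoded fields (srcip, action, id, url, ts) or None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = float(fields["ts"])
    return fields


def ossec_match(pattern, text):
    """OSSEC <match> semantics: plain substring test, '|' separates alternatives."""
    return any(alt in text for alt in pattern.split("|"))


class RuleEngine:
    def __init__(self, ignore_match=None):
        # <match> content of the local level-0 rule 100102, or None to disable it
        self.ignore_match = ignore_match
        # per-source-IP sliding window of 35005 alert timestamps for 35051
        self.window = defaultdict(deque)

    def process(self, line):
        """Return the final (rule_id, level) for one line, as ossec-logtest would."""
        ev = decode(line)
        if ev is None:
            return None
        # 35005: "Forbidden: Attempt to access forbidden file or directory."
        if not (ev["action"] == "TCP_DENIED" and ev["id"] == "403"):
            return None
        # 100102: <if_sid>35005</if_sid> + <match>...</match>, level 0.
        # The event ends here, so 35051 never sees a 35005 alert for it.
        if self.ignore_match and ossec_match(self.ignore_match, ev["url"]):
            return 100102, 0
        # 35051: <if_matched_sid>35005</if_matched_sid> + <same_source_ip/>
        w = self.window[ev["srcip"]]
        w.append(ev["ts"])
        while w and ev["ts"] - w[0] > TIMEFRAME_35051:
            w.popleft()
        if len(w) >= FREQ_35051:
            w.clear()
            return 35051, 10
        return 35005, 5


def run(lines, ignore_match=None):
    """Run every line through a fresh engine; return the (rule, level) results."""
    engine = RuleEngine(ignore_match)
    return [r for r in (engine.process(l) for l in lines) if r is not None]


def fired_ids(lines, ignore_match=None):
    """Rule ids that would actually alert (level > 0)."""
    return [rule for rule, level in run(lines, ignore_match) if level > 0]


# Constructed sample: eight denied CONNECTs from one client, shaped like the
# thread's lines, plus one denied non-facebook CONNECT.
SRC = "10.0.0.202"
SAMPLE_LINES = [
    f"1354623033.{296 + i} 0 {SRC} TCP_DENIED/403 3789 CONNECT "
    f"{host}:443 - NONE/- text/html"
    for i, host in enumerate(["s-static.ak.facebook.com", "www.facebook.com"] * 4)
]
EXAMPLE_LINE = (
    f"1354623034.100 0 {SRC} TCP_DENIED/403 3765 CONNECT "
    "www.example.com:443 - NONE/- text/html"
)

if __name__ == "__main__":
    print("no override :", fired_ids(SAMPLE_LINES))
    print("pipe match  :", fired_ids(SAMPLE_LINES, "facebook.com|facebook.com:443"))
    print("other site  :", fired_ids(SAMPLE_LINES + [EXAMPLE_LINE], "facebook.com"))
    print("'.facebook.com/' matches CONNECT url?",
          ossec_match(".facebook.com/", "s-static.ak.facebook.com:443"))
```

Without the override the eighth denied line trips the assumed 35051 threshold; with `facebook.com` in the override every facebook line ends at 100102/level 0 and the frequency window never fills, while a denied CONNECT to another host still produces a normal 35005. The last print reproduces the point dan made about the original `.facebook.com/` match: CONNECT lines carry `host:port`, never a trailing slash, so that substring never matches.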