I'm having an issue extracting the IP out of a successfully triggered 
ModSecurity rule.

Details:
I'm using OSSEC-HIDS 2.8.3 on CentOS 7 with Apache 2.4. I have borrowed the 
Apache 2.4 rules and decoder (Apache section) from OSSEC 2.9b, which are:

+++++++++++++++++++++++++++++++++++++++++++
  <!-- Apache 2.4 ModSecurity Rules -->
  <rule id="30401" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Warning</match>
    <description>ModSecurity Warning messages grouped</description>
  </rule>

  <rule id="30402" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Access denied</match>
    <description>ModSecurity Access denied messages grouped</description>
  </rule>

  <rule id="30403" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Audit log:</match>
    <description>ModSecurity Audit log messages grouped</description>
  </rule>

  <rule id="30411" level="7">
    <if_sid>30402</if_sid>
    <match>with code 403</match>
    <description>ModSecurity rejected a query</description>
  </rule>
+++++++++++++++++++++++++++++++++++++++++++

<decoder name="apache-errorlog">
  <program_name>^httpd</program_name>
</decoder>

<decoder name="apache-errorlog">
  <prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>

<decoder name="apache-errorlog">
  <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ 
\d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] 
[\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
</decoder>

<decoder name="apache24-errorlog-ip">
  <parent>apache-errorlog</parent>

  <prematch offset="after_parent">[client</prematch>
  <regex offset="after_prematch">^ (\S+):\d+] (\S+): </regex>
  <order>srcip,id</order>
</decoder>

<decoder name="apache24-modsec-errorlog-ip">
  <parent>apache-errorlog</parent>

  <prematch offset="after_parent">[client</prematch>
  <regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
  <order>srcip</order>
</decoder>

<decoder name="apache-errorlog-ip">
  <parent>apache-errorlog</parent>

  <prematch offset="after_parent">^[client</prematch>
  <regex offset="after_prematch">^ (\S+)] </regex>
  <order>srcip</order>
</decoder>
+++++++++++++++++++++++++++++++++++++++++++

The error_log shows as:

[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] 
ModSecurity: Access denied with code 403 (phase 2). String match 
"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file 
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id 
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary 
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id 
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]


And Rule 30411 triggers successfully as (not matching alert to above, just 
an example):


** Alert 1455667932.9725404: mail  - apache,
2016 Feb 16 18:12:12 (server.mine.org) 1.1.1.1->/home/xyz/logs/error_log
Rule: 30411 (level 7) -> 'ModSecurity rejected a query'
[Tue Feb 16 18:12:12.419586 2016] [:error] [pid 22253] [client 178.137.167.9] 
ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at 
IP:multiple_username_count. [file 
"/etc/httpd/modsecurity.d/cwaf_rules/09_Bruteforce_Bruteforce.conf"] [line 
"79"] [id "230021"] [rev "3"] [msg "COMODO WAF: Multiple Username Violation: 
Too Many Usernames Submitted for Authentication."] [data "Current Username: 
xyz"] [hostname "www.xyz.com"] [uri "/administrator/index.php"] [unique_id 
"VsO63OFvCgWfU4iCpLmGvQAAABg"]


As you can see, the srcip doesn't get listed as it should below Rule: 20411; 
the same happens when doing an ossec-logtest.

I've done a ton of searching and cannot find anything on this issue. I 
tried experimenting with the regex to no avail.

Can anyone suggest a correction to:

<decoder name="apache24-modsec-errorlog-ip">
  <parent>apache-errorlog</parent>

  <prematch offset="after_parent">[client</prematch>
  <regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
  <order>srcip</order>
</decoder>

Or offer another solution?

Thanks,
Brian
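As an added example (not part of the original post), here is a Python dry-run of the three child decoders against the error_log line quoted above, reporting for each one whether its prematch hits and what its regex extracts. It translates the OSSEC pattern dialect to Python re on the assumption that only the listed escapes and ^ $ | ( ) + * . are special and everything else (including [ ] and :) is literal; OSSEC's own os_regex engine and its child-selection rules can differ, so this is a way to reason about the patterns alongside ossec-logtest, not a replacement for it.

```python
import re

# Assumed OSSEC character classes (\w in OSSEC also covers @ _ -).
_CLASSES = {"w": "[A-Za-z0-9@_-]", "d": "[0-9]", "s": r"\s", "S": r"\S",
            "W": "[^A-Za-z0-9@_-]", "D": "[^0-9]", "t": r"\t"}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder pattern into a Python regex (approximation)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            # \w \d \s \S ... become classes; any other escaped char is literal
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            # only these metacharacters pass through; [ ] : etc. are literal
            out.append(ch if ch in "^$|()+*." else re.escape(ch))
            i += 1
    return "".join(out)

# Patterns copied from the decoders quoted in the post (the [:error] parent branch).
PARENT_PREMATCH = r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] "
CHILDREN = [  # (name, prematch, regex, order)
    ("apache24-errorlog-ip", r"[client", r"^ (\S+):\d+] (\S+): ", ["srcip", "id"]),
    ("apache24-modsec-errorlog-ip", r"[client", r"^ (\S+)] ModSecurity: ", ["srcip"]),
    ("apache-errorlog-ip", r"^[client", r"^ (\S+)] ", ["srcip"]),
]

def trace_children(line):
    """Return {child name: (prematch_hit, extracted fields or None)}, or None
    when the parent prematch does not match at all."""
    parent = re.match(ossec_to_python(PARENT_PREMATCH), line)
    if not parent:
        return None
    rest = line[parent.end():]                      # offset="after_parent"
    report = {}
    for name, prematch, regex, order in CHILDREN:
        pm = re.search(ossec_to_python(prematch), rest)
        if not pm:
            report[name] = (False, None)
            continue
        rx = re.match(ossec_to_python(regex), rest[pm.end():])  # offset="after_prematch"
        report[name] = (True, dict(zip(order, rx.groups())) if rx else None)
    return report

# Constructed from the error_log line quoted in the post, truncated after the operator text.
SAMPLE = ('[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] '
          'ModSecurity: Access denied with code 403 (phase 2). String match '
          '"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent.')

if __name__ == "__main__":
    for name, (hit, fields) in trace_children(SAMPLE).items():
        print(f"{name:30} prematch={'yes' if hit else 'no'} fields={fields}")
```

Under Python semantics the modsec child extracts srcip while the apache24-errorlog-ip child's prematch hits but its regex (which expects a :port) does not; comparing that trace with ossec-logtest output narrows the problem to pattern text or to engine behaviour.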
