Thank you so much, I'll try tomorrow.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Sunday, September 10, 2006 5:18 PM
To: [email protected]
Subject: [ossec-list] Re: SQL Injection Detection


The issue in your case is that when you started the agent, the IIS log was not available (as seen in the "Unable to open" messages in the log). Therefore, after a few attempts it ignored your IIS log, not monitoring it anymore (even after the day change). If you restart your agent it should start working again..

I have a fix for this issue (ignoring the log forever) on the latest snapshot:

For Unix/Linux:
http://www.ossec.net/files/snapshots/ossec-hids-060910.tar.gz

For Windows:
http://www.ossec.net/files/snapshots/ossec-win32-060910.exe


Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net


On 9/9/06, |SaMaN| <[EMAIL PROTECTED]> wrote:
>
> A suicide guy is looking for a solution *knock knock*
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, September 08, 2006 10:18 AM
> To: [email protected]
> Subject: [ossec-list] Re: SQL Injection Detection
>
>
> Agent is Windows 2000 5.00.2195 SP 4. I get security, application, event
> logs from that agent except IIS logs.
>
> File
> ----
>
> C:\WINNT\system32\LogFiles\W3SVC1\ex060907.log
>
> IIS Log with XSS and SQL Injection logs
> -----------------------------------------------
>
> 2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /dohtaccess.html dir=><script>alert(document.cookie);</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /modules.php op=modload&name=Kalender&file=index&type=view&eid=<script>alert(document.cookie)</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=^' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=\' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=/' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:23:49 10.1.X.X - 195.X.X.X 80 GET /page1.asp xformname=olasistudy1&__instanceid__=' 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 2006-09-07 08:30:37 10.1.X.X - 195.X.X.X 80 TRACE /<script>alert('TRACE');</script> - 200 -
>
> Agent's IIS Config Line
> ----------------------------
>
>  <localfile>
>    <location>C:\WINNT/System32/LogFiles/W3SVC1/ex%y%m%d.log</location>
>    <log_format>iis</log_format>
>  </localfile>
>
> Agent's ossec.log
> ---------------------------
>
> 2006/08/25 14:11:02 ossec-agent: Starting syscheckd thread.
> 2006/08/25 14:11:02 ossec-agent(1951): Analyzing event log: 'Application'.
> 2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'Security'.
> 2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'System'.
> 2006/08/25 14:11:04 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060825.log'.
> 2006/08/25 14:11:04 ossec-agent: Started (pid: 2328).
> 2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:05:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:09:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:13:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:18:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:22:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:27:00 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:31:20 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:35:40 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
> 2006/08/26 00:40:00 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'
> 2006/08/28 16:51:01 ossec-agent: Starting syscheckd thread.
> 2006/08/28 16:51:01 ossec-agent: No previous counter available for 'SERVER3'.
> 2006/08/28 16:51:01 ossec-agent: Assigning counter for agent SERVER3: '0:0'.
> 2006/08/28 16:51:01 ossec-agent: Assigning sender counter: 4:6987
> 2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Application'.
> 2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Security'.
> 2006/08/28 16:51:05 ossec-agent(1951): Analyzing event log: 'System'.
> 2006/08/28 16:51:06 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060828.log'.
> 2006/08/28 16:51:06 ossec-agent: Started (pid: 2276).
> 2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:04:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:09:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:13:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:17:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:22:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:26:27 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:30:47 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:35:07 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
> 2006/08/29 00:39:27 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'
>
>
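
Added example, not from the thread and not OSSEC's own code: a small Python scanner that parses IIS W3C extended log lines like the ones posted above and flags the XSS and single-quote probe requests the poster wanted detected. The field order is an assumption (no #Fields header was posted), the sample lines use made-up addresses, and the two rules are simplified ones of my own rather than OSSEC's web rules.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample in the IIS W3C extended format seen in the thread; the
# addresses are made-up (10.1.0.x / 192.0.2.10), not the poster's.
SAMPLE_LOG = """\
2006-09-07 08:22:39 10.1.0.5 - 192.0.2.10 80 GET /dohtaccess.html dir=><script>alert(document.cookie);</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-09-07 08:23:30 10.1.0.5 - 192.0.2.10 80 GET /reports/x.asp t=^' 302 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-09-07 08:23:49 10.1.0.5 - 192.0.2.10 80 GET /page1.asp xformname=olasistudy1&__instanceid__=' 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-09-07 08:30:37 10.1.0.5 - 192.0.2.10 80 TRACE /<script>alert('TRACE');</script> - 200 -
2006-09-07 08:31:00 10.1.0.7 - 192.0.2.10 80 GET /index.asp page=2 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-09-07 08:32:10 10.1.0.5 - 192.0.2.10 80 GET /search.asp q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

# Assumed field order (no #Fields header was posted); it fits the posted columns.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "cs_user_agent"]

# Simplified rules of my own, not OSSEC's web rules: a script tag anywhere in
# the request, or a quote that ends the request or precedes an SQL keyword.
RULES = [
    ("xss", re.compile(r"<\s*script", re.I)),
    ("sqli_probe", re.compile(r"'(?:\s*(?:or|and|union)\b|\s*--|\s*$)", re.I)),
]

def parse_line(line):
    """Split one W3C line into a dict (None for '#' directives or short lines);
    IIS writes spaces in a field as '+', and the request is percent-decoded."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["request"] = unquote_plus(rec["cs_uri_stem"] + "?" + rec["cs_uri_query"])
    return rec

def scan_log(text):
    """Return (rule, client ip, method, uri stem, status) for each matching line."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:  # first matching rule wins
            if pattern.search(rec["request"]):
                hits.append((name, rec["c_ip"], rec["cs_method"],
                             rec["cs_uri_stem"], rec["sc_status"]))
                break
    return hits
```

Decoding the request before matching is what catches the last sample line, whose script tag arrives percent-encoded.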
