hi,
I created new active-response rules to ban IPs looking for non-existing
files. In the ossec-hids-responses.log I see that these rules were active,
but when I look in /var/log/apache2/error.log I find many entries of
this kind that should have been blocked by ossec active-response. I don't
understand why I still see these entries in /var/log/apache2/error.log.
What's wrong?
Is it maybe possible to avoid the active-response rules by first trying
to open a file several times and later trying to find other files? In my
logfiles I find the attempt to open /var/www/sharedip/admin many times
and later attempts to open other files.
tom
--
the rules:
<ossec_config>
...
<active-response>
<command>host-deny</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>
...
</ossec_config>
<group name="apache,">
...
<rule id="30114" level="10" frequency="2" timeframe="120">
<if_matched_sid>30112</if_matched_sid>
<same_source_ip />
<description>Multiple attempts to access non-existent files (web scan) from same source.</description>
<group>web_scan,recon,</group>
</rule>
...
</group> <!-- ERROR_LOG,APACHE -->
/var/ossec/active-response/ossec-hids-responses.log
Thu Nov 16 05:16:15 CET 2006 /var/ossec/active-response/bin/firewall-drop.sh add - 62.149.226.126
Thu Nov 16 05:16:15 CET 2006 /var/ossec/active-response/bin/host-deny.sh add - 62.149.226.126
Thu Nov 16 05:26:47 CET 2006 /var/ossec/active-response/bin/host-deny.sh delete - 62.149.226.126
Thu Nov 16 05:26:47 CET 2006 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.149.226.126
/var/log/apache2/error.log
[Thu Nov 16 02:10:51 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/include.php
[Thu Nov 16 02:10:53 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/html
[Thu Nov 16 02:10:55 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/html
[Thu Nov 16 02:10:56 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/phpkit
[Thu Nov 16 02:10:57 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/page
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpmyadmin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/db
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/web
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/PMA
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysql
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/myadmin
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/webadmin
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/sqlweb
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/websql
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/webdb
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysqladmin
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysql-admin
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpmyadmin2
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/php-my-admin
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin-2.2.3
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin-2.2.6
The mail content:
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/db
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpmyadmin
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/PMA
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/web
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysql
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/web
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/webadmin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/myadmin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/websql
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/sqlweb
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/myadmin
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysqladmin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/webdb
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/sqlweb
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:15
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpmyadmin2
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysql-admin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/webdb
--END OF NOTIFICATION
OSSEC HIDS Notification.
2006 Nov 16 05:16:17
Received From: server01->/var/log/apache2/error.log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin-2.2.3
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/php-my-admin
[error] [client 62.149.226.126] File does not exist: /var/www/sharedip/mysql-admin
--END OF NOTIFICATION
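As an added example (not part of tom's post and not OSSEC's own code), the script below reads Apache error.log lines and ossec-hids-responses.log lines in the formats shown above, applies a simplified model of rule 30114's <frequency>/<timeframe>/<same_source_ip> correlation, and reports per client IP when that model would trigger, when the drop script actually ran, and how many "File does not exist" entries were logged at or before the block versus after it. The sample log lines inside it are constructed to mirror the post's format, the regexes and threshold model are this example's own, and `frequency` is treated as the raw hit count (OSSEC's documented counting differs). Checked against the timestamps in the post, every entry from 62.149.226.126 lands at or before 05:16:15, the second firewall-drop.sh ran, so the entries-after-block count is what to watch when judging whether a block actually took effect.

```python
"""Added example (not from the post or OSSEC): correlate Apache error.log
"File does not exist" lines with OSSEC active-response timestamps."""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%a %b %d %H:%M:%S %Y"

# Apache 2.0/2.2 error.log line, one entry per line, as in the post.
ERROR_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[error\] "
    r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)"
)
# ossec-hids-responses.log line: `date` output, script path, action, "-", IP.
# The zone token (e.g. CET) is skipped: strptime's %Z only knows UTC/GMT/local.
AR_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"\S*/(?P<script>[\w.-]+\.sh) (?P<action>add|delete) - (?P<ip>[\d.]+)"
)

# Constructed sample lines mirroring the post's format (not the real files).
SAMPLE_ERROR_LOG = """\
[Thu Nov 16 02:10:51 2006] [error] [client 82.165.235.21] File does not exist: /var/www/sharedip/include.php
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:11 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:12 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/admin
[Thu Nov 16 05:16:13 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpmyadmin
[Thu Nov 16 05:16:14 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/db
[Thu Nov 16 05:16:15 2006] [error] [client 62.149.226.126] File does not exist: /var/www/sharedip/phpMyAdmin-2.2.6
"""
SAMPLE_AR_LOG = """\
Thu Nov 16 05:16:15 CET 2006 /var/ossec/active-response/bin/firewall-drop.sh add - 62.149.226.126
Thu Nov 16 05:16:15 CET 2006 /var/ossec/active-response/bin/host-deny.sh add - 62.149.226.126
Thu Nov 16 05:26:47 CET 2006 /var/ossec/active-response/bin/host-deny.sh delete - 62.149.226.126
Thu Nov 16 05:26:47 CET 2006 /var/ossec/active-response/bin/firewall-drop.sh delete - 62.149.226.126
"""


def parse_error_log(text):
    """Return [(timestamp, client_ip, path)] for every matching line."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], m["path"]))
    return events


def parse_ar_log(text):
    """Return {ip: time of the first 'add' action} from the responses log."""
    blocks = {}
    for line in text.splitlines():
        m = AR_RE.match(line)
        if m and m["action"] == "add":
            when = datetime.strptime(f"{m['ts']} {m['year']}", TS_FMT)
            blocks.setdefault(m["ip"], when)
    return blocks


def rule_fire_times(events, frequency=2, timeframe=120):
    """Simplified model of 30114's <frequency>/<timeframe>/<same_source_ip>:
    the first moment `frequency` hits from one IP fall inside `timeframe`
    seconds. Assumption: `frequency` is the raw hit count (OSSEC's own
    counting differs); the rule fires once per IP here."""
    window = defaultdict(list)
    fired = {}
    for ts, ip, _ in sorted(events):
        if ip in fired:
            continue
        hits = window[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > timeframe:
            hits.pop(0)  # drop hits that fell out of the sliding window
        if len(hits) >= frequency:
            fired[ip] = ts
    return fired


def scan_report(events, blocks, **rule):
    """Per IP: hit count, model fire time, actual block time, the gap between
    them, and how many entries were logged at/before the block versus after
    it. A non-zero 'after' count means the drop did not take effect."""
    fired = rule_fire_times(events, **rule)
    report = {}
    for ip in sorted({ip for _, ip, _ in events}):
        times = sorted(ts for ts, e_ip, _ in events if e_ip == ip)
        block, fire = blocks.get(ip), fired.get(ip)
        report[ip] = {
            "requests": len(times),
            "rule_fired_at": fire,
            "blocked_at": block,
            "fire_to_block_s": (block - fire).total_seconds() if block and fire else None,
            "logged_before_block": sum(t <= block for t in times) if block else len(times),
            "logged_after_block": sum(t > block for t in times) if block else 0,
        }
    return report


if __name__ == "__main__":
    rep = scan_report(parse_error_log(SAMPLE_ERROR_LOG), parse_ar_log(SAMPLE_AR_LOG))
    for ip, r in rep.items():
        print(ip, r)
```

Point the two parse functions at the real files (and raise `frequency` if your OSSEC version counts differently) to get the same report for a live host; a scanner issuing several requests per second will always get a few through in the gap between the rule firing and the firewall rule landing.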