While looking at your problem, I just found a problem in the Apache decoder.
We only parse the Apache logs from devices in the Americas or part of Europe
(we look for the "-" in the timezone, so every country east of
Greenwich is excluded) :)
To fix that, you need to open the file /var/ossec/etc/decoder.xml and
go to line 907
where you will see the following regex:
<regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ -\d+] </regex>
Change it to (instead of the "-", we can have the "+" too):
<regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
I will fix it in the next release for everyone else...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 1/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
hello,
I have a problem with the Apache2 access log (but not with the error log).
/* ossec.conf
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access_mywebsite.com.log</location>
</localfile>
*/
---
/* /var/log/apache2/access_mywebsite.com.log (right: root:root)
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/css/cal.css HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/js/calendar.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/js/calendar-en.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/js/calendar-setup.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/js/hide.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET /ossec/css/css.css HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:29 +0100] "GET /ossec/ HTTP/1.1" 200 18595 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
*/
When I make a GET request with index.php?xsstest=<script>alert('XSS
TEST')</script>, OSSEC doesn't match the entry in the Apache2 log.
If you have any ideas, thanks in advance (I haven't modified decoder.xml
or web_rules.xml, and they are included in the conf).
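The decoder problem from the thread, as an added example that is not code from the thread or from OSSEC: the original and fixed decoder patterns are translated into Python regular expressions (in the OSSEC decoder dialect "[" and "]" are literal, so they are escaped here) and run over constructed access-log lines with "+" and "-" offsets. The sample lines and helper names are assumptions; the point is that a line the decoder cannot parse never reaches web_rules.xml, so the coverage check below shows the gap.

```python
import re

# Python translations of the two decoder patterns quoted in the thread.
# The original only accepts "-" before the timezone digits; the fix accepts
# any non-space sign character ("\S"), so "+0100" is decoded as well.
ORIGINAL = re.compile(r'^(\d+.\d+.\d+.\d+) \S+ \S+ \[\S+ -\d+\] ')
FIXED = re.compile(r'^(\d+.\d+.\d+.\d+) \S+ \S+ \[\S+ \S\d+\] ')

# Constructed sample lines (not from the original post): one host east of
# Greenwich (+0100) and one in the Americas (-0500).
SAMPLES = [
    '10.0.0.1 - - [24/Jan/2007:15:25:29 +0100] "GET /ossec/ HTTP/1.1" '
    '200 18595 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [24/Jan/2007:09:25:29 -0500] "GET /ossec/ HTTP/1.1" '
    '200 18595 "-" "Mozilla/5.0"',
]


def decoder_matches(pattern, line):
    """Return the captured client address if the decoder prefix matches, else None."""
    m = pattern.match(line)
    return m.group(1) if m else None


def decoded_by(pattern, lines):
    """Client addresses of every line the given decoder pattern would decode."""
    found = []
    for line in lines:
        ip = decoder_matches(pattern, line)
        if ip is not None:
            found.append(ip)
    return found


def undecoded_lines(pattern, lines):
    """Lines the decoder silently drops: no rule (e.g. web_rules.xml) ever sees them."""
    return [line for line in lines if decoder_matches(pattern, line) is None]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "decodes:", decoded_by(pattern, SAMPLES))
        print(name, "drops:", undecoded_lines(pattern, SAMPLES))
```

Run the same check over a real access log before and after editing decoder.xml to confirm that no line in your own timezone is being dropped.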