Hi There,

Just fine-tuning OSSEC and need a bit of help understanding why a
particular rule fired to trigger Active Response.

Turns out that we like Peter's idea of just firing Active Response
based on the rules we set.
At least this way we know which rules are being matched to trigger Active
Response.

----------
Step 1.
----------

I have done it like this in the ossec.conf file to match the rules I
want to enable Active Response on.

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every matching rule.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
    <timeout>600</timeout>
  </active-response>

----------
Step 2.
----------

"tail -f active-responses.log" to make sure it was just matching the
rules we specified (which it was).

Mon Oct  8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/host-deny.sh add - 58.168.238.226 1191811630.2518074 31104
Mon Oct  8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 58.168.238.226 1191811630.2518074 31104

I see IP address 58.168.238.226 has matched one of the rules (31104)
and is now being blocked.

----------
Step 3.
----------

I then check alerts.log to see why rule 31104 was triggered and I
can't work out why.
It doesn't seem to match any of the <url> tags, and this is where I'm a
bit lost.

--------------------
web_rules.xml
--------------------

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory transversal, simple sql injections,
      -  or access to the etc or bin directory (unix). -->
    <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
    <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
    <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
    <url>cat%|exec%|rm%20</url>
    <description>Common web attack.</description>
    <info>http://www.armbrustconsulting.com/LogEntries.html</info>
    <group>attack,</group>
  </rule>

--------------
alerts.log
--------------

Src IP: 58.168.238.226
User: (none)
58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

** Alert 1191811530.2512070: - web,accesslog,
2007 Oct 08 12:45:30 plesk2->/etc/httpd/logs/access_log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 58.168.238.226
User: (none)
58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Src IP: 58.168.238.226
User: (none)
58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

** Alert 1191811630.2518074: mail  - web,accesslog,attack,
2007 Oct 08 12:47:10 plesk2->/etc/httpd/logs/access_log
Rule: 31104 (level 6) -> 'Common web attack.'
Src IP: 58.168.238.226
User: (none)
58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

--------------------

Can someone please explain to me why rule 31104 was triggered?

--------------------

Thank you in advance.


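Added example (not from the original post, and not OSSEC's own matching code): a small Python script that models how a <url> value is evaluated, splitting it on "|" the way OSSEC treats "|" as OR inside a rule field and then testing each alternative as a plain substring. The substring model is an assumption; OSSEC's real match syntax also has anchors and escapes, so confirm any conclusion with ossec-logtest against the same access_log line. Run over the patterns exactly as posted, the script shows that the benign request /uniform%20price%20list.doc contains the token rm%20 (the tail of "uniform" followed by the URL-encoded space), so the alternative intended to catch "rm " fires on it. It also makes visible that the second and third posted <url> values end in a stray "|", leaving an empty alternative, which under a substring model is found in every URL. The access_log lines in the script are constructed; the second is a made-up cmd.exe probe included for contrast.

```python
import re

# Constructed sample access_log lines: the first mirrors the request from the
# post, the second is a made-up classic IIS/cmd.exe probe for contrast.
ACCESS_LOG_LINES = [
    '58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" '
    '404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [08/Oct/2007:12:50:00 +1000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" '
    '404 0 "-" "-"',
]

# The four <url> values of rule 31104 exactly as posted, including the
# trailing "|" on the second and third values.
RULE_31104_URL_PATTERNS = [
    "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|..",
    "cmd.exe|root.exe|_mem_bin|msadc|/winnt/|",
    "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|",
    "cat%|exec%|rm%20",
]

# Request line inside an Apache combined-format entry: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d"')


def extract_url(log_line):
    """Pull the request URL out of one combined-format access_log line."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        raise ValueError("no HTTP request line found: %r" % log_line)
    return m.group("url")


def split_alternatives(patterns):
    """Split every <url> value on '|' (OSSEC's OR separator) into one flat
    list, keeping empty alternatives so a stray trailing '|' stays visible."""
    alts = []
    for pattern in patterns:
        alts.extend(pattern.split("|"))
    return alts


def matching_alternatives(url, patterns, drop_empty=False):
    """Return every alternative found in `url`, in rule order.

    Assumption (a simplified model, not OSSEC's matcher): each alternative
    is a plain substring test.  Under that model the empty alternative ''
    is found in every URL, which is why drop_empty=True is offered so the
    two causes (empty alternative vs. a real token hit) can be told apart.
    """
    alts = split_alternatives(patterns)
    if drop_empty:
        alts = [a for a in alts if a]
    return [a for a in alts if a in url]


def triage(log_lines, patterns):
    """Map each request URL to the alternatives that hit it, so a false
    positive can be traced to the exact token in the rule."""
    report = {}
    for line in log_lines:
        url = extract_url(line)
        report[url] = matching_alternatives(url, patterns)
    return report


if __name__ == "__main__":
    for url, hits in triage(ACCESS_LOG_LINES, RULE_31104_URL_PATTERNS).items():
        print("%-55s -> %r" % (url, hits))
```

The report for the benign URL lists two empty strings (one per stray "|") and rm%20; with drop_empty=True only rm%20 remains, while the cmd.exe probe still hits "..", "cmd.exe" and "/winnt/". Paste the same access_log line into ossec-logtest to see whether the installed engine agrees before changing the rule.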