Hello,

in seeking a solution to defend Drupal (an open source web based content management system) against brute force login attacks I realized that the latest version of Drupal (Drupal 6) can write to syslog. This made for perfect integration with OSSEC. I wrote the following custom decoder, which I've tested on OSSEC 2.2 and 2.3:

  <!-- Drupal decoder. By Justin C. Klein Keane
       Drupal 6 must be configured with Syslog module enabled
       Sample:
       Jun 16 11:45:29 webtest drupal: 172.16.46.129 http://172.16.46.129/drupal-6.16|1276703129|user|172.16.46.1|http://172.16.46.129/drupal-6.16/node?destination=node||0||Login attempt failed for admin.
       The prematch consumes "<server ip> <base_url>|<timestamp>|<type>|"; the regex then reads
       "<client ip>|<request_uri>|<referer>|<uid>|<link>|<message>" and keeps ip, request_uri and message.
  -->
  <decoder name="drupal">
    <program_name>^drupal</program_name>
    <prematch>\d+.\d+.\d+.\d+ \S+|\d+|\w+|</prematch>
    <regex offset="after_prematch">(\d+.\d+.\d+.\d+)\|(\.+)\|\.*\|\d+\|\.*\|(\.+)</regex>
    <order>srcip,url,data</order>
  </decoder>

Also, I've written a few basic rules that also seem to work:

  <!-- DRUPAL RULES (use custom drupal decoder) -->
  <!-- Place these rules inside a <group> element in local_rules.xml -->
  <rule id="104110" level="3">
    <decoded_as>drupal</decoded_as>
    <match>Drupal</match>
    <description>Drupal syslog message</description>
  </rule>

  <rule id="104120" level="6">
    <if_sid>104110,1002</if_sid>
    <match>Login attempt failed</match>
    <description>Drupal failed login!</description>
  </rule>

  <rule id="104225" level="11">
    <if_sid>104120</if_sid>
    <!-- Note "admin" should be changed to whatever your uid 1 account is -->
    <match>Login attempt failed for admin.</match>
    <description>Drupal failed attempt to log in as admin!</description>
  </rule>

  <!-- Fires when rule 104120 has matched 4 times within 360 seconds (from any source) -->
  <rule id="104130" level="10" frequency="4" timeframe="360">
    <if_matched_sid>104120</if_matched_sid>
    <description>Possible Drupal brute force attack </description>
    <description>(high number of logins).</description>
  </rule>

  <rule id="104140" level="10">
    <if_sid>104110</if_sid>
    <match>Illegal choice</match>
    <description>Drupal possible input injection (XSS/XSRF) attack!</description>
  </rule>

  <rule id="104150" level="7">
    <if_sid>104110,1002</if_sid>
    <match>Access denied</match>
    <description>Drupal access denied error (permissions rejected).</description>
  </rule>

  <rule id="104160" level="10">
    <if_sid>104150</if_sid>
    <match>admin/</match>
    <description>Drupal access denied to admin screen.</description>
  </rule>

If folks find any use for these and would like to test them out I'd be interested in any feedback you could provide.

Thanks,

--
Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania School of Arts and Sciences

The digital signature on this e-mail can be confirmed using the public key at https://www.sas.upenn.edu/computing/user/3.
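To see what the decoder extracts and how the rule tree fires over a burst of failed logins, here is an added Python replay of the decoder and rules above (my own example, not code from the post or from OSSEC). The sample lines are constructed in the Drupal 6 syslog field order shown in the decoder comment, and the frequency handling is an approximation of OSSEC's counter rather than its exact implementation.

```python
import re
from collections import deque
# Python re equivalent of the decoder above: skip "<server ip> <base_url>|<timestamp>|<type>|", then read
# "<client ip>|<request_uri>|<referer>|<uid>|<link>|<message>" as srcip, url, data (plus the timestamp).
DRUPAL_RE = re.compile(
    r"drupal: \d+\.\d+\.\d+\.\d+ \S+\|(?P<ts>\d+)\|\w+\|"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<url>[^|]+)\|[^|]*\|\d+\|[^|]*\|(?P<data>.+)$")
def decode(line):
    """Fields the decoder would extract, or None when the line does not decode as Drupal."""
    m = DRUPAL_RE.search(line)
    return {"ts": int(m["ts"]), "srcip": m["srcip"], "url": m["url"], "data": m["data"]} if m else None

def classify(line, admin_account="admin"):
    """(rule id, level) of the most specific matching rule; OSSEC <match> is case-insensitive."""
    low = line.lower()
    if "login attempt failed" in low:   # 104120 and its child 104225
        return (104225, 11) if f"login attempt failed for {admin_account}." in low else (104120, 6)
    if "access denied" in low:          # 104150 and its child 104160
        return (104160, 10) if "admin/" in low else (104150, 7)
    return (104140, 10) if "illegal choice" in low else (104110, 3)   # 104140, else plain 104110

def run_rules(lines, frequency=4, timeframe=360, admin_account="admin"):
    """Replay decoder and rules over log lines -> [(rule id, level, srcip), ...]."""
    alerts, failed = [], deque()   # failure timestamps from all sources: 104130 has no <same_source_ip />
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        rule_id, level = classify(line, admin_account)
        alerts.append((rule_id, level, fields["srcip"]))
        if rule_id in (104120, 104225):
            failed.append(fields["ts"])
            while fields["ts"] - failed[0] > timeframe:   # drop failures outside the window
                failed.popleft()
            if len(failed) >= frequency:   # approximates OSSEC's frequency counter
                alerts.append((104130, 10, fields["srcip"]))
                failed.clear()
    return alerts

# Constructed sample lines in the Drupal 6 syslog module field order.
SITE = "http://172.16.46.129/drupal-6.16"
def _line(ts, kind, ip, path, msg):
    return f"Jun 16 11:45:29 webtest drupal: 172.16.46.129 {SITE}|{ts}|{kind}|{ip}|{SITE}{path}||0||{msg}"
SAMPLE_LOGS = [
    _line(1276703129, "user", "172.16.46.1", "/node?destination=node", "Login attempt failed for admin."),
    _line(1276703140, "user", "172.16.46.1", "/node?destination=node", "Login attempt failed for bob."),
    _line(1276703150, "user", "172.16.46.2", "/node?destination=node", "Login attempt failed for bob."),
    _line(1276703160, "user", "172.16.46.1", "/node?destination=node", "Login attempt failed for carol."),
    _line(1276703170, "user", "172.16.46.3", "/user/login", "Session opened for bob."),
    _line(1276703180, "access denied", "172.16.46.1", "/admin/user/user", "admin/user/user"),
]
```

Lines whose Drupal type contains a space (the constructed "access denied" sample) do not pass the prematch's `\w+` type field, so decode() returns None for them just as the decoder would, leaving rule 104150 to fire only via the generic rule 1002 listed in its if_sid. Rule 104130 counts failures from every source; add `<same_source_ip />` to it if the threshold should apply per attacking address.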
