Just so this does not get lost in the mailing list I have created a wiki page
from your email at: <http://www.ossec.net/wiki/Drupal>. If you have any
updates you can edit the page and/or email this list.
I have also created an issue in my personal issue list so that I can
follow up on the integration:
<http://bitbucket.org/jrossi/ossec-hids-patches/issue/7/drupal-decoder-and-rules-intagration>
(This is not an OSSEC bug tracker, just something I use to remember things.)
Thanks for the rules btw ;) Installing Drupal to test them out.
--
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi
--On June 18, 2010 3:32:50 PM -0400 "Justin C. Klein Keane"
<[email protected]> wrote:
Hello,
In seeking a solution to defend Drupal (an open source web based
content management system) against brute force login attacks I realized
that the latest version of Drupal (Drupal 6) can write to syslog. This
made for perfect integration with OSSEC. I wrote the following custom
decoder, which I've tested on OSSEC 2.2 and 2.3:
<!-- Drupal decoder.
By Justin C. Klein Keane
Drupal 6 must be configured with Syslog module enabled
Sample:
Jun 16 11:45:29 webtest drupal: 172.16.46.129 http://172.16.46.129/drupal-6.16|1276703129|user|172.16.46.1|http://172.16.46.129/drupal-6.16/node?destination=node||0||Login attempt failed for admin.
Field layout of the Drupal 6 syslog message:
base_url|timestamp|type|ip|request_uri|referer|uid|link|message
-->
<decoder name="drupal">
<program_name>^drupal</program_name>
<!-- Literal pipes must be escaped as \| (a bare | is OR in OSSEC regex);
the prematch consumes base_url|timestamp|type| so the regex below starts
at the client ip field -->
<prematch>\d+.\d+.\d+.\d+ \S+\|\d+\|\w+\|</prematch>
<!-- ip|request_uri|referer|uid|link|message -->
<regex offset="after_prematch">(\d+.\d+.\d+.\d+)\|(\.+)\|\.*\|\d+\|\.*\|(\.+)</regex>
<order>srcip,url,data</order>
</decoder>
Also, I've written a few basic rules that also seem to work:
<!--
DRUPAL RULES
(use custom drupal decoder)
-->
<rule id="104110" level="3">
<decoded_as>drupal</decoded_as>
<!-- decoded_as already selects every line the drupal decoder handled; a
<match> on the word "Drupal" is not needed and would miss sites whose
log text does not contain it (the sample only does via /drupal-6.16) -->
<description>Drupal syslog message</description>
</rule>
<rule id="104120" level="6">
<if_sid>104110,1002</if_sid>
<match>Login attempt failed</match>
<description>Drupal failed login!</description>
</rule>
<rule id="104225" level="11">
<if_sid>104120</if_sid>
<!-- Note "admin" should be changed to whatever your uid 1 account is -->
<match>Login attempt failed for admin.</match>
<description>Drupal failed attempt to log in as admin!</description>
</rule>
<rule id="104130" level="10" frequency="4" timeframe="360">
<if_matched_sid>104120</if_matched_sid>
<!-- a rule takes a single description element -->
<description>Possible Drupal brute force attack (high number of logins).</description>
</rule>
<rule id="104140" level="10">
<if_sid>104110</if_sid>
<match>Illegal choice</match>
<description>Drupal possible input injection (XSS/XSRF) attack!</description>
</rule>
<rule id="104150" level="7">
<if_sid>104110,1002</if_sid>
<match>Access denied</match>
<description>Drupal access denied error (permissions rejected).</description>
</rule>
<rule id="104160" level="10">
<if_sid>104150</if_sid>
<match>admin/</match>
<description>Drupal access denied to admin screen.</description>
</rule>
If folks find any use for these and would like to test them out, I'd be
interested in any feedback you could provide. Thanks,
--
Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
The digital signature on this e-mail can be confirmed using the public
key at https://www.sas.upenn.edu/computing/user/3.
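As an added example (not part of either email, and not OSSEC code), the following Python script applies the same Drupal 6 field layout the decoder above relies on and replays the threshold logic of rule 104130 over constructed sample lines, so the field extraction and the burst detection can be checked offline before the decoder is loaded into OSSEC. The sample lines, the `drupal_line` helper and the leading token before base_url are assumptions taken from the sample line quoted in the post.

```python
import re
from collections import defaultdict, deque
# Drupal 6 syslog message layout (the sample above follows it):
# base_url|timestamp|type|ip|request_uri|referer|uid|link|message
# The leading "\S+ " token before base_url is copied from that sample.
DRUPAL_RE = re.compile(
    r"drupal: \S+ (?P<base_url>\S+)\|(?P<ts>\d+)\|(?P<type>\w+)\|"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<url>[^|]*)\|(?P<referer>[^|]*)\|"
    r"(?P<uid>\d+)\|(?P<link>[^|]*)\|(?P<data>.*)$"
)

def drupal_line(ts, srcip, message):
    """Constructed syslog line in the shape of the sample quoted above."""
    base = "http://172.16.46.129/drupal-6.16"
    return (f"Jun 16 11:45:29 webtest drupal: 172.16.46.129 {base}|{ts}|user|"
            f"{srcip}|{base}/node?destination=node||0||{message}")

# Constructed input: a four-attempt burst, a straggler outside the window,
# one failure from a second host, and a non-login message.
T0 = 1276703129
SAMPLE_LOGS = [drupal_line(T0 + d, "172.16.46.1", "Login attempt failed for admin.")
               for d in (0, 40, 95, 200, 900)]
SAMPLE_LOGS += [drupal_line(T0 + 50, "10.0.0.5", "Login attempt failed for bob."),
                drupal_line(T0 + 60, "10.0.0.5", "Access denied for admin/")]

def decode(line):
    """Return the fields of a Drupal line (srcip, url, data as in the decoder), or None."""
    m = DRUPAL_RE.search(line)
    return m.groupdict() if m else None

def failed_login_bursts(lines, threshold=4, window=360):
    """Approximate rule 104130 offline: alert when one source IP produces
    `threshold` failed logins within `window` seconds, then reset its count."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None or not ev["data"].startswith("Login attempt failed"):
            continue
        ts = int(ev["ts"])              # Drupal's own timestamp field
        q = recent[ev["srcip"]]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["srcip"], ts))
            q.clear()
    return alerts

if __name__ == "__main__":
    for srcip, ts in failed_login_bursts(SAMPLE_LOGS):
        print(f"possible Drupal brute force from {srcip} (drupal timestamp {ts})")
```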