On Sun, Jul 4, 2010 at 10:50 AM, Janiko <[email protected]> wrote:
> Hi,
>
> I'm using ossec, I never had to add a custom rule until now, so I need
> help from the community.
>
> I (and I guess I'm not alone...) need to block a specific kind of http
> request, that looks like this:
>
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
>
> In fact, the only specific thing about this kind of request (except
> flooding servers) is the referrer "Casper Bot Search". So what could
> be the rule to stop that (I only know that this rule should be added
> in local_rules.xml).
>
> Thank you in advance for your help!
>
> - Janiko
>

-------Before the rule is added---------
# ./ossec-logtest
2010/07/04 15:31:30 ossec-testrule: INFO: Started (pid: 7691).
ossec-testrule: Type one log per line.

87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
/blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"


**Phase 1: Completed pre-decoding.
       full event: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400]
"POST /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"'
       hostname: 'ix'
       program_name: '(null)'
       log: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
/blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '87.229.22.22'
       url: '/blog-perso%20%20/contact.php'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.


------rule-------
  <rule id="500001" level="10">
    <if_sid>31101</if_sid>
    <match>Casper Bot Search</match>
    <description>Casper badness</description>
  </rule>

------after adding the rule------
# ./ossec-logtest
2010/07/04 15:34:33 ossec-testrule: INFO: Started (pid: 12157).
ossec-testrule: Type one log per line.

87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
/blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"


**Phase 1: Completed pre-decoding.
       full event: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400]
"POST /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"'
       hostname: 'ix'
       program_name: '(null)'
       log: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
/blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
Search"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '87.229.22.22'
       url: '/blog-perso%20%20/contact.php'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '500001'
       Level: '10'
       Description: 'Casper badness'
**Alert to be generated.


You may have to adjust the rule a bit. To do the blocking, add an
active response that blocks the srcip returned by this rule.
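As an added example (not part of the reply above), the active-response pairing that the reply describes, to be placed in ossec.conf: it assumes rule 500001 from the local_rules.xml snippet above and OSSEC's stock firewall-drop command definition, which expects a srcip from the triggering rule.

```xml
<ossec_config>
  <!-- Stock OSSEC command definition; shown here so the pairing is complete.
       It runs active-response/bin/firewall-drop.sh with the srcip the rule
       returned and can be undone after a timeout. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire only for the custom rule 500001 ("Casper badness") and block the
       offending srcip on the host that saw the log (location local).
       timeout is in seconds: the block is lifted after 10 minutes, which
       limits the damage if the rule ever matches a legitimate client. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>500001</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Re-run ./ossec-logtest with the sample line after adding this: Phase 3 should still show rule 500001, and the active response is then triggered by ossec-analysisd for the srcip field decoded in Phase 2.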
