Hi...

Sorry for the delay...

First of all, thank you for your help. But there must be something I don't
understand: I've added a rule that works with ossec-logtest, but I
can't see any alerts in the ossec logs. What's wrong?

For information, when using ossec-logtest, I got the message:

**Phase 3: Completed filtering (rules).
       Rule id: '500001'
       Level: '10'
       Description: 'Casper badness'
**Alert to be generated.

But nothing in the logs, and no active response (though I guess that a
level-10 alert should fire the host-deny response). Again, thank you
for your help!

On 4 Jul, 21:36, "dan (ddp)" <[email protected]> wrote:
> On Sun, Jul 4, 2010 at 10:50 AM, Janiko <[email protected]> wrote:
> > Hi,
>
> > I'm using ossec, I never had to add a custom rule until now, so I need
> > help from the community.
>
> > I (and I guess I'm not alone...) need to block a specific kind of http
> > request, that looks like this:
>
> > 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> > contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> > 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> > contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> > 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> > contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
> > 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/
> > contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search"
>
> > In fact, the only specific thing about this kind of request (except
> > flooding servers) is the referrer "Casper Bot Search". So what could
> > be the rule to stop that? (I only know that this rule should be added
> > in local_rules.xml.)
>
> > Thank you in advance for your help!
>
> > - Janiko
>
> -------Before the rule is added---------
> # ./ossec-logtest
> 2010/07/04 15:31:30 ossec-testrule: INFO: Started (pid: 7691).
> ossec-testrule: Type one log per line.
>
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
> /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"
>
> **Phase 1: Completed pre-decoding.
>        full event: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400]
> "POST /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
> /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: '87.229.22.22'
>        url: '/blog-perso%20%20/contact.php'
>        id: '404'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31101'
>        Level: '5'
>        Description: 'Web server 400 error code.'
> **Alert to be generated.
>
> ------rule-------
>   <rule id="500001" level="10">
>     <if_sid>31101</if_sid>
>     <match>Casper Bot Search</match>
>     <description>Casper badness</description>
>   </rule>
>
> ------after adding the rule------
> # ./ossec-logtest
> 2010/07/04 15:34:33 ossec-testrule: INFO: Started (pid: 12157).
> ossec-testrule: Type one log per line.
>
> 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
> /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"
>
> **Phase 1: Completed pre-decoding.
>        full event: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400]
> "POST /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST
> /blog-perso%20%20/contact.php HTTP/1.1" 404 1449 "-" "Casper Bot
> Search"'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: '87.229.22.22'
>        url: '/blog-perso%20%20/contact.php'
>        id: '404'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '500001'
>        Level: '10'
>        Description: 'Casper badness'
> **Alert to be generated.
>
> You may have to adjust the rule a bit. To do the blocking, add an
> active response that blocks the srcip returned by this rule.
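The active-response binding that dan's last sentence refers to, as an added example that is not part of the thread. It assumes the rule id 500001 from the thread and the host-deny command definition shipped in the default ossec.conf; file paths are the standard OSSEC install locations.

```xml
<!-- /var/ossec/rules/local_rules.xml: the rule from the thread, placed in
     the local group so ossec-analysisd loads it. Rule files are read only
     at start-up, so a rule that matches in ossec-logtest but raises no
     alert needs a restart: /var/ossec/bin/ossec-control restart -->
<group name="local,">
  <rule id="500001" level="10">
    <if_sid>31101</if_sid>
    <match>Casper Bot Search</match>
    <description>Casper badness</description>
  </rule>
</group>

<!-- /var/ossec/ossec.conf: bind the host-deny command to that rule id.
     The <command> block is the one shipped in the default ossec.conf
     (assumed unchanged); only the <active-response> block is added. -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>          <!-- the decoded srcip is passed to the script -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <location>local</location>      <!-- run on the agent/server that saw the log -->
    <rules_id>500001</rules_id>     <!-- fire on this rule only, not on every level-10 alert -->
    <timeout>600</timeout>          <!-- seconds; the srcip is removed from hosts.deny afterwards -->
  </active-response>
</ossec_config>
```

After the restart, the alert appears in /var/ossec/logs/alerts/alerts.log and each block is recorded in /var/ossec/logs/active-responses.log.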
