Is your active response configuration also on the server? If it isn't,
copy it to the server's ossec.conf, restart, and try again.

On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover <[email protected]> wrote:
> Hi Friends,
>
> I have installed Ossec 2.5.1 on a Centos 5.x machine and an agent (2.5.1) on
> Windows XP where IIS is running. From another test machine (linux) I tried
> to wget some false files from the IIS server, which resulted in 404 errors on the IIS
> server. I do get email alerts showing that there are 400 error
> codes, but the offending IP address is not getting blocked, as I am able to
> download the correct files from the IIS server at the same time.
>
>
> Do let me know why the offending IP address is not getting blocked, and also
> if you need any further information.
>
> route print from the Windows Agent
>
> 172.16.4.134  255.255.255.255     172.16.4.184    172.16.4.184       1
>
> Ossec.conf on the Windows Agent
> <localfile>
>     <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
>     <log_format>iis</log_format>
> </localfile>
>
>
> <command>
>     <name>win_nullroute</name>
>     <executable>route-null.cmd</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>     <command>win_nullroute</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
> </active-response>
>
> <active-response>
>     <disabled>no</disabled>
> </active-response>
>
> Logs of Default Web Site of IIS
>
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 174 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=NOLNENIBCCNAIBLOJGLKMMIC -
> 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=OOLNENIBDCHEEGJBHLMFHOMP -
> 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=POLNENIBAEDGCAPDJNEJEMPH -
> 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=APLNENIBGJHMCKBAEBKOKALI -
> 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:55 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200
>
>
> Logs from Ossec Server
>
> ** Alert 1292584981.362616: mail  - web,accesslog,web_scan,recon,
> 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
> Src IP: 172.16.2.63
> User: (none)
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
>
> ** Alert 1292584981.364809: - web,accesslog,
> 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 172.16.2.63
> User: (none)
> 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
>
> Regards
>
> Ankush
>
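Added example, not part of the thread or of OSSEC itself: a small parser for the IIS log lines quoted above and a sliding-window count of 4xx responses per source IP, which is the kind of correlation rule 31151 performs before the `srcip` is handed to a command like `win_nullroute`. The field order is assumed from the lines shown (the IIS `#Fields:` header is not on the page), the sample log is constructed, and the threshold and window are illustrative rather than OSSEC's actual rule settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed IIS 6 W3C field order matching the 21-column lines in the thread.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
          "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query",
          "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
          "cs-version", "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)"]

def parse_iis_line(line):
    """Turn one W3C log entry into a dict; None for '#' comments or truncated lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["sc-status"] = int(rec["sc-status"])
    return rec

def find_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Return source IPs with >= threshold 4xx responses inside a sliding window.
    threshold/window are illustrative, not the values of OSSEC rule 31151."""
    recent = defaultdict(deque)   # srcip -> timestamps of its recent 4xx hits
    flagged = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not 400 <= rec["sc-status"] < 500:
            continue
        hits = recent[rec["c-ip"]]
        hits.append(rec["ts"])
        while hits and rec["ts"] - hits[0] > window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= threshold and rec["c-ip"] not in flagged:
            flagged.append(rec["c-ip"])   # the value an <expect>srcip</expect> command gets
    return flagged

def _entry(t, ip, method, uri, status, w32, sbytes, cbytes):
    # Constructed entry in the same layout as the thread's log lines.
    return (f"2010-12-17 {t} {ip} - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 {method} {uri} - "
            f"{status} {w32} {sbytes} {cbytes} 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -")

SAMPLE_LOG = (  # constructed: 12 quick 404s from one host, then normal traffic
    [_entry("11:34:43", "172.16.2.63", "HEAD", "/test/test/test.html", 404, 3, 144, 139)] * 7
    + [_entry("11:34:45", "172.16.2.63", "HEAD", "/test/test/test.html", 404, 3, 144, 139)] * 5
    + [_entry("11:34:50", "172.16.2.63", "HEAD", "/iisstart.asp", 200, 0, 269, 120)]
    + [_entry("11:36:10", "172.16.2.99", "GET", "/missing.html", 404, 3, 144, 139)]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The host that only produced a single 404 is not flagged, which is the same distinction the level-5 rule 31101 (one 400 error) versus the level-10 rule 31151 (many from one source) makes in the alerts above.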