> > server. I do get email alerts where it is showing there are 400 error
> > codes, but the offending IP address is not getting blocked, as I am able to get
> > the correct files downloaded from the IIS server at the same time.
>
> Which rule are you getting emails for?
> 31101? This one is only level 5 and won't trigger your AR.
>
> I'm guessing 31151 should trigger it though.
>
> Does route-null.cmd log its activity anywhere? Did you check that log?
> I guess it's possible that the srcip isn't getting passed along from
> the 31151 rule.
route-null.cmd is supposed to log its activity at active-response/active-responses.log. However, I do not see any logs over there. On the server I can see the logs under /var/ossec/logs/alerts/alerts.log. What is wrong, the agent or the server configuration?

** Alert 1293195385.116304: mail - web,accesslog,web_scan,recon,
2010 Dec 24 18:26:25 (windowsxp2) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101224.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 172.16.2.63
User: (none)
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

> > Do let me know why the offending IP address is not getting blocked and
> > also, if you need any further information.
> >
> > route print from the Windows Agent
> >
> > 172.16.4.134 255.255.255.255 172.16.4.184 172.16.4.184 1
> >
> > Ossec.conf on the Windows Agent
> >
> > <localfile>
> >   <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
> >   <log_format>iis</log_format>
> > </localfile>
> >
> > <command>
> >   <name>win_nullroute</name>
> >   <executable>route-null.cmd</executable>
> >   <expect>srcip</expect>
> >   <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>win_nullroute</command>
> >   <location>local</location>
> >   <level>6</level>
> >   <timeout>600</timeout>
> > </active-response>
> >
> > <active-response>
> >   <disabled>no</disabled>
> > </active-response>
