On Fri, Dec 24, 2010 at 8:20 AM, Ankush Grover <[email protected]> wrote:
>> > server. I do get email alerts where it is showing there are 400 error
>> > codes, but the offending IP address is not getting blocked, as I am able
>> > to get the correct files downloaded from the IIS server at the same time.
>> >
>>
>> Which rule are you getting emails for?
>> 31101? This one is only level 5 and won't trigger your AR.
>>
>> I'm guessing 31151 should trigger it though.
>>
>> Does route-null.cmd log its activity anywhere? Did you check that log?
>> I guess it's possible that the srcip isn't getting passed along from
>> the 31151 rule.
>
> route-null.cmd is supposed to log the activity at
> active-response/active-responses.log. However, I do not see any logs over
> there. On the server I can see the logs under
> /var/ossec/logs/alerts/alerts.log
>
> What is wrong, agent or server configuration?
>
> ** Alert 1293195385.116304: mail - web,accesslog,web_scan,recon,
> 2010 Dec 24 18:26:25 (windowsxp2)
> 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101224.log
> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same
> source ip.'
> Src IP: 172.16.2.63
> User: (none)
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
> 2010-12-24 13:08:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80
> HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184
> Wget/1.10.2+(Red+Hat+modified) - -
>
>
>> > Do let me know why the offending IP address is not getting blocked and
>> > also if you need any further information.
>> >
>> > route print from the Windows Agent
>> >
>> > 172.16.4.134 255.255.255.255 172.16.4.184 172.16.4.184 1
>> >
>> > Ossec.conf on the Windows Agent
>> > <localfile>
>> > <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
>> > <log_format>iis</log_format>
>> > </localfile>
>> >
>> >
>> > <command>
>> > <name>win_nullroute</name>
>> > <executable>route-null.cmd</executable>
>> > <expect>srcip</expect>
>> > <timeout_allowed>yes</timeout_allowed>
>> > </command>
>> >
>> > <active-response>
>> > <command>win_nullroute</command>
>> > <location>local</location>
>> > <level>6</level>
>> > <timeout>600</timeout>
>> > </active-response>
>> >
>> > <active-response>
>> > <disabled>no</disabled>
>> > </active-response>
>> >
>> >
>> >
>
Try setting up an active response just for rule id 31151. See if that works.
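What the suggestion above looks like in ossec.conf, as an added example that is not part of the thread. It reuses the command name, executable and timeout the original poster showed, and adds `<rules_id>` so the response is bound to rule 31151 only, rather than to every alert of level 6 and above; the second block is the poster's level-based version for comparison and would normally not be kept alongside the first.

```xml
<ossec_config>
  <!-- Command definition: the script is run with the source IP of the
       alert as its argument ("expect srcip"). Name, executable and
       timeout_allowed are the ones from the original post. -->
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Corrected binding: fire win_nullroute only when rule 31151
       ("Multiple web server 400 error codes from same source ip")
       fires, on the agent that produced the alert, and undo the
       null route after 600 seconds. -->
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Original level-based binding from the post, shown for comparison.
       <level>6</level> means "any alert of level 6 or higher", so it
       also catches unrelated rules; it is not rule-specific. -->
  <!--
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  -->
</ossec_config>
```

In OSSEC the `<command>` and `<active-response>` blocks are read from the manager's ossec.conf, and the manager then tells the agent which script to run; the agent's own ossec.conf only needs `<active-response><disabled>no</disabled></active-response>` plus the script under its active-response/bin directory. After restarting the manager, the execution should show up in the agent's active-response/active-responses.log, which is the log the poster reported as empty.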
