> > Try setting up an active response just for rule id 31151. See if that
> > works.
31151 is working fine for a Linux server or agent, but not for a Windows agent.

OSSEC HIDS Notification.
2010 Dec 30 14:45:15

Received From: (linux1) 172.16.2.63->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

Linux Agent Logs:

172.17.2.68 - - [30/Dec/2010:14:52:59 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:59 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:58 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:58 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:58 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:58 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:58 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:57 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:57 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:57 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"
172.17.2.68 - - [30/Dec/2010:14:52:57 +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"

Windows Agent Log:

Received From: (windowsxp2) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101230.log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

2010-12-30 09:15:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

Active response log file on the Windows agent (C:\Program Files\ossec-agent\active-response\active-responses.log):

12/29/2010 02:57 "active-response/bin/route-null.cmd" add "-" "172.16.2.63" "1293614054.95420 31151 (windowsxp2) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101229.log"
12/30/2010 02:47 "active-response/bin/route-null.cmd" add "-" "172.16.2.63" "1293699885.76268 31151 (windowsxp2) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101230.log"
12/30/2010 03:00 "active-response/bin/route-null.cmd" delete "-" "172.16.2.63" "1293699885.76268 31151 (windowsxp2) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101230.log"
2010-12-30 09:15:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

What can be wrong on the Windows side that the 31151 rule is not working?

One thing that is different between the Linux and Windows logs is that in the Linux logs the 'Source IP Address' comes first, whereas in Windows it comes in the 3rd column.

Regards
Ankush
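The post compares an Apache access_log excerpt with an IIS W3C excerpt and notes that the client IP sits in a different column in each. The detector below is an added example, not code from the thread or from OSSEC: it feeds both formats through one per-source-IP 4xx-burst check of the kind rule 31151 describes ("multiple web server 400 error codes from same source ip"). Assumptions, labelled in the code as well: the IIS column order is taken from a constructed `#Fields:` directive laid out to match the 21 columns of the posted lines (so the third column is `c-ip` and the seventh is `s-ip`); W3C timestamps are treated as UTC; the sample log lines are constructed after the posted ones and are in chronological order; and the threshold and window are illustrative parameters, not the values from OSSEC's web_rules.xml.

```python
"""Per-source-IP 4xx burst detection over Apache and IIS W3C access logs.

Added example (not OSSEC code): it re-implements the idea behind rule 31151,
"multiple web server 400 error codes from same source ip", so the Apache and
IIS lines quoted in the thread can be fed through the same detector.
THRESHOLD/WINDOW are illustrative, not the values from OSSEC's web_rules.xml.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined format: the client IP is the first field.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})'
)


def parse_apache(line):
    """Return {'ip', 'ts', 'status'} for an Apache access_log line, else None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


class IISW3CParser:
    """Stateful parser for IIS W3C extended logs.

    Column order is declared by the file's '#Fields:' directive, so the client
    IP (c-ip) is looked up by name, never by a fixed position. Spaces inside
    values (e.g. the User-Agent) are written as '+', so a plain split() is safe.
    """

    def __init__(self):
        self.fields = None

    def parse(self, line):
        if line.startswith("#Fields:"):
            self.fields = line.split()[1:]
            return None
        if line.startswith("#") or not line.strip() or self.fields is None:
            return None
        values = line.split()
        if len(values) != len(self.fields):
            return None  # malformed or truncated line
        rec = dict(zip(self.fields, values))
        # Assumption: W3C log timestamps are UTC.
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        return {"ip": rec["c-ip"], "ts": ts.replace(tzinfo=timezone.utc),
                "status": int(rec["sc-status"])}


def detect_4xx_bursts(events, threshold, window_seconds):
    """Return [(ip, count, first_ts, last_ts)] for each source IP the first
    time it reaches `threshold` 4xx responses inside `window_seconds`.
    Sliding window per IP; events must arrive in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    fired, hits = set(), []
    for ev in events:
        if ev is None or not 400 <= ev["status"] <= 499:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in fired:
            fired.add(ev["ip"])
            hits.append((ev["ip"], len(q), q[0], q[-1]))
    return hits


# Constructed sample input modelled on the lines quoted in the thread,
# oldest first (the thread's excerpts list newest first).
APACHE_SAMPLE = [
    f'172.17.2.68 - - [30/Dec/2010:14:52:5{s} +0530] "HEAD /testingfor/testing.html HTTP/1.0" 404 - "-" "Wget/1.10.2 (Red Hat modified)"'
    for s in (7, 7, 7, 8, 8, 8, 9, 9)
] + ['10.0.0.5 - - [30/Dec/2010:14:53:00 +0530] "GET / HTTP/1.0" 200 1234 "-" "curl"']

# Assumed #Fields order, laid out to match the 21 columns of the posted lines.
IIS_SAMPLE = [
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)",
] + [
    f"2010-12-30 09:15:5{s} 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/testing.html - 404 3 144 137 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -"
    for s in (0, 0, 0, 0, 0, 0, 1, 1)
]

THRESHOLD, WINDOW = 6, 90  # illustrative, not OSSEC's rule parameters


def run_samples(threshold=THRESHOLD, window_seconds=WINDOW):
    apache = detect_4xx_bursts((parse_apache(l) for l in APACHE_SAMPLE), threshold, window_seconds)
    iis_parser = IISW3CParser()
    iis = detect_4xx_bursts((iis_parser.parse(l) for l in IIS_SAMPLE), threshold, window_seconds)
    return apache, iis


if __name__ == "__main__":
    for source, hits in zip(("apache", "iis"), run_samples()):
        for ip, n, first, last in hits:
            print(f"{source}: {n} 4xx from {ip} between {first:%H:%M:%S%z} and {last:%H:%M:%S%z}")
```

Run as a script it reports one burst per sample: 172.17.2.68 from the Apache lines and 172.16.2.63 from the IIS lines, i.e. the IP that the posted active-responses.log entries pass to route-null.cmd. The point of looking up `c-ip` by name is that an IIS site can be configured to log any subset of W3C fields in any order, so a parser that hard-codes "third column" breaks as soon as the `#Fields:` directive changes.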
