On Thu, Feb 24, 2011 at 3:21 PM, carlopmart wrote:
> Hi all,
>
>  I have included a squid proxy server on our monitoring logs via OSSEC. But
> I am receiving a lot of alerts in 30 minutes (75 more or less). All
> alerts are like this:
>
> OSSEC HIDS Notification.
> 2011 Feb 24 21:00:45
>
> Received From: (rhelclunode02)
> 172.25.50.15->/var/log/squid/anon/proxy-anon-access.log
> Rule: 1002 fired (level 2) ->  "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 1298577645.051      3 work01.mydomain.com TCP_DENIED/403 4005
> GEThttp://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di  -
> NONE/- text/html
>

Can you double check the spacing in this message? It seems off. Here's
the decoder:
<decoder name="squid-accesslog">
  <type>squid</type>
  <prematch>^\d+ \d+.\d+.\d+.\d+ </prematch>
  <regex>^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
  <order>srcip,action,id,url</order>
</decoder>

According to the decoder the decimal (.) in 1298577645.051 could make
this not match. Having multiple spaces between 1298577645.051 and 3
could also cause this problem. It looks like the 3 may be part of the
initial 1298577645.051, but I can't be sure. Your log also has a
hostname where I'm guessing an IP address would normally be, so that
will have to be accounted for... I think this is all easily fixable.

If the spacing and decimal points above are common in your logs, send
me (obfuscate them, send privately if you want) a few more samples.
I'll fix up the decoder.

> I have configured a policy under squid server to block adservers, certain
> sites, etc ... This TCP_DENIED is correct, because .doubleclick.net domain
> is in the blacklist. But why is rule 1002 fired?? I see the rule and it
> contains the BAD_WORDS variable that includes the "denied" word. Is that the
> problem??
>
>  Maybe I have defined my logfiles badly under agent.conf??
>
> <localfile>
> <log_format>squid</log_format>
> <location>/var/log/squid/anon/*.log</location>
> </localfile>
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>

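An added example, not code from either poster or from OSSEC: it translates the OSSEC regex dialect used by the quoted decoder into Python `re`, runs the posted prematch/regex over the log line from the thread (re-joined on one line, assuming the space between GET and the URL that the reply asks the poster to confirm), and shows why the prematch never matches, so the line falls through to the generic BAD_WORDS rule 1002 on "DENIED". The ADJUSTED decoder is an assumption of what a fixed pattern could look like, not OSSEC's shipped decoder.

```python
import re

# Constructed sample: the thread's log line, joined on one line with "GET <url>".
THREAD_LINE = ("1298577645.051      3 work01.mydomain.com TCP_DENIED/403 4005 GET "
               "http://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di - NONE/- text/html")

# Minimal translation of OSSEC's regex dialect: \d, \s, \S, \w are character
# classes, "\." means any character and a bare "." is a literal dot. Only the
# constructs these two decoders use are covered.
_CLASSES = {r"\d": "[0-9]", r"\s": " ", r"\S": "[^ ]", r"\w": "[A-Za-z0-9@_-]", r"\.": "."}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _CLASSES:
            out.append(_CLASSES[pattern[i:i + 2]]); i += 2
        else:
            out.append(r"\." if pattern[i] == "." else pattern[i]); i += 1
    return "".join(out)

# The decoder exactly as quoted in the reply: integer timestamp, one space, IP.
POSTED = {"prematch": r"^\d+ \d+.\d+.\d+.\d+ ",
          "regex": r"^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) "}
# Assumed adjustment (hypothetical, not OSSEC's decoder): fractional timestamp,
# any run of spaces before the elapsed-time column, hostname or IP as client.
ADJUSTED = {"prematch": r"^\d+.\d+\s+\d+ \S+ \w+/\d+ ",
            "regex": r"^\d+.\d+\s+\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) "}
FIELDS = ("srcip", "action", "id", "url")

def decode(decoder, line):
    """None when prematch fails (OSSEC then tries other decoders), else the fields."""
    if not re.search(ossec_to_python(decoder["prematch"]), line):
        return None
    m = re.search(ossec_to_python(decoder["regex"]), line)
    return dict(zip(FIELDS, m.groups())) if m else {}

def generic_bad_words_hit(line):
    """Simplified stand-in for rule 1002's $BAD_WORDS match: an undecoded line
    containing 'denied' (TCP_DENIED in the thread) raises the level-2 alert."""
    return re.search(r"denied", line, re.IGNORECASE) is not None

if __name__ == "__main__":
    print("posted decoder  :", decode(POSTED, THREAD_LINE))     # None: "." after the timestamp
    print("rule 1002 bait  :", generic_bad_words_hit(THREAD_LINE))
    print("adjusted decoder:", decode(ADJUSTED, THREAD_LINE))
```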