Justinas,

This is the rule that is triggering these active responses. Is there
something on your site that is causing Googlebot to trigger it?
You should be able to find the answer in your web logs.

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory traversal, simple sql injections,
      -  or access to the etc or bin directory (unix). -->
    <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url>
    <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
    <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
    <url>cat%20|exec%20|rm%20</url>
    <description>Common web attack.</description>
    <group>attack,</group>
  </rule>

While looking into this you can either raise the level at which the
active response triggers, or overwrite the rule in the local rules file
to lower its level.

Either way I would look at the web logs to see what is causing this.



On Sun, Oct 9, 2011 at 04:04, Justinas Lelys <[email protected]> wrote:
> Hi,
>
> I think it's because of some 500 errors, that crawler causes.
>
> Here is active-responses.log fragment:
> Sun Oct  9 03:47:23 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.115 1318120556.20115 31104
> Sun Oct  9 03:47:23 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.115 1318120556.20115 31104
> Sun Oct  9 03:49:09 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.106 1318121349.21573 31104
> Sun Oct  9 03:49:09 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.106 1318121349.21573 31104
> Sun Oct  9 03:52:09 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.108 1318120882.21061 31104
> Sun Oct  9 03:52:09 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.108 1318120882.21061 31104
> Sun Oct  9 03:57:42 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.121 1318121862.22144 31104
> Sun Oct  9 03:57:42 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.121 1318121862.22144 31104
> Sun Oct  9 03:59:12 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.106 1318121349.21573 31104
> Sun Oct  9 03:59:12 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.106 1318121349.21573 31104
> Sun Oct  9 04:01:37 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.120 1318122097.22788 31104
> Sun Oct  9 04:01:37 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.120 1318122097.22788 31104
> Sun Oct  9 04:09:07 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.121 1318121862.22144 31104
> Sun Oct  9 04:09:07 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.121 1318121862.22144 31104
> Sun Oct  9 04:12:07 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.120 1318122097.22788 31104
> Sun Oct  9 04:12:07 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.120 1318122097.22788 31104
> Sun Oct  9 06:50:31 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.44 1318132231.40024 31104
> Sun Oct  9 06:50:31 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.44 1318132231.40024 31104
> Sun Oct  9 07:01:01 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.44 1318132231.40024 31104
> Sun Oct  9 07:01:01 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.44 1318132231.40024 31104
>
>
> On Oct 7, 4:39 pm, Daniel Cid <[email protected]> wrote:
>> Hey,
>>
>> Can you find the rule that is causing it to get blocked? Just search
>> for their hostname in the OSSEC alert logs (or in the active response
>> log).
>>
>> thanks,
>>
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, Oct 5, 2011 at 11:17 AM, Justinas Lelys <[email protected]> wrote:
>> > Hi,
>> > How could I whitelist the Google crawler? OSSEC adds it to iptables DROP:
>>
>> > target     prot opt source               destination
>> > DROP       all  --  crawl-66-249-72-44.googlebot.com  anywhere
>>
>> > Tried to add in ossec.conf
>> > <white_list>crawl-66-249-72-44.googlebot.com</white_list>
>>
>> > Restarted OSSEC, but OSSEC still adds an iptables rule to block the crawler.
>> > The crawler hostname varies.
>



-- 
Registered Linux User # 379282
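An added example, not part of this thread or of OSSEC itself: a Python script that applies the four `<url>` lines of rule 31104 to web access-log lines the way OSSEC evaluates them (repeated `<url>` elements are concatenated, `|` separates alternatives, and each alternative is a plain unanchored substring test, not a regular expression) and reports which request matched which alternative. That is the check the reply above recommends doing in the web logs, and it also shows why a crawler can trip the rule without doing anything hostile: the bare `..` alternative matches any path containing two consecutive dots, and `rm%20`, `cat%20` and `cd%20` match the tail of ordinary words followed by an encoded space. The combined log format, the sample lines and their IPs and paths are constructed for the example; OSSEC's case handling is not modelled (matching here is case-sensitive).

```python
"""Emulate the <url> matching of OSSEC rule 31104 over web access-log lines.

Added example (not the thread's or OSSEC's own code). Rule 31104 is reproduced
from the posting above; the log format and sample lines are assumptions.
"""
import re
import sys

# The four <url> lines of rule 31104 exactly as posted, concatenated the way
# OSSEC joins repeated <url> elements (note the trailing '|' on the first three).
RULE_31104_URL = (
    "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|..|"
    "cmd.exe|root.exe|_mem_bin|msadc|/winnt/|"
    "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|"
    "cat%20|exec%20|rm%20"
)
# '|' separates alternatives; each one is tested as a plain substring, in order.
ALTERNATIVES = [alt for alt in RULE_31104_URL.split("|") if alt]

# Apache/nginx "combined" format (assumed): enough to pull out the source IP,
# the request URL and the status code, which is what the OSSEC web decoder uses.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'\S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample traffic, loosely in the shape of the Googlebot hits in the
# thread. The IPs and paths are made up; the last line is a real-looking probe.
SAMPLE_LOG = [
    '66.249.71.106 - - [09/Oct/2011:03:49:08 +0300] "GET /news/2011..10/index.html HTTP/1.1" 500 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.71.106 - - [09/Oct/2011:03:49:09 +0300] "GET /images/farm%20house.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.71.106 - - [09/Oct/2011:03:49:10 +0300] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [09/Oct/2011:03:50:00 +0300] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 300 "-" "curl/7.21.0"',
]


def matching_alternative(url):
    """Return the first rule alternative contained in url, or None if the rule would not fire."""
    for alt in ALTERNATIVES:
        if alt in url:
            return alt
    return None


def scan_access_log(lines):
    """Return (srcip, url, status, alternative) for every request rule 31104 would flag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; the web decoder would not parse it either
        alt = matching_alternative(m.group("url"))
        if alt is not None:
            hits.append((m.group("srcip"), m.group("url"), int(m.group("status")), alt))
    return hits


def flagged_sources(lines):
    """Group the flagged requests by source IP, which is what the active response blocks."""
    by_ip = {}
    for srcip, url, status, alt in scan_access_log(lines):
        by_ip.setdefault(srcip, []).append((url, status, alt))
    return by_ip


if __name__ == "__main__":
    # Pass the real access log as the first argument; without one, the sample lines run.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for srcip, requests in flagged_sources(source).items():
        print(srcip)
        for url, status, alt in requests:
            print(f"  {status} {url}   <- matched '{alt}'")
```

Run against the real access log, the output names the exact paths and the alternative that fired for each crawler IP, which is what you need before deciding whether to fix the URLs the site emits, lower the rule's level in local_rules.xml, or raise the active-response level. Anything that matches only on `..`, `rm%20`, `cat%20` or `cd%20` is usually a benign path caught by a loose substring rather than an attack.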
