On Mon, Jan 23, 2012 at 4:19 PM, Jason 'XenoPhage' Frisvold
<[email protected]> wrote:
> On Jan 23, 2012, at 5:05 PM, Damien Hull wrote:
>> I have ossec 2.6 running on Ubuntu 10.04 LTS. This is a web server
>> running LAMP....
>>
>> There are several websites on this server. Every now and then OSSEC
>> will block an IP address for accessing a website. This is not an
>> attack of any kind. I've had it happen to me. I'll access a website on
>> the server and bam, blocked.
>>
>> I have it configured to unblock the IP after 10 minutes. I figured
>> after 10 minutes a hacker will get tired and move on. I don't want
>> this to happen with users of my server.
>>
>> Is there a way to configure OSSEC so this doesn't happen? I've never
>> taken the time to tweak OSSEC....
>>
>> NOTE
>> The latest alert was for Moodle. I'm guessing a user clicked on
>> something and OSSEC didn't like it...
>
>
> It blocks for a reason. If you can provide the alert it sent, that would go
> a long way to identifying what it's seeing as bad. It's probably something
> simple. I haven't had a chance to fully test Moodle as of yet, but I expect
> there will be a number of items that need to be handled in order to make it
> all run smoothly. Incidentally, is this Moodle 1 or 2?
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>
I just found the alert in my ticket system. Here's the new info...
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
from same source ip."
1. It looks like this rule caused OSSEC to block the IP Address
2. Here's the config from web_rules.xml. Notice the 31101. That's why
I thought 31101 was the problem.
<rule id="31151" level="10" frequency="10" timeframe="120">
  <if_matched_sid>31101</if_matched_sid>
  <same_source_ip />
  <description>Mutiple web server 400 error codes </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>
Questions:
1. Should I modify this?
2. If so what would be a good modification?
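The rule quoted above is a composite rule: it fires once rule 31101 (a single 4xx response) has matched `frequency` times from the same source IP inside `timeframe` seconds, and the active response then blocks that IP. The following is an added example, not OSSEC code and not from anyone in this thread: a small Python simulation of that correlation run over constructed Apache access-log lines, so that the effect of the two tunable attributes (`frequency`, `timeframe`) and of an exempted address list can be seen before touching the real rule. The log lines, IP addresses (RFC 5737 documentation ranges) and URLs are constructed; the window-clearing after a match and the `white_list` parameter are simplifications of OSSEC's behaviour, assumed here for illustration.

```python
"""Simulate the OSSEC 31151-style per-source-IP frequency/timeframe
correlation over constructed Apache access-log lines.
Added example; not OSSEC's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "status": int(m.group("status")),
    }


def is_4xx(event):
    """Stand-in for rule 31101: any 400-499 response is one match."""
    return 400 <= event["status"] <= 499


def correlate(lines, frequency=10, timeframe=120):
    """Return (ip, ts) pairs for each time the composite rule would fire.

    Mirrors the attributes of rule 31151: `frequency` matches of the
    base rule from one source IP within `timeframe` seconds. The window
    is cleared after a match so one burst yields one alert (assumption)."""
    events = [e for e in map(parse_line, lines) if e is not None and is_4xx(e)]
    events.sort(key=lambda e: e["ts"])  # OSSEC sees log lines in time order
    windows = defaultdict(deque)
    alerts = []
    for ev in events:
        w = windows[ev["ip"]]
        w.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=timeframe)
        while w and w[0] < cutoff:       # drop matches outside the timeframe
            w.popleft()
        if len(w) >= frequency:
            alerts.append((ev["ip"], ev["ts"]))
            w.clear()
    return alerts


def to_block(alerts, white_list=()):
    """Addresses the active response would block; exempted IPs still alert
    but are never blocked (models an allow-list, assumed for illustration)."""
    return sorted({ip for ip, _ in alerts if ip not in set(white_list)})


def make_lines(ip, start, count, status, step_seconds):
    """Construct `count` log lines from `ip`, `step_seconds` apart."""
    base = datetime.strptime(start, TS_FMT)
    out = []
    for i in range(count):
        ts = (base + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)
        out.append(f'{ip} - - [{ts}] "GET /moodle/theme/missing{i}.png HTTP/1.1" {status} 512')
    return out


# Constructed sample: one client producing 12 fast 404s (a page with many
# broken asset links), one producing a few slow 4xx responses, one with 200s.
SAMPLE_LOG = (
    make_lines("203.0.113.10", "23/Jan/2012:17:05:00 -0500", 12, 404, 5)
    + make_lines("198.51.100.7", "23/Jan/2012:17:05:00 -0500", 3, 404, 5)
    + make_lines("192.0.2.44", "23/Jan/2012:17:05:00 -0500", 20, 200, 1)
    + make_lines("198.51.100.7", "23/Jan/2012:17:10:00 -0500", 8, 403, 60)
)


def stock_rule():
    """frequency=10, timeframe=120 as in the quoted rule."""
    return correlate(SAMPLE_LOG, frequency=10, timeframe=120)


def relaxed_rule():
    """Same log with frequency raised to 30: the burst no longer fires."""
    return correlate(SAMPLE_LOG, frequency=30, timeframe=120)


if __name__ == "__main__":
    for ip, ts in stock_rule():
        print(f"stock rule fires for {ip} at {ts:%H:%M:%S}")
    print("would block:", to_block(stock_rule(), white_list=["203.0.113.10"]))
    print("relaxed rule alerts:", relaxed_rule())
```

Running it shows the stock settings firing on the tenth 404 from the first client (45 seconds into its burst), while the second client's eleven 4xx responses never reach ten inside any 120-second window. That is the trade-off the question is really about: a browser loading a page with a dozen missing assets looks, to this rule, exactly like a scanner, and the knobs are the threshold, the window, and whether trusted addresses are kept out of the active response rather than the rule itself.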