Ok, so I've read through a few posts, and can't quite seem to work this one out. What I'm trying to do is to generate an alert when a specific name (or anything really) is picked up in a URL from a web server access log.
What I've done so far....
1) Created a new folder: /var/ossec/lists
2) Created a file in the folder called 'names'
3) Created the following line in the /var/ossec/etc/ossec.conf
<ossec_config> <!-- rules global entry -->
<rules>
......lots of other rules......
<list>lists/names</list>
</rules>
</ossec_config> <!-- rules global entry -->
4) in the file 'names' added the following:
name1:bob_jones
name2:frank_smith
5) Run the following: /var/ossec/bin/ossec-makelists .... This creates the names.cdb file as expected.
6) Created a rule as such:
<rule id="100333" level="11">
<if_sid>31100</if_sid>
<list field="url">lists/names</list>
<description>Detect names appearing in web access log</description>
</rule>
7) Run /var/ossec/bin/ossec-logtest and pasted the following log entry in:
192.168.1.1 - jbloggs [23/Feb/2012:11:01:42 +0000] "GET /server/reports.php?column=data&operator=%3D&value=bob_jones&action=Add&save_as=&filter=_none_ HTTP/1.1" 200 9341
8) The output I get from the log test is:
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '192.168.1.1'
url: '/server/reports.php?column=data&operator=%3D&value=bob_jones&action=Add&save_as=&filter=_none_'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31100'
Level: '0'
Description: 'Access log messages grouped.'
*************************************************************************************************
So my questions are:
1 - Is the rule correct?
2 - Is the list correct?
3 - Will using the list allow a search in this way to detect part of the URL string, and not the full thing?
Have I missed anything glaringly obvious?
Thanks greatly in advance...
Pip
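Added illustration (not from the post above or from OSSEC's own code): a small Python model of what the `<list field="url">` check compares. The compiled CDB is keyed on the part before the colon in each list line, and OSSEC's default lookup asks whether the whole decoded field value is one of those keys, so the script parses the poster's `names` file and runs that lookup against the `url` value that ossec-logtest printed, alongside a plain substring scan for comparison.

```python
# Constructed copy of the poster's 'names' list file (OSSEC list format: key:value per line).
NAMES_LIST = """name1:bob_jones
name2:frank_smith
"""

# The decoded 'url' field exactly as ossec-logtest printed it for the sample log entry.
URL_FIELD = ("/server/reports.php?column=data&operator=%3D"
             "&value=bob_jones&action=Add&save_as=&filter=_none_")


def parse_list(text):
    """Parse the key:value list format that ossec-makelists compiles into a .cdb.

    Blank lines and '#' comments are skipped; the key is everything before the
    first colon and the value (optional) everything after it.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key] = value
    return entries


def match_key(entries, field_value):
    """Model of OSSEC's default list lookup: the entire field value must equal a list key."""
    return field_value in entries


def values_in_field(entries, field_value):
    """Substring scan over the list *values*, shown only to contrast with match_key.

    This is not what the CDB lookup does; it returns the values that occur
    anywhere inside the field.
    """
    return sorted(v for v in entries.values() if v in field_value)


if __name__ == "__main__":
    names = parse_list(NAMES_LIST)
    print("keys in compiled list:", sorted(names))
    print("match_key on full url field:", match_key(names, URL_FIELD))
    print("match_key on literal key 'name1':", match_key(names, "name1"))
    print("list values found as substrings of the url:", values_in_field(names, URL_FIELD))
```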