Hi!
On Thu, Feb 23, 2012 at 03:48:35AM -0800, PJG wrote:
> Ok,
>
> So I've read through a few posts, and can't quite seem to work this
> one out. What I'm trying to do is to generate an alert when a specific
> name (or anything really) is picked up in a url picked up from a web
> server access log.
>
> What I've done so far....
>
> 1) Created a new folder: /var/ossec/lists
> 2) Created a file in the folder called 'names'
> 3) Created the following line in the /var/ossec/etc/ossec.conf
>
> <ossec_config> <!-- rules global entry -->
> <rules>
> ......lots of other rules......
> <list>lists/names</list>
> </rules>
> </ossec_config> <!-- rules global entry -->
>
>
Looks good so far.
> 4) in the file 'names' added the following:
>
> name1:bob_jones
> name2:frank_smith
This might need correction. CDB lookups are key based, and can be used
for existence checking, i.e., is the name or user in a certain list, or
not? If you want to answer a yes/no question like that, your list could
contain:
name1:1
name2:1
bob_jones:1
You can also do key/value matching - search on a key, and ossec will do
a regex check on the associated value:
bob_jones:good
frank_smith:bad
So you could write a rule that says, look up a given user, if the value
is 'good', don't do anything; if the value is bad, complain. Having an
additional rule to catch the case where the user is not found would
probably be a good idea too.
>
> 5) run the following: /var/ossec/bin/ossec-makelists .... This
> creates the names.cdb file as expected.
>
> 6) Created a rule as such:
>
> <rule id="100333" level="11">
> <if_sid>31100</if_sid>
> <list field="url">lists/names</list>
> <description>Detect names appearing in web access log</description>
> </rule>
>
> 7) run /var/ossec/bin/ossec-logtest and pasted the following log entry
> in:
>
> 192.168.1.1 - jbloggs [23/Feb/2012:11:01:42 +0000] "GET /server/
> reports.php?column=data&operator=
> %3D&value=bob_jones&action=Add&save_as=&filter=_none_ HTTP/1.1" 200
> 9341
>
> 8) The output I get from the log test is:
>
> **Phase 2: Completed decoding.
> decoder: 'web-accesslog'
> srcip: '192.168.1.1'
> url: '/server/reports.php?column=data&operator=
> %3D&value=bob_jones&action=Add&save_as=&filter=_none_'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31100'
> Level: '0'
> Description: 'Access log messages grouped.'
>
> *************************************************************************************************
>
> So my questions are:
>
> 1 - Is the rule correct?
> 2 - Is the list correct?
> 3 - Will using the list allow a search in this way to detect part of
> the URL string, and not the full thing?
I'm 95% certain that the answer to #3 is no, CDB lookups are done with
exact matches - if you wanted it to work the way you've got it set up,
the exact url that appears in what was decoded ('/server/reports...')
must be a line in the CDB file. Because of this, your rule isn't really
going to do what you want.
The thing you need to do is write a custom decoder for your web access
logs that can pull out the exact string you want to match and set the
user field to that string. Then you change your rule to
<list field="user">lists/names</list>
http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
Depending on the variety of URLs in your web logs (and those you want to
inspect/alert on), this could be easy or difficult. Here's an untested
one:
(/var/ossec/etc/local_decoder.xml):
<decoder name="untested">
<parent>web-accesslog</parent>
<!-- assumes value param always precedes action param, and contains user
name -->
<regex>value=(\w+)&action=</regex>
<order>user</order>
</decoder>
Andy
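Added example, not part of the thread: a small Python model of why the field="url" lookup misses and the decoder-plus-field="user" approach hits. It replays PJG's log line against a constructed key:value list, using Python's re as a stand-in for OSSEC's own regex engine and a dict as a stand-in for the CDB (exact key match, optional regex on the stored value); the rule attributes that select key-only versus key/value lookup are not modelled.

```python
import re

# Constructed sample list in the key:value layout Andy describes
# (keys are matched exactly; values can be regex-checked).
NAMES_LIST = """bob_jones:bad
frank_smith:good
"""

# The access-log line PJG pasted, used as the single sample input.
ACCESS_LOG = ('192.168.1.1 - jbloggs [23/Feb/2012:11:01:42 +0000] "GET /server/'
              'reports.php?column=data&operator=%3D&value=bob_jones&action=Add'
              '&save_as=&filter=_none_ HTTP/1.1" 200 9341')

def parse_list(text):
    """Mimic the key:value entries ossec-makelists would compile into a CDB."""
    entries = {}
    for line in text.splitlines():
        if ':' in line:
            key, _, value = line.partition(':')
            entries[key] = value
    return entries

def decode_url(line):
    """Stand-in for the stock web-accesslog decoder: the quoted request path."""
    m = re.search(r'"\w+ (\S+) HTTP/', line)
    return m.group(1) if m else None

def decode_user(url):
    r"""Andy's untested child decoder: value=(\w+)&action= feeds the user field."""
    m = re.search(r'value=(\w+)&action=', url)
    return m.group(1) if m else None

def list_lookup(entries, field_value, value_regex=None):
    """CDB semantics: exact key match, then optional regex on the stored value."""
    if field_value not in entries:
        return False
    if value_regex is None:
        return True
    return re.search(value_regex, entries[field_value]) is not None

def evaluate(line, list_text=NAMES_LIST):
    """Run one log line through both rule variants and the key/value variant."""
    entries = parse_list(list_text)
    url = decode_url(line)
    user = decode_user(url) if url else None
    return {
        'url': url,
        'user': user,
        'match_on_url': list_lookup(entries, url),            # PJG's rule, field="url"
        'match_on_user': list_lookup(entries, user),          # rule with field="user"
        'user_flagged_bad': list_lookup(entries, user, '^bad$'),  # key/value variant
    }
```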