Hi all,

I need a rule for Apache to check if a "bad useragent" like Nikto, Zeus, 
WebReaper etc. is crawling a webserver. Additionally I need a file where all 
my forbidden useragents are listed. My first thought was to use the <list> 
tag in a rule like this:

 <rule id="109005" level="14">
    <if_sid>31100</if_sid>
    <list field="url" lookup="match_key">rules/bad_useragents</list>
    <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
 </rule>

But the problem with this solution is that the useragent information in the 
logs is really hard to extract using a regex in a decoder.
A sample-log looks like this one:

Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - 
[30/Mar/2012:13:32:00 +0200] "GET /Elv8O72e.cwr HTTP/1.1" 404 272 "-" 
"Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"

and the useragent in this case is: Mozilla/4.75 (Nikto/2.1.4) 
(Evasions:None) (Test:map_codes) 
but with other agents it might look different, so I can't use the list tag 
because I can't extract the useragent itself. 
That's why I thought of using a compiled rule:

#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include "regex.h"

void *if_bad_useragent(Eventinfo *lf)
{
    FILE *useragents;
    char line[256];
    regex_t regex;
    int reti;

    useragents = fopen("/var/ossec/rules/bad_useragents", "r");
    if (useragents == NULL) {
        return (NULL);
    }

    /* One pattern per line; strip the trailing newline fgets() leaves behind. */
    while (fgets(line, 256, useragents)) {
        line[strcspn(line, "\r\n")] = '\0';

        /* DEFINE REGEX */
        /* OF COURSE THIS IS NOT THE CORRECT REGEX, BUT I USED .* TO TEST
         * THE RULE TO BE SURE IT WILL WORK */
        reti = regcomp(&regex, ".*", 0);
        if (reti) {
            fprintf(stderr, "OSSEC-HIDS: ~/ossec/ossec-hids-2.6/src/analysisd/"
                            "compiled_rules/if_bad_useragent.c: "
                            "Could not compile regex\n");
            exit(1);
        }

        /* EXECUTE REGEX */
        reti = regexec(&regex, "abc", 0, NULL, 0);
        regfree(&regex);   /* release the compiled regex on every path */
        if (!reti) {
            fclose(useragents);
            return (lf);
        }
    }

    fclose(useragents);   /* no line matched: close the file before returning */
    return (NULL);
}

I created the file if_bad_useragent.c in src/analysisd/compiled_rules 
with the content above. After that I executed the following 3 commands:
./register_rule.sh build
*Build completed.
./register_rule.sh save
*Save completed at /var/ossec/compiled_rules/
./register_rule.sh list
*Available functions:
check_id_size
comp_mswin_targetuser_calleruser_diff
comp_srcuser_dstuser
if_bad_useragent
is_simple_http_request
is_valid_crawler

But when I want to test my rule using ossec-logtest I always get the 
following error: 
2012/04/02 10:36:44 ossec-analysisd: ERROR: Compiled rule not found: 
'if_bad_useragent'
2012/04/02 10:36:44 ossec-analysisd(1274): ERROR: Invalid configuration. 
Element 'compiled_rule': if_bad_useragent.
2012/04/02 10:36:44 ossec-testrule(1220): ERROR: Error loading the rules: 
'local_rules.xml'.

My installed OSSEC-Version is:
 bin/ossec-analysisd -V

OSSEC HIDS v2.6 - Trend Micro Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

Does anyone have an idea what I must change?


THX in advance

P.S. At the moment I'm using the following rule, which I think is quite slow 
etc.:
 <rule id="109005" level="14">
    <if_sid>31100</if_sid>
    <match>BlackWidow|ChinaClaw|Custo|DISCo|Download Demon|EirGrabber|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|HTTrack|Image Stripper|Image Sucker|Indy Library|Indy Library|InterGET|Internet Ninja|JOC Web Spider|JetCar|LeechFTP|MIDown tool|Mass Downloader|Mister PiX|Navroad|NearSite|NetAnts|NetSpider|NetZIP|Net Vampire|Octopus|Offline Explorer|Offline Navigator|PageGrabber|Papa Foto|ReGet|RealDownload|SiteSnagger|SmartDownload|SuperBot|SuperHTTP|Surfbot|Teleport Pro|TurnitinBot|VoidEYE|WWWOFFLE|WebAuto|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Web Image Collector|Web Sucker|Website Quester|Website eXtractor|Widow|Xaldon WebSpider|Zeus|archiverloader|casper|clshttp|cmsworldmap|curl|diavol|dotbot|eCatch|email|extract|flicky|grab|harvest|jakarta|java|kmccrew|larbin|libwww|miner|nikto|pavuk|pcBrowser|planetwork|pycurl|python|scan|skygrid|tAkeOut|wget|winhttp</match>
    <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
 </rule>
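Added example, not part of the original post and not OSSEC code: a standalone C version of the check the post is after. It pulls the user agent out of an Apache combined-format line as the last double-quoted field (honouring the `\"` escaping Apache uses for embedded quotes), and tests it against a list of patterns that is compiled once and cached instead of being recompiled for every event. The pattern list is constructed here in place of the rules/bad_useragents file, the benign sample line is constructed, and inside a real compiled rule the log text would come from the Eventinfo argument (assumed to be `lf->log`).

```c
/* Added example, not OSSEC's code: user-agent extraction and list matching
 * for Apache combined-format lines, with patterns compiled once and cached.
 * Assumptions: the BAD_AGENTS array stands in for rules/bad_useragents, and
 * in a real compiled rule the line would come from the Eventinfo (lf->log). */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERNS 64

/* Constructed patterns, one entry each as they would sit one per line in the file. */
static const char *const BAD_AGENTS[] = {
    "nikto", "zeus", "webreaper", "httrack", "libwww", "^curl/",
};
#define NUM_BAD_AGENTS (sizeof(BAD_AGENTS) / sizeof(BAD_AGENTS[0]))

/* Sample lines: the Nikto line from the post, plus a constructed benign one. */
static const char SAMPLE_NIKTO[] =
    "Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - "
    "[30/Mar/2012:13:32:00 +0200] \"GET /Elv8O72e.cwr HTTP/1.1\" 404 272 \"-\" "
    "\"Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)\"";
static const char SAMPLE_OK[] =
    "Mar 30 13:35:10 ossec-server apache[26757]: 192.168.0.40 - - "
    "[30/Mar/2012:13:35:10 +0200] \"GET /index.html HTTP/1.1\" 200 1043 \"-\" "
    "\"Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0\"";

static regex_t g_regs[MAX_PATTERNS];
static size_t g_nregs = 0;
static int g_compiled = 0;

/* Compile every pattern once (case-insensitive, match-only). A pattern that
 * fails to compile is reported and skipped rather than taking the daemon down. */
static void ensure_compiled(void)
{
    if (g_compiled) return;
    for (size_t i = 0; i < NUM_BAD_AGENTS && g_nregs < MAX_PATTERNS; i++) {
        if (regcomp(&g_regs[g_nregs], BAD_AGENTS[i],
                    REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
            g_nregs++;
        else
            fprintf(stderr, "skipping unparsable pattern: %s\n", BAD_AGENTS[i]);
    }
    g_compiled = 1;
}

/* Copy the last double-quoted field of a combined-format line into out.
 * Apache writes embedded quotes as \" so a backslash-preceded quote does not
 * end the field. Returns 1 on success, 0 if there is no complete quoted field. */
int extract_useragent(const char *log, char *out, size_t outlen)
{
    const char *end = strrchr(log, '"');
    if (end == NULL || outlen == 0) return 0;
    const char *start = end;
    while (start > log) {
        start--;
        if (*start == '"' && (start == log || *(start - 1) != '\\')) break;
    }
    if (start == end || *start != '"') return 0;
    size_t len = (size_t)(end - start - 1);
    if (len >= outlen) len = outlen - 1;   /* truncate rather than overflow */
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return 1;
}

/* Index of the first listed pattern matching ua, or -1 if none matches. */
int match_bad_useragent(const char *ua)
{
    ensure_compiled();
    for (size_t i = 0; i < g_nregs; i++)
        if (regexec(&g_regs[i], ua, 0, NULL, 0) == 0) return (int)i;
    return -1;
}

/* Whole check on one log line: 1 if its user agent is on the list, else 0. */
int log_has_bad_useragent(const char *log)
{
    char ua[512];
    if (!extract_useragent(log, ua, sizeof ua)) return 0;
    return match_bad_useragent(ua) >= 0;
}

/* Helper for checking the extractor: 1 if the extracted field equals expected. */
int extract_equals(const char *log, const char *expected)
{
    char ua[512];
    return extract_useragent(log, ua, sizeof ua) && strcmp(ua, expected) == 0;
}

int main(void)
{
    printf("nikto line  -> %d\n", log_has_bad_useragent(SAMPLE_NIKTO));
    printf("benign line -> %d\n", log_has_bad_useragent(SAMPLE_OK));
    return 0;
}
```

Compile with `cc -o ua_check ua_check.c` and run; the Nikto line reports 1 and the benign line 0. Reading the pattern file into the array at first use, instead of embedding it, is the only change needed to feed it from rules/bad_useragents.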
