Can you take a look at the file src/analysisd/compiled_rules/compiled_rules.h to see if your new function is there?
Also, did you re-run make and copy the new analysisd binary to /var/ossec/bin?

Btw, your current function is actually slower than using the <match> from OSSEC. It is doing an open+read+regex_compile on every single HTTP event and that can slow things down. It is better to pre-compile and keep in memory than having to do it every time.

Besides that, it is a very good start :)

Thanks,

--
Daniel B. Cid
http://dcid.me

On Mon, Apr 2, 2012 at 7:36 AM, Stephane <[email protected]> wrote:
> Hi all,
>
> I need a rule for Apache to check if a "bad useragent" like Nikto, Zeus,
> WebReaper etc. is crawling a webserver. Additionally I need a file where all
> my forbidden useragents are listed. My first thought was to use the <list>
> tag in a rule like this:
>
> <rule id="109005" level="14">
>   <if_sid>31100</if_sid>
>   <list field="url" lookup="match_key">rules/bad_useragents</list>
>   <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> </rule>
>
> But my problem with this solution is that the useragent information in the
> logs is really hard to extract using a regex in a decoder.
> A sample log looks like this one:
>
> Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - [30/Mar/2012:13:32:00 +0200] "GET /Elv8O72e.cwr HTTP/1.1" 404 272 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
>
> and the useragent in this case is: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)
> but with other agents it might look different. So I can't use the list tag
> because I can't extract the useragent itself.
> That's why I thought to use a compiled rule:
>
> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include "regex.h"
>
> void *if_bad_useragent(Eventinfo *lf)
> {
>     FILE *useragents;
>     char line[256];
>
>     useragents = fopen("/var/ossec/rules/bad_useragents", "r");
>     if (useragents != NULL) {
>         /* line (the pattern read from the file) is not used yet */
>         while (fgets(line, sizeof(line), useragents)) {
>             regex_t regex;
>             int reti;
>
>             /* DEFINE REGEX */
>             /* OF COURSE THIS IS NOT THE CORRECT REGEX, BUT I USED .* TO TEST
>              * THE RULE TO BE SURE IT WILL WORK */
>             reti = regcomp(&regex, ".*", 0);
>             if (reti) {
>                 fprintf(stderr, "OSSEC-HIDS: "
>                         "~/ossec/ossec-hids-2.6/src/analysisd/compiled_rules/if_bad_useragent.c: "
>                         "Could not compile regex\n");
>                 fclose(useragents);
>                 exit(1);
>             }
>
>             /* EXECUTE REGEX */
>             reti = regexec(&regex, "abc", 0, NULL, 0);
>             regfree(&regex);        /* free on both paths, not only on no-match */
>             if (!reti) {
>                 fclose(useragents);
>                 return (lf);
>             }
>         }
>         fclose(useragents);         /* also close when nothing matched */
>     }
>     return (NULL);
> }
>
> I created the file if_bad_useragent.c in src/analysisd/compiled_rules
> with the content above. After that I executed the 3 following commands:
>
> ./register_rule.sh build
> *Build completed.
> ./register_rule.sh save
> *Save completed at /var/ossec/compiled_rules/
> ./register_rule.sh list
> *Available functions:
> check_id_size
> comp_mswin_targetuser_calleruser_diff
> comp_srcuser_dstuser
> if_bad_useragent
> is_simple_http_request
> is_valid_crawler
>
> But when I want to test my rule using ossec-logtest I always get the
> following error:
> 2012/04/02 10:36:44 ossec-analysisd: ERROR: Compiled rule not found: 'if_bad_useragent'
> 2012/04/02 10:36:44 ossec-analysisd(1274): ERROR: Invalid configuration. Element 'compiled_rule': if_bad_useragent.
> 2012/04/02 10:36:44 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>
> My installed OSSEC version is:
> bin/ossec-analysisd -V
>
> OSSEC HIDS v2.6 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License (version 2) as
> published by the Free Software Foundation. For more details, go to
> http://www.ossec.net/main/license/
>
> Does anyone have an idea what I must change?
>
> THX in advance
>
> P.S. At the moment I'm using the following rule, which I think is quite slow
> etc.:
> <rule id="109005" level="14">
>   <if_sid>31100</if_sid>
>   <match>BlackWidow|ChinaClaw|Custo|DISCo|Download Demon|EirGrabber|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|HTTrack|Image Stripper|Image Sucker|Indy Library|Indy Library|InterGET|Internet Ninja|JOC Web Spider|JetCar|LeechFTP|MIDown tool|Mass Downloader|Mister PiX|Navroad|NearSite|NetAnts|NetSpider|NetZIP|Net Vampire|Octopus|Offline Explorer|Offline Navigator|PageGrabber|Papa Foto|ReGet|RealDownload|SiteSnagger|SmartDownload|SuperBot|SuperHTTP|Surfbot|Teleport Pro|TurnitinBot|VoidEYE|WWWOFFLE|WebAuto|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Web Image Collector|Web Sucker|Website Quester|Website eXtractor|Widow|Xaldon WebSpider|Zeus|archiverloader|casper|clshttp|cmsworldmap|curl|diavol|dotbot|eCatch|email|extract|flicky|grab|harvest|jakarta|java|kmccrew|larbin|libwww|miner|nikto|pavuk|pcBrowser|planetwork|pycurl|python|scan|skygrid|tAkeOut|wget|winhttp</match>
>   <description>APACHE: A BAD USERAGENT IS CRAWLING...</description>
> </rule>
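The two points raised in this thread, Daniel's advice to compile the pattern list once and keep it in memory rather than doing open+read+regcomp per event, and Stephane's difficulty isolating the User-Agent, can be shown together in plain C. The following is an added, stand-alone example written for this page; it is not code from either poster or from OSSEC. It uses POSIX <regex.h> only, and the OSSEC glue (Eventinfo, the compiled_rules registration) is deliberately left out: in a real compiled rule the assumption is that load_bad_useragents() runs once at start-up and is_bad_useragent() is handed the event's log line and returns lf on a hit. The pattern list and the log lines other than the Nikto sample are constructed for the demo.

```c
/* Added example (not from the thread or from OSSEC): compile the bad
 * user-agent patterns once, keep them in memory, and match only the
 * User-Agent field of an Apache access-log line against them. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERNS 256

static regex_t g_patterns[MAX_PATTERNS];
static size_t g_npatterns = 0;

/* Compile every pattern once (e.g. at analysisd start-up) instead of an
 * open+read+regcomp per event. Returns the number compiled, or -1 with
 * nothing loaded if a pattern is invalid. Safe to call again to reload. */
int load_bad_useragents(const char *const *patterns, size_t n)
{
    size_t i;

    for (i = 0; i < g_npatterns; i++)
        regfree(&g_patterns[i]);
    g_npatterns = 0;

    for (i = 0; i < n && g_npatterns < MAX_PATTERNS; i++) {
        int rc = regcomp(&g_patterns[g_npatterns], patterns[i],
                         REG_EXTENDED | REG_ICASE | REG_NOSUB);
        if (rc != 0) {
            char err[128];
            regerror(rc, &g_patterns[g_npatterns], err, sizeof err);
            fprintf(stderr, "bad pattern '%s': %s\n", patterns[i], err);
            load_bad_useragents(NULL, 0);   /* free what was compiled */
            return -1;
        }
        g_npatterns++;
    }
    return (int)g_npatterns;
}

/* Copy the User-Agent out of an Apache combined-format line: it is the
 * last double-quoted field. Returns 0 on success, -1 if there is no such
 * field or it does not fit in out. */
int extract_useragent(const char *line, char *out, size_t outlen)
{
    const char *end = strrchr(line, '"');
    const char *start;
    size_t len;

    if (end == NULL || end == line)
        return -1;
    for (start = end - 1; start > line && *start != '"'; start--)
        ;
    if (*start != '"')
        return -1;
    len = (size_t)(end - start - 1);
    if (len >= outlen)
        return -1;
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return 0;
}

/* 1 if the line's User-Agent matches a loaded pattern, 0 if not, -1 if no
 * User-Agent field could be extracted. Only the UA is tested, so "nikto"
 * appearing in the URL does not fire, unlike a <match> over the whole line. */
int is_bad_useragent(const char *line)
{
    char ua[1024];
    size_t i;

    if (extract_useragent(line, ua, sizeof ua) != 0)
        return -1;
    for (i = 0; i < g_npatterns; i++)
        if (regexec(&g_patterns[i], ua, 0, NULL, 0) == 0)
            return 1;
    return 0;
}

/* Constructed inputs: the pattern list stands in for rules/bad_useragents;
 * kLogNikto is the sample from the thread, the other two lines are made up. */
static const char *const kBadPatterns[] = {
    "Nikto", "Zeus", "WebReaper", "HTTrack", "^curl/", "^Wget/"
};
static const size_t kBadPatternCount =
    sizeof kBadPatterns / sizeof kBadPatterns[0];
static const char kLogNikto[] =
    "Mar 30 13:32:00 ossec-server apache[26757]: 192.168.0.28 - - "
    "[30/Mar/2012:13:32:00 +0200] \"GET /Elv8O72e.cwr HTTP/1.1\" 404 272 \"-\" "
    "\"Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)\"";
static const char kLogFirefox[] =
    "Mar 30 13:33:10 ossec-server apache[26757]: 192.168.0.30 - - "
    "[30/Mar/2012:13:33:10 +0200] \"GET /index.html HTTP/1.1\" 200 5120 \"-\" "
    "\"Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0\"";
static const char kLogNiktoInUrl[] =
    "Mar 30 13:34:02 ossec-server apache[26757]: 192.168.0.31 - - "
    "[30/Mar/2012:13:34:02 +0200] \"GET /docs/nikto.html HTTP/1.1\" 200 812 \"-\" "
    "\"Mozilla/5.0 (Windows NT 6.1) Firefox/10.0\"";

int main(void)
{
    const char *const lines[] = { kLogNikto, kLogFirefox, kLogNiktoInUrl };
    size_t i;

    if (load_bad_useragents(kBadPatterns, kBadPatternCount) < 0)
        return 1;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", is_bad_useragent(lines[i]), lines[i]);
    return 0;
}
```

The cost model is the point: regcomp runs once per pattern at load time, and each event costs one strrchr pass plus one regexec per pattern, with no file I/O. Reading the patterns from /var/ossec/rules/bad_useragents instead of the constructed array is a matter of fgets into a buffer and stripping the newline before handing the lines to load_bad_useragents().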
