I need some help in understanding why a rule isn't being obeyed. The
exception I created, rule id 100000, seems to be working properly according
to the ossec-logtest, but my customer's IP is still being blocked by the
ossec agent. I may be making some bad assumptions. Are these assumptions
correct?
1. The rules are defined only in the server's ossec.conf (AND NOT in the
agent's ossec.conf), right?
2. Is it necessary to restart the agent after updating or creating a
new rule?
ossec-testrule: Type one log per line.
Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include filename
('../../../../wp-config.php') contains too many '../' (attacker
'216.115.6.136', file '/hsphere/local/home/lfc2012/
livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
line 24)
**Phase 1: Completed pre-decoding.
full event: 'Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include
filename ('../../../../wp-config.php') contains too many '../' (attacker
'216.115.6.136', file '/hsphere/local/home/lfc2012/
livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
line 24) '
hostname: 'web6'
program_name: 'suhosin'
log: 'ALERT - Include filename ('../../../../wp-config.php')
contains too many '../' (attacker '216.115.6.136', file
'/hsphere/local/home/lfc2012/
livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
line 24) '
**Phase 2: Completed decoding.
decoder: 'suhosin'
id: 'Include filename ('../../../../wp-config.php') contains too
many '../''
srcip: '216.115.6.136'
**Rule debugging:
Trying rule: 3 - Generic template for all ids rules.
*Rule 3 matched.
*Trying child rules.
Trying rule: 20100 - First time this IDS alert is generated.
*Rule 20100 matched.
*Trying child rules.
Trying rule: 20102 - Ignored snort ids.
Trying rule: 20103 - Ignored snort ids.
Trying rule: 100000 - ignore suhosin blocks for now
*Rule 100000 matched.
**Phase 3: Completed filtering (rules).
Rule id: '100000'
Level: '0'
Description: 'ignore suhosin blocks for now'
--
Gil Vidals
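For reference, an added example (not the poster's actual file) of how an override like rule 100000 is normally written in the manager's rules/local_rules.xml: rules are evaluated by ossec-analysisd on the manager, the agent only forwards the log line, so the rule goes on the manager side. The match string, the group name and the use of decoded_as are assumptions; only the id, level, description and the parent 20100 come from the logtest output above.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC manager (assumed layout) -->
<group name="local,">
  <!-- Child of 20100 ("First time this IDS alert is generated"), the parent
       ossec-logtest shows it under. Level 0 means no alert is written for
       this event, so no active response can be triggered by this rule. -->
  <rule id="100000" level="0">
    <if_sid>20100</if_sid>
    <!-- Only fire for events the suhosin decoder produced -->
    <decoded_as>suhosin</decoded_as>
    <!-- Assumed match string; adjust to the suhosin messages you want to ignore -->
    <match>contains too many</match>
    <description>ignore suhosin blocks for now</description>
  </rule>
</group>
```

ossec-logtest loads the rule files from disk each time it runs, while the running ossec-analysisd only reads them at startup, so a match in logtest does not by itself prove the live manager has the rule: restart the manager (ossec-control restart) after editing and check /var/ossec/logs/active-responses.log to see which rule id actually triggered a block.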