On Wed, Jul 25, 2012 at 3:16 PM, Gil Vidals <[email protected]> wrote:
> I need some help in understanding why a rule isn't being obeyed. The
> exception I created, rule id 100000, seems to be working properly according
> to the ossec-logtest, but my customer's IP is still being blocked by the
> ossec agent. I may be making some bad assumptions. Are these assumptions
> correct?
>
> The rules are defined only in the server's ossec.conf (AND NOT in the
> agent's ossec.conf), right?

Correct. Rules live only on the server.

> Is it necessary to restart the agents after updating or creating a new
> rule?
>

No. Restarting the server's ossec processes is enough.

>
> ossec-testrule: Type one log per line.
>
> Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include filename
> ('../../../../wp-config.php') contains too many '../' (attacker
> '216.115.6.136', file
> '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
> line 24)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jul 25 10:31:10 web6 suhosin[17752]: ALERT - Include
> filename ('../../../../wp-config.php') contains too many '../' (attacker
> '216.115.6.136', file
> '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
> line 24) '
>        hostname: 'web6'
>        program_name: 'suhosin'
>        log: 'ALERT - Include filename ('../../../../wp-config.php') contains
> too many '../' (attacker '216.115.6.136', file
> '/hsphere/local/home/lfc2012/livingfaithchurchwi.org/hp_wordpress/wp-content/plugins/web-ninja-google-analytics/js/gadmain.js.php',
> line 24) '
>
> **Phase 2: Completed decoding.
>        decoder: 'suhosin'
>        id: 'Include filename ('../../../../wp-config.php') contains too many
> '../''
>        srcip: '216.115.6.136'
>
> **Rule debugging:
>     Trying rule: 3 - Generic template for all ids rules.
>        *Rule 3 matched.
>        *Trying child rules.
>     Trying rule: 20100 - First time this IDS alert is generated.
>        *Rule 20100 matched.
>        *Trying child rules.
>     Trying rule: 20102 - Ignored snort ids.
>     Trying rule: 20103 - Ignored snort ids.
>     Trying rule: 100000 - ignore suhosin blocks for now
>        *Rule 100000 matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100000'
>        Level: '0'
>        Description: 'ignore suhosin blocks for now'
>
>
> --
> Gil Vidals
