On Tue, Sep 25, 2012 at 10:14 AM, Leonardo Bacha Abrantes
<[email protected]> wrote:
> Hi Dan,
>
>
> The apache log is:
>
>
> [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity:
> Access denied with code 403 (phase 2). Pattern match
> "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
> ..." at REQUEST_COOKIES:__utmz. [file
> "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass
> attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
> "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id
> "UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client
> 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern
> match
> "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
> ..." at REQUEST_COOKIES:__utmz. [file
> "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass
> attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
> "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id
> "UGG5xn8AAAEAAByF90UAAAAP"]
>
>
>
> thanks!!
>
Running it through ossec-logtest I see:
**Phase 1: Completed pre-decoding.
full event: '[Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/btlai.jpg"] [unique_id
"UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id
"UGG5xn8AAAEAAByF90UAAAAP"]'
hostname: 'arrakis'
program_name: '(null)'
log: '[error] [client 192.168.21.18] ModSecurity: Access denied
with code 403 (phase 2). Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/btlai.jpg"] [unique_id
"UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id
"UGG5xn8AAAEAAByF90UAAAAP"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '192.168.21.18'
**Phase 3: Completed filtering (rules).
Rule id: '30118'
Level: '6'
Description: 'Access attempt blocked by Mod Security.'
**Alert to be generated.
An important part to look at is "log: '[error] [client 192.168.21.18]
ModSecurity: Access denied with code ..." You are looking for
"<match>^client 192.168.21.18</match>" which requires "client" to be
the first part of the log.
Changing the rule to:
<rule id="100201" level="5">
<if_sid>30118</if_sid> <!--I also tried to put the specific
number of rule (30119, 30118,etc.)-->
<match>^[error] [client 192.168.21.18</match>
<description>Blahblahblah</description>
</rule>
Produces this output:
**Phase 1: Completed pre-decoding.
full event: '[Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/btlai.jpg"] [unique_id
"UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id
"UGG5xn8AAAEAAByF90UAAAAP"]'
hostname: 'arrakis'
program_name: '(null)'
log: '[error] [client 192.168.21.18] ModSecurity: Access denied
with code 403 (phase 2). Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/btlai.jpg"] [unique_id
"UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client
192.168.21.18] ModSecurity: Access denied with code 403 (phase 2).
Pattern match
"(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2
..." at REQUEST_COOKIES:__utmz. [file
"/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "235"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri
"/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id
"UGG5xn8AAAEAAByF90UAAAAP"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '192.168.21.18'
**Phase 3: Completed filtering (rules).
Rule id: '100201'
Level: '5'
Description: 'Blahblahblah'
**Alert to be generated.
Roughly 3 minutes worth of "work."
>
>
>
> On Tue, Sep 25, 2012 at 11:08 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 25, 2012 at 10:04 AM, Leonardo Bacha Abrantes
>> <[email protected]> wrote:
>> > Guys,
>> >
>> > I created a rule and inserted it into local_rules.xml, but it is not
>> > working.
>> >
>> > <group name="web,accesslog,">
>> >   <rule id="100201" level="5">
>> >     <if_sid>31100</if_sid> <!-- I also tried to put the specific
>> >     number of rule (30119, 30118, etc.) -->
>> >     <match>^client 192.168.21.18</match>
>> >     <options>no_email_alert</options>
>> >   </rule>
>> > </group>
>> >
>> > What is wrong with it?
>> >
>> > thanks!
>> >
>>
>> Your log sample didn't come through, or I missed it. Can you resend?
>>
>> >
>> >
>> > On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes
>> > <[email protected]> wrote:
>> >>
>> >> yes! exactly this! :)
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Sun, Sep 23, 2012 at 11:30 AM, JB <[email protected]> wrote:
>> >>>
>> >>> Do you mean NOT to trigger alerts when the "Location" is
>> >>> 'your.reverse.proxy.ip -> /var/log/httpd/access_log'?
>> >>>
>> >>>
>> >>> On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha
>> >>> Abrantes
>> >>> wrote:
>> >>>>
>> >>>> Hey guys!
>> >>>>
>> >>>> I have a machine working as a reverse proxy that redirects requests to
>> >>>> another machine, which is my webserver, and I am receiving a lot of
>> >>>> alerts from my webserver that have the IP of my reverse proxy.
>> >>>> I don't want to receive alerts from my webserver that have the IP of my
>> >>>> reverse proxy.
>> >>>>
>> >>>> I found the rule below to ignore any alert, but how can I specify to
>> >>>> ignore alerts only in access.log and error.log from the reverse proxy?
>> >>>>
>> >>>> <rule id="100123" level="0">
>> >>>>   <if_level>8</if_level>
>> >>>>   <srcip>Ip of my reverse proxy</srcip>
>> >>>>   <description>Ignoring any alert above level 8 that has MYIP
>> >>>>   decoded.</description>
>> >>>> </rule>
>> >>>>
>> >>>> many thanks!
>> >>>>
>> >>>>
>> >>>>
>> >>
>> >
>
>
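The point dan makes with ossec-logtest above (the apache-errorlog decoder strips the timestamp, so the `log` field starts with `[error] [client ...` and a `<match>^client ...</match>` can never fire) can be reproduced offline with the following script. It is an added example, not code from the thread or from OSSEC itself: it models OSSEC's `<match>` semantics in a simplified way (`^` anchors the start, `$` the end, `|` separates alternatives, the rest is literal text, case handling ignored), and the sample event is a constructed, shortened version of the ModSecurity line in the thread.

```python
import re

# Constructed sample, shortened from the ModSecurity error-log line in the thread.
SAMPLE_EVENT = ('[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] '
                'ModSecurity: Access denied with code 403 (phase 2). '
                'Pattern match "..." at REQUEST_COOKIES:__utmz. '
                '[id "981245"] [severity "CRITICAL"]')

# Apache error-log timestamp prefix, e.g. "[Tue Sep 25 11:03:50 2012] ".
APACHE_TS = re.compile(r'^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] ')
CLIENT_IP = re.compile(r'\[client ([0-9.]+)\]')


def predecode(event):
    """Mimic Phase 1 of ossec-logtest: the timestamp is removed, so the
    'log' field that rules match against begins with '[error] [client ...'."""
    return APACHE_TS.sub('', event, count=1)


def decode_srcip(log):
    """Mimic the apache-errorlog decoder's srcip extraction (Phase 2)."""
    m = CLIENT_IP.search(log)
    return m.group(1) if m else None


def ossec_match(pattern, log):
    """Simplified OSSEC <match> (assumption: not a regex; '^' anchors to the
    start of the log, '$' to its end, '|' separates alternatives, and every
    other character is literal)."""
    for alt in pattern.split('|'):
        at_start, at_end = alt.startswith('^'), alt.endswith('$')
        literal = alt.lstrip('^').rstrip('$')
        if at_start and at_end:
            ok = log == literal
        elif at_start:
            ok = log.startswith(literal)
        elif at_end:
            ok = log.endswith(literal)
        else:
            ok = literal in log
        if ok:
            return True
    return False


def evaluate_patterns(event, patterns):
    """Run each <match> pattern against the pre-decoded log, as a rule would."""
    log = predecode(event)
    return {p: ossec_match(p, log) for p in patterns}


if __name__ == '__main__':
    for pattern, hit in evaluate_patterns(SAMPLE_EVENT, [
            '^client 192.168.21.18',            # the rule from the original post
            '^[error] [client 192.168.21.18',   # dan's corrected pattern
    ]).items():
        print(f'{pattern!r:40} -> {hit}')
```

Matching on the decoded `srcip` field (as the level-0 rule earlier in the thread does) is independent of this timestamp quirk, which is why `<srcip>` is the more robust way to single out the reverse proxy's address.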