thanks a lot Dan!
On Tue, Sep 25, 2012 at 11:25 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Sep 25, 2012 at 10:14 AM, Leonardo Bacha Abrantes
> <[email protected]> wrote:
> > Hi Dan,
> >
> > The apache log is:
> >
> > [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"]
> > [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]
> >
> > thanks!!
>
> Running it through ossec-logtest I see:
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '[error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.21.18'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '30118'
>        Level: '6'
>        Description: 'Access attempt blocked by Mod Security.'
> **Alert to be generated.
>
> An important part to look at is "log: '[error] [client 192.168.21.18] ModSecurity: Access denied with code ..."
> You are looking for "<match>^client 192.168.21.18</match>" which requires "client" to be the first part of the log.
>
> Changing the rule to:
>
> <rule id="100201" level="5">
>   <if_sid>30118</if_sid> <!-- I also tried to put the specific number of rule (30119, 30118, etc.) -->
>   <match>^[error] [client 192.168.21.18</match>
>   <description>Blahblahblah</description>
> </rule>
>
> Produces this output:
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '[error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/btlai.jpg"] [unique_id "UGG5xn8AAAEAABzuFRgAAAAS"] [Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4\\xe2 ..." at REQUEST_COOKIES:__utmz. [file "/etc/httpd/conf.d/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\xc2\\xba49 d"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname "www.mysite.com"] [uri "/sites/all/themes/mysite/img/logo-brasil.jpg"] [unique_id "UGG5xn8AAAEAAByF90UAAAAP"]'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.21.18'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100201'
>        Level: '5'
>        Description: 'Blahblahblah'
> **Alert to be generated.
>
> Roughly 3 minutes worth of "work."
>
> > On Tue, Sep 25, 2012 at 11:08 AM, dan (ddp) <[email protected]> wrote:
> > > On Tue, Sep 25, 2012 at 10:04 AM, Leonardo Bacha Abrantes
> > > <[email protected]> wrote:
> > > > Guys,
> > > >
> > > > I created a rule and inserted it into local_rules.xml, but it is not working.
> > > >
> > > > <group name="web,accesslog,">
> > > >   <rule id="100201" level="5">
> > > >     <if_sid>31100</if_sid> <!-- I also tried to put the specific number of rule (30119, 30118, etc.) -->
> > > >     <match>^client 192.168.21.18</match>
> > > >     <options>no_email_alert</options>
> > > >   </rule>
> > > > </group>
> > > >
> > > > What is wrong with it?
> > > >
> > > > thanks!
> > >
> > > Your log sample didn't come through, or I missed it. Can you resend?
> > >
> > > > On Mon, Sep 24, 2012 at 9:13 AM, Leonardo Bacha Abrantes
> > > > <[email protected]> wrote:
> > > > > yes! exactly this! :)
> > > > >
> > > > > On Sun, Sep 23, 2012 at 11:30 AM, JB <[email protected]> wrote:
> > > > > > Do you mean NOT to trigger alerts when the "Location" is
> > > > > > 'your.reverse.proxy.ip -> /var/log/httpd/access_log'?
> > > > > >
> > > > > > On Friday, September 21, 2012 10:58:17 AM UTC-7, Leonardo Bacha Abrantes wrote:
> > > > > > > Hey guys!
> > > > > > >
> > > > > > > I have a machine working as a reverse proxy that redirects requests to
> > > > > > > another machine, which is my webserver, and I am receiving a lot of
> > > > > > > alerts from my webserver that carry the IP of my reverse proxy.
> > > > > > > I don't want to receive alerts from my webserver that have the IP of my
> > > > > > > reverse proxy.
> > > > > > >
> > > > > > > I found the rule below to ignore any alert, but how can I specify to
> > > > > > > ignore alerts only in access.log and error.log from the reverse proxy?
> > > > > > >
> > > > > > > <rule id="100123" level="0">
> > > > > > >   <if_level>8</if_level>
> > > > > > >   <srcip>Ip of my reverse proxy</srcip>
> > > > > > >   <description>Ignoring any alert above level 8 that has MYIP decoded.</description>
> > > > > > > </rule>
> > > > > > >
> > > > > > > many thanks!
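The reason Dan's fix works, and why the original `<match>^client 192.168.21.18</match>` never fires, is that OSSEC matches `<match>` against the `log:` field left after pre-decoding (the Apache timestamp stripped, `[error] [client ...` now at the start), and `<match>` is a literal substring test whose only metacharacters are `^`, `$` and `|`. The following Python is an added example, not code from the thread or from OSSEC, that approximates those three phases of ossec-logtest (pre-decoding, the apache-errorlog decoder, rule chaining) over a constructed log line in the thread's format. The stand-in rules 30100/30118 are simplified, not the real apache_rules.xml definitions, and the sample log lines are constructed with the thread's placeholder IP and paths. It runs the broken rule, the fixed rule, a rule keyed on the decoded srcip (the approach from Leonardo's first message), and a rule chained from the wrong parent, and returns which rule wins in each case.

```python
import re

# Constructed sample line in the shape of the thread's ModSecurity entry (pattern text
# shortened); 192.168.21.18 is the reverse-proxy address used in the thread.
LOG_PROXY = ('[Tue Sep 25 11:03:50 2012] [error] [client 192.168.21.18] '
             'ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." '
             'at REQUEST_COOKIES:__utmz. [id "981245"] [hostname "www.mysite.com"] '
             '[uri "/sites/all/themes/mysite/img/btlai.jpg"]')
# Same event from a different (constructed, documentation-range) client address.
LOG_OTHER = LOG_PROXY.replace('192.168.21.18', '203.0.113.7')

# Simplified stand-ins for the stock rules named in the thread. 30118 is the rule
# ossec-logtest reported; there is deliberately no 31100 here because that id is the
# web access-log parent and never fires for an apache-errorlog event.
BASE_RULES = [
    {'id': 30100, 'level': 0},
    {'id': 30118, 'level': 6, 'if_sid': 30100, 'match': 'ModSecurity: Access denied'},
]


def predecode(line):
    """Phase 1 (approximation): drop the leading Apache timestamp, leaving what
    ossec-logtest prints as the 'log:' field."""
    m = re.match(r'^\[[^\]]*\] (.*)$', line)
    return m.group(1) if m else line


def decode_apache_errorlog(log):
    """Phase 2 (approximation of the apache-errorlog decoder): pull the client
    address out of '[error] [client A.B.C.D]' into the srcip field."""
    m = re.match(r'^\[[a-z]+\] \[client (\d{1,3}(?:\.\d{1,3}){3})', log)
    return {'srcip': m.group(1)} if m else {}


def os_match(pattern, text):
    """Semantics of OSSEC <match>: literal substring search, '^' anchors to the start,
    '$' to the end, '|' separates alternatives. Brackets and dots are ordinary
    characters, which is why '^[error] [client' needs no escaping."""
    for alt in pattern.split('|'):
        start = alt.startswith('^')
        body = alt[1:] if start else alt
        end = body.endswith('$')
        if end:
            body = body[:-1]
        if start and end:
            ok = text == body
        elif start:
            ok = text.startswith(body)
        elif end:
            ok = text.endswith(body)
        else:
            ok = body in text
        if ok:
            return True
    return False


def evaluate(line, local_rules):
    """Run one line through the three phases and return (rule id, level) of the
    winning rule, as the '**Phase 3' block of ossec-logtest reports. A child rule
    is only considered when its <if_sid> parent is the current winner; if the child
    matches it replaces the parent."""
    log = predecode(line)
    fields = decode_apache_errorlog(log)
    if not fields:
        return None
    winner = None
    for rule in BASE_RULES + local_rules:
        parent = rule.get('if_sid')
        if parent is not None and (winner is None or winner['id'] != parent):
            continue
        if rule.get('match') and not os_match(rule['match'], log):
            continue
        if rule.get('srcip') and rule['srcip'] != fields['srcip']:
            continue
        winner = rule
    return winner['id'], winner['level']


# Hypothetical local_rules.xml variants, as dicts: Leonardo's original match, Dan's
# corrected match, a level-0 rule keyed on the decoded srcip, and the wrong parent.
BROKEN = [{'id': 100201, 'level': 5, 'if_sid': 30118, 'match': '^client 192.168.21.18'}]
FIXED = [{'id': 100201, 'level': 5, 'if_sid': 30118, 'match': '^[error] [client 192.168.21.18'}]
BY_SRCIP = [{'id': 100201, 'level': 0, 'if_sid': 30118, 'srcip': '192.168.21.18'}]
WRONG_PARENT = [{'id': 100201, 'level': 5, 'if_sid': 31100, 'match': '^[error] [client 192.168.21.18'}]

if __name__ == '__main__':
    for name, rules in [('broken', BROKEN), ('fixed', FIXED),
                        ('by srcip', BY_SRCIP), ('wrong parent', WRONG_PARENT)]:
        print(name, evaluate(LOG_PROXY, rules), evaluate(LOG_OTHER, rules))
```

Two checks worth doing before trusting such a rule in production. First, chain from the parent that ossec-logtest actually prints in Phase 3 (30118 here); `<if_sid>31100</if_sid>` can never match because 31100 belongs to the access-log decoder, not apache-errorlog. Second, prefer `<srcip>` over an anchored `<match>` when the intent is "events from the proxy": the string `[error] [client 1.2.3.4]` is the Apache 2.2 error-log layout, and Apache 2.4 writes `[core:error] [pid N] [client 1.2.3.4:port]` instead, which silently breaks the anchored match while the decoded srcip keeps working. Note also what a level-0 rule on the proxy's address does: every request reaches the backend from that address, so ModSecurity blocks of real attacks are silenced along with the noise unless the proxy forwards the original client address and the backend logs it.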
