On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <[email protected]> wrote:
> Hi
>
>    Just extracted from squid access.log
>
> 1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.298      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.299      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
>
>      This is the alert that is generated from it:
>
> Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
> Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file
> or directory from same source ip."
> Portion of the log(s):
>

Ok, that rule fires due to multiple alerts. So if we ignore the
original alert, this one won't fire.

This is from a fairly basic 2.7:
# cat /tmp/f  | /var/ossec/bin/ossec-logtest
2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
s-static.ak.facebook.com:443 - NONE/- text/html'

**Phase 2: Completed decoding.
       decoder: 'squid-accesslog'
       srcip: '10.0.0.202'
       action: 'TCP_DENIED'
       id: '403'
       url: 's-static.ak.facebook.com:443'

**Phase 3: Completed filtering (rules).
       Rule id: '35005'
       Level: '5'
       Description: 'Forbidden: Attempt to access forbidden file or directory.'
**Alert to be generated.


So we need to ignore 35005. Let's try this:

  <rule id="100102" level="0">
    <if_sid>35005</if_sid>
    <match>facebook.com</match>
    <description>ignore facebook</description>
  </rule>

Your match was "<match>.facebook.com/</match>," but this does not
appear in the log messages you provided.

So the logtest output with the new rule:
# cat /tmp/f  | /var/ossec/bin/ossec-logtest
2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '1354623033.296      0 10.0.0.202 TCP_DENIED/403
3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
s-static.ak.facebook.com:443 - NONE/- text/html'

**Phase 2: Completed decoding.
       decoder: 'squid-accesslog'
       srcip: '10.0.0.202'
       action: 'TCP_DENIED'
       id: '403'
       url: 's-static.ak.facebook.com:443'

**Phase 3: Completed filtering (rules).
       Rule id: '100102'
       Level: '0'
       Description: 'ignore facebook'

So it's ignored. Now we test the multiple attempts thing, and I get
nothing but 100102 alerts.


>
>
>     About the upgrade, I'm doing it right now.
>
> On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <[email protected]> wrote:
>> > Hi,
>> >
>> >      I'm trying to customize the behavior of the rule 35051
>> > (squid_rules.xml) in order to not have it fired if someone tries to
>> > access
>> > facebook website.
>> >      This rule keeps annoying me, because Facebook "like" button is
>> > EVERYWHERE and my proxy server blocks it.
>> >      I wrote this piece of rule on my local_rules.xml but with no
>> > success.
>> >
>> >  <rule id="100060" level="0">
>> >     <if_sid>35051</if_sid>
>> >     <match>.facebook.com/</match>
>> >     <description>Squid cache report</description>
>> > </rule>
>> >
>> >      Does anybody have the same problem? Am I doing something wrong?
>> >      I appreciate any help.
>> >
>> > Regards.
>> >
>>
>> Can you provide a log sample?
>>
>> > ps: I'm using Ossec Server v2.5.1
>>
>> Upgrade.

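To make the rule chain dan walks through concrete, here is an added simulation (not OSSEC code, and not from anyone in the thread): it decodes the sample access.log lines the way the squid-accesslog decoder does, fires 35005 on TCP_DENIED/403, lets a level-0 child rule (100102) swallow facebook.com hits, and only counts surviving 35005 alerts toward the composite 35051. The frequency/timeframe for 35051 are not shown in the thread and are assumed values here.

```python
import re
from collections import defaultdict

# Constructed sample: the denied CONNECT lines from the thread, squid access.log format.
SAMPLE_LOG = """\
1354623033.296      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297      1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297      1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.298      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.299      0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.299      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623033.303      0 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
"""

# Assumed values: the real frequency/timeframe of 35051 are not shown in the thread.
FREQUENCY, TIMEFRAME = 5, 120

# Fields the squid-accesslog decoder exposes: srcip, action, id, url (plus the timestamp).
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<srcip>\S+)\s+(?P<action>\w+)/(?P<id>\d+)\s+\d+\s+\S+\s+(?P<url>\S+)"
)

def decode(line):
    """Mimic the decoder phase: return the extracted fields or None if the line does not match."""
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None

def evaluate(log_text, ignore_facebook):
    """Return one (rule_id, level) per decoded line.
    35005 (level 5) fires on TCP_DENIED/403. With ignore_facebook, the level-0 child
    100102 replaces it for facebook.com URLs, so nothing is counted toward 35051.
    35051 (level 10) fires when FREQUENCY surviving 35005 alerts share a srcip within TIMEFRAME."""
    alerts = []
    seen = defaultdict(list)  # srcip -> timestamps of 35005 alerts still inside the window
    for line in log_text.splitlines():
        ev = decode(line)
        if not ev or ev["action"] != "TCP_DENIED" or ev["id"] != "403":
            continue
        rule, level = 35005, 5
        if ignore_facebook and "facebook.com" in ev["url"]:
            rule, level = 100102, 0  # <if_sid>35005</if_sid> + <match>facebook.com</match>
        if rule == 35005:
            ts = float(ev["ts"])
            seen[ev["srcip"]] = [t for t in seen[ev["srcip"]] if ts - t <= TIMEFRAME] + [ts]
            if len(seen[ev["srcip"]]) >= FREQUENCY:
                rule, level = 35051, 10  # composite rule replaces the child alert
                seen[ev["srcip"]].clear()
        alerts.append((rule, level))
    return alerts
```

Run evaluate(SAMPLE_LOG, False) to see 35051 fire on the fifth denial, and evaluate(SAMPLE_LOG, True) to see only level-0 100102 results, which is the behaviour dan's logtest shows.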