On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <[email protected]> wrote:
> Hi
>
> Just extracted from squid access.log
>
> 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html
> 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> www.facebook.com:443 - NONE/- text/html
>
> This is the alert that is generated from it:
>
> Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
> Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden file
> or directory from same source ip."
> Portion of the log(s):
>
Ok, that rule fires due to multiple alerts. So if we ignore the
original alert, this one won't fire.
This is from a fairly basic 2.7:
# cat /tmp/f | /var/ossec/bin/ossec-logtest
2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403
3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
hostname: 'arrakis'
program_name: '(null)'
log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
s-static.ak.facebook.com:443 - NONE/- text/html'
**Phase 2: Completed decoding.
decoder: 'squid-accesslog'
srcip: '10.0.0.202'
action: 'TCP_DENIED'
id: '403'
url: 's-static.ak.facebook.com:443'
**Phase 3: Completed filtering (rules).
Rule id: '35005'
Level: '5'
Description: 'Forbidden: Attempt to access forbidden file or directory.'
**Alert to be generated.
So we need to ignore 35005. Let's try this:
<rule id="100102" level="0">
<if_sid>35005</if_sid>
<match>facebook.com</match>
<description>ignore facebook</description>
</rule>
Your match was "<match>.facebook.com/</match>," but this does not
appear in the log messages you provided.
So the logtest output with the new rule:
# cat /tmp/f | /var/ossec/bin/ossec-logtest
2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403
3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
hostname: 'arrakis'
program_name: '(null)'
log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
s-static.ak.facebook.com:443 - NONE/- text/html'
**Phase 2: Completed decoding.
decoder: 'squid-accesslog'
srcip: '10.0.0.202'
action: 'TCP_DENIED'
id: '403'
url: 's-static.ak.facebook.com:443'
**Phase 3: Completed filtering (rules).
Rule id: '100102'
Level: '0'
Description: 'ignore facebook'
So it's ignored. Now we test the multiple attempts thing, and I get
nothing but 100102 alerts.
>
>
> About the upgrade, I'm doing it right now.
>
> On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm trying to customize the behavior of the rule 35051
>> > (squid_rules.xml) in order to not have it fired if someone tries to
>> > access
>> > facebook website.
>> > This rule keeps annoying me, because Facebook "like" button is
>> > EVERYWHERE and my proxy server blocks it.
>> > I wrote this piece of rule on my local_rules.xml but with no
>> > success.
>> >
>> > <rule id="100060" level="0">
>> > <if_sid>35051</if_sid>
>> > <match>.facebook.com/</match>
>> > <description>Squid cache report</description>
>> > </rule>
>> >
>> > Does anybody have the same problem? I'm I doing something wrong?
>> > I appreciate any help.
>> >
>> > Regards.
>> >
>>
>> Can you provide a log sample?
>>
>> > ps: I'm using Ossec Server v2.5.1
>>
>> Upgrade.
