Thank you!
I'm pretty sure I already tried the 35005 "interception" approach, but I'll
try again.
Just for the record, is it possible to "match" multiple sites on a single
rule, like this? Or even using a regex?
<rule id="100102" level="0">
<if_sid>35005</if_sid>
<match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
<description>ignore facebook</description>
</rule>
Regards.
2012/12/4 dan (ddp) <[email protected]>
> On Tue, Dec 4, 2012 at 7:30 AM, Daniel Requena <[email protected]> wrote:
> > Hi
> >
> > Just extracted from squid access.log
> >
> > 1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> > s-static.ak.facebook.com:443 - NONE/- text/html
> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> > s-static.ak.facebook.com:443 - NONE/- text/html
> > 1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> > 1354623033.298 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> > s-static.ak.facebook.com:443 - NONE/- text/html
> > 1354623033.299 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> > 1354623033.303 0 10.0.0.202 TCP_DENIED/403 3765 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> >
> > This is the alert that is generated from it:
> >
> > Received From: (proxy) 10.0.0.55->/var/log/squid/access.log
> > Rule: 35051 fired (level 10) -> "Multiple attempts to access forbidden
> > file or directory from same source ip."
> > Portion of the log(s):
> >
>
> Ok, that rule fires due to multiple alerts. So if we ignore the
> original alert, this one won't fire.
>
> This is from a fairly basic 2.7:
> # cat /tmp/f | /var/ossec/bin/ossec-logtest
> 2012/12/04 08:49:44 ossec-testrule: INFO: Reading local decoder file.
> 2012/12/04 08:49:44 ossec-testrule: INFO: Started (pid: 29617).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
> full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403
> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> hostname: 'arrakis'
> program_name: '(null)'
> log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html'
>
> **Phase 2: Completed decoding.
> decoder: 'squid-accesslog'
> srcip: '10.0.0.202'
> action: 'TCP_DENIED'
> id: '403'
> url: 's-static.ak.facebook.com:443'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '35005'
> Level: '5'
> Description: 'Forbidden: Attempt to access forbidden file or
> directory.'
> **Alert to be generated.
>
>
> So we need to ignore 35005. Let's try this:
>
> <rule id="100102" level="0">
> <if_sid>35005</if_sid>
> <match>facebook.com</match>
> <description>ignore facebook</description>
> </rule>
>
> Your match was "<match>.facebook.com/</match>," but this does not
> appear in the log messages you provided.
>
> So the logtest output with the new rule:
> # cat /tmp/f | /var/ossec/bin/ossec-logtest
> 2012/12/04 08:51:31 ossec-testrule: INFO: Reading local decoder file.
> 2012/12/04 08:51:31 ossec-testrule: INFO: Started (pid: 25432).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
> full event: '1354623033.296 0 10.0.0.202 TCP_DENIED/403
> 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html'
> hostname: 'arrakis'
> program_name: '(null)'
> log: '0 10.0.0.202 TCP_DENIED/403 3789 CONNECT
> s-static.ak.facebook.com:443 - NONE/- text/html'
>
> **Phase 2: Completed decoding.
> decoder: 'squid-accesslog'
> srcip: '10.0.0.202'
> action: 'TCP_DENIED'
> id: '403'
> url: 's-static.ak.facebook.com:443'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100102'
> Level: '0'
> Description: 'ignore facebook'
>
> So it's ignored. Now we test the multiple attempts thing, and I get
> nothing but 100102 alerts.
>
>
> >
> >
> > About the upgrade, I'm doing it right now.
> >
> > On Monday, December 3, 2012 6:06:15 PM UTC-2, dan (ddpbsd) wrote:
> >>
> >> On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena <[email protected]>
> >> wrote:
> >> > Hi,
> >> >
> >> > I'm trying to customize the behavior of the rule 35051
> >> > (squid_rules.xml) in order to not have it fired if someone tries to
> >> > access
> >> > facebook website.
> >> > This rule keeps annoying me, because Facebook "like" button is
> >> > EVERYWHERE and my proxy server blocks it.
> >> > I wrote this piece of rule on my local_rules.xml but with no
> >> > success.
> >> >
> >> > <rule id="100060" level="0">
> >> > <if_sid>35051</if_sid>
> >> > <match>.facebook.com/</match>
> >> > <description>Squid cache report</description>
> >> > </rule>
> >> >
> >> > Does anybody have the same problem? Am I doing something wrong?
> >> > I appreciate any help.
> >> >
> >> > Regards.
> >> >
> >>
> >> Can you provide a log sample?
> >>
> >> > ps: I'm using Ossec Server v2.5.1
> >>
> >> Upgrade.
>
--
Best regards
Daniel Requena
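The rule chain dan walks through above (35005 firing once per denied line, 35051 firing only after repeated 35005 alerts from one source, and a level-0 child of 35005 silencing both) as an added example that is not part of this thread and not OSSEC's own code: a small Python model of that evaluation order, driven by a constructed rule set and by three of the thread's log lines plus a few constructed ones. The `<match>` in the constructed ignore rule lists two hosts separated by `|`, the alternation operator OSSEC's match syntax provides. The frequency and timeframe on 35051, the `payroll.example.com` and `intranet.example.com` hosts, and the simplified matching and ordering semantics are assumptions of the example, not what squid_rules.xml or analysisd actually ship.

```python
import re
import xml.etree.ElementTree as ET
# Constructed rules modelled on squid_rules.xml plus the thread's local rule with
# '|' in one <match>; 35051's frequency and timeframe are assumed, not the shipped ones.
SQUID_RULES = """
<rule id="35005" level="5"><decoded_as>squid-accesslog</decoded_as><id>403</id>
  <description>Forbidden: Attempt to access forbidden file or directory.</description></rule>
<rule id="35051" level="10" frequency="3" timeframe="120"><if_matched_sid>35005</if_matched_sid>
  <same_source_ip/><description>Multiple attempts to access forbidden file or directory from same source ip.</description></rule>
"""
IGNORE_RULE = """
<rule id="100102" level="0"><if_sid>35005</if_sid>
  <match>www.facebook.com|s-static.ak.facebook.com</match><description>ignore facebook</description></rule>
"""

def rules_xml(with_ignore):
    return '<group name="squid,">' + SQUID_RULES + (IGNORE_RULE if with_ignore else "") + "</group>"

# Squid native-format lines: three facebook CONNECTs from the thread, then one
# allowed request and three denials for a constructed host, payroll.example.com.
SAMPLE_LOG = """\
1354623033.296 0 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3789 CONNECT s-static.ak.facebook.com:443 - NONE/- text/html
1354623033.297 1 10.0.0.202 TCP_DENIED/403 3765 CONNECT www.facebook.com:443 - NONE/- text/html
1354623040.100 2 10.0.0.202 TCP_MISS/200 1024 GET http://intranet.example.com/ - DIRECT/10.0.0.9 text/html
1354623041.000 0 10.0.0.202 TCP_DENIED/403 3700 CONNECT payroll.example.com:443 - NONE/- text/html
1354623041.500 0 10.0.0.202 TCP_DENIED/403 3700 CONNECT payroll.example.com:443 - NONE/- text/html
1354623042.000 0 10.0.0.202 TCP_DENIED/403 3700 CONNECT payroll.example.com:443 - NONE/- text/html
"""
SQUID_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<srcip>\S+)\s+(?P<action>\w+)/(?P<id>\d+)\s+\d+\s+\w+\s+(?P<url>\S+)")

def decode(line):
    """squid-accesslog decoder: the fields logtest prints, or None if not squid."""
    m = SQUID_RE.match(line)
    if m:
        ev = m.groupdict()
        ev.update(decoder="squid-accesslog", ts=float(ev["ts"]), log=line)
        return ev

def os_match(pattern, text):
    """Simplified OS_Match: '|' = OR, leading '^' / trailing '$' anchor, rest literal."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = re.escape(alt[head:len(alt) - tail])
        if re.search(("^" if head else "") + body + ("$" if tail else ""), text):
            return True
    return False

def load_rules(xml_text):
    """Parse the rule options this model understands, keeping file order."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = dict(
            id=r.get("id"), level=int(r.get("level")), frequency=int(r.get("frequency", 0)),
            timeframe=int(r.get("timeframe", 0)), decoded_as=r.findtext("decoded_as"),
            idfield=r.findtext("id"), match=r.findtext("match"), if_sid=r.findtext("if_sid"),
            if_matched_sid=r.findtext("if_matched_sid"), same_source_ip=r.find("same_source_ip") is not None)
    return rules

def rule_matches(rule, ev):
    return ((not rule["decoded_as"] or rule["decoded_as"] == ev["decoder"])
            and (not rule["idfield"] or os_match(rule["idfield"], ev["id"]))
            and (not rule["match"] or os_match(rule["match"], ev["log"])))

def evaluate(rules, ev, history):
    """Rule that fires for one event (or None); history: (ts, rule_id, srcip) of alerts actually generated."""
    fired = next((r for r in rules.values() if not r["if_sid"]
                  and not r["if_matched_sid"] and rule_matches(r, ev)), None)
    while fired:  # a matching if_sid child replaces its parent ...
        child = next((c for c in rules.values()
                      if c["if_sid"] == fired["id"] and rule_matches(c, ev)), None)
        if child is None:
            break
        fired = child
    if fired is None or fired["level"] == 0:
        return fired  # ... and at level 0 nothing is stored to correlate on
    base = fired
    for fr in rules.values():  # frequency rules keyed on the alert just generated
        if fr["if_matched_sid"] == base["id"]:
            recent = [1 for ts, rid, ip in history if rid == base["id"]
                      and ev["ts"] - ts <= fr["timeframe"]
                      and (not fr["same_source_ip"] or ip == ev["srcip"])]
            if len(recent) + 1 >= fr["frequency"]:
                fired = fr
                break
    history.append((ev["ts"], base["id"], ev["srcip"]))
    return fired

def run(log_text, xml_text):
    """Every line through decoder and rules -> [(url, rule_id, level)]."""
    rules, history, out = load_rules(xml_text), [], []
    for ev in filter(None, map(decode, log_text.splitlines())):
        fired = evaluate(rules, ev, history)
        out.append((ev["url"], fired and fired["id"], fired and fired["level"]))
    return out

if __name__ == "__main__":
    for with_ignore in (True, False):
        print("with 100102:" if with_ignore else "without 100102:", run(SAMPLE_LOG, rules_xml(with_ignore)))
```

Run as a script it prints the fired rule per line with and without rule 100102: with it the facebook lines come back as 100102 at level 0 and never feed 35051, while the payroll denials still climb from 35005 to 35051; without it the third facebook denial already trips 35051, which is the behaviour the original poster was fighting. This only models the ordering; the authoritative check remains feeding the lines to ossec-logtest with the rule in local_rules.xml, as shown in the quoted reply.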