On Mon, Dec 17, 2012 at 3:49 PM, Dhinakaran G <[email protected]> wrote: > Hi all, > > In web_rules.xml rule is triggering alert that are stored in the log , but > not reaching our email notication , any idea. > > here the file: > -------------------- > <group name="web,accesslog,"> > <rule id="31100" level="5"> > <category>web-log</category> > <description>Access log messages grouped.</description> > </rule> > > <rule id="31108" level="5"> > <if_sid>31100</if_sid> > <id>^2|^3</id> > <compiled_rule>is_simple_http_request</compiled_rule> > <description>Ignored URLs (simple queries).</description> > </rule> > > <rule id="31101" level="5"> > <if_sid>31100</if_sid> > <id>^4</id> > <description>Web server 400 error code.</description> > </rule> > > <rule id="31102" level="5"> > <if_sid>31101</if_sid> > <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$</url> > <compiled_rule>is_simple_http_request</compiled_rule> > <description>Ignored extensions on 400 error codes.</description> > </rule> > > <rule id="31103" level="6"> > <if_sid>31100</if_sid> > > <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url> > <url>union+|where+|null,null|xp_cmdshell</url> > <description>SQL injection attempt.</description> > <group>attack,sql_injection,</group> > </rule> > > <rule id="31104" level="6"> > <if_sid>31100</if_sid> > > <!-- Attempt to do directory transversal, simple sql injections, > - or access to the etc or bin directory (unix). --> > <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url> > <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url> > <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url> > <url>cat%20|exec%20|rm%20</url> > <description>Common web attack.</description> > <group>attack,</group> > </rule> > > <rule id="31105" level="6"> > <if_sid>31100</if_sid> > > <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url> > <url>%20ONLOAD=|INPUT%20|iframe%20</url> > <description>XSS (Cross Site Scripting) attempt.</description> > <group>attack,</group> > </rule> > > <rule id="31106" level="6"> > <if_sid>31103, 31104, 31105</if_sid> > <id>^200</id> > <description>A web attack returned code 200 (success).</description> > > <group>attack,</group> > </rule> > > <rule id="31110" level="6"> > <if_sid>31100</if_sid> > <url>?-d|?-s|?-a|?-b|?-w</url> > <description>PHP CGI-bin vulnerability attempt.</description> > <group>attack,</group> > </rule> > > <rule id="31109" level="6"> > <if_sid>31100</if_sid> > <url>+as+varchar(8000)</url> > > <regex>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</regex> > <description>MSSQL Injection attempt (/ur.php, urchin.js)</description> > <group>attack,</group> > </rule> > > > <!-- If your site have a search engine, you may need to ignore > - it in here. > --> > <rule id="31107" level="0"> > <if_sid>31103, 31104, 31105</if_sid> > <url>^/search.php?search=|^/index.php?searchword=</url> > <description>Ignored URLs for the web attacks</description> > </rule> > > <rule id="31115" level="13" maxsize="5900"> > <if_sid>31100</if_sid> > <description>URL too long. Higher than allowed on most </description> > <description>browsers. Possible attack.</description> > <group>invalid_access,</group> > </rule> > > <!-- 500 error codes, server error > - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html > --> > <rule id="31120" level="5"> > <if_sid>31100</if_sid> > <id>^50</id> > <description>Web server 500 error code (server error).</description> > </rule> > > <rule id="31121" level="4"> > <if_sid>31120</if_sid> > <id>^501</id> > <description>Web server 501 error code (Not Implemented).</description> > </rule> > <rule id="31122" level="5"> > <if_sid>31120</if_sid> > <id>^500</id> > <options>alert_by_email</options> > <description>Web server 500 error code (Internal Error).</description> > <group>system_error,</group> > </rule> > > <rule id="31123" level="4"> > <if_sid>31120</if_sid> > <id>^503</id> > <options>alert_by_email</options> > <description>Web server 503 error code (Service > unavailable).</description> > </rule> > > > <!-- Rules to ignore crawlers --> > <rule id="31140" level="0"> > <if_sid>31101</if_sid> > <compiled_rule>is_valid_crawler</compiled_rule> > <description>Ignoring google/msn/yahoo bots.</description> > </rule> > > > <rule id="31151" level="10" frequency="10" timeframe="120"> > > <if_matched_sid>31101</if_matched_sid> > <same_source_ip /> > <description>Multiple web server 400 error codes </description> > <description>from same source ip.</description> > <group>web_scan,recon,</group> > </rule> > > <rule id="31152" level="10" frequency="6" timeframe="120"> > <if_matched_sid>31103</if_matched_sid> > <same_source_ip /> > <description>Multiple SQL injection attempts from same </description> > <description>souce ip.</description> > <group>attack,sql_injection,</group> > </rule> > > <rule id="31153" level="10" frequency="8" timeframe="120"> > <if_matched_sid>31104</if_matched_sid> > <same_source_ip /> > <description>Multiple common web attacks from same souce > ip.</description> > <group>attack,</group> > </rule> > > <rule id="31154" level="10" frequency="8" timeframe="120"> > <if_matched_sid>31105</if_matched_sid> > <same_source_ip /> > <description>Multiple XSS (Cross Site Scripting) attempts </description> > <description>from same souce ip.</description> > <group>attack,</group> > </rule> > > <rule id="31161" level="10" frequency="8" timeframe="120"> > <if_matched_sid>31121</if_matched_sid> > <same_source_ip /> > <description>Multiple web server 501 error code (Not > Implemented).</description> > <group>web_scan,recon,</group> > </rule> > > <rule id="31162" level="10" frequency="5" timeframe="120"> > <if_matched_sid>31122</if_matched_sid> > <same_source_ip /> > <description>Multiple web server 500 error code (Internal > Error).</description> > <group>system_error,</group> > </rule> > > <rule id="31163" level="10" frequency="8" timeframe="120"> > <if_matched_sid>31123</if_matched_sid> > <same_source_ip /> > <description>Multiple web server 503 error code (Service > unavailable).</description> > <group>web_scan,recon,</group> > </rule> > </group> <!-- Web access log --> > > log: > ==== > > ==================================================== > > root@ossec-server:/var/ossec/logs/alerts# tail -f alerts.log > Rule: 31101 (level 5) -> 'Web server 400 error code.' > Src IP: 10.91.27.83 > 10.91.27.83 - - [18/Dec/2012:02:17:50 +0530] "GET /_hostmanager/healthcheck > HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0" > > ** Alert 1355777301.244484: - web,accesslog, > 2012 Dec 18 02:18:21 ossec-server->/var/log/apache2/access.log > Rule: 31101 (level 5) -> 'Web server 400 error code.' > Src IP: 10.91.27.83 > 10.91.27.83 - - [18/Dec/2012:02:18:20 +0530] "GET /_hostmanager/healthcheck > HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0" > > ** Alert 1355777331.244789: - web,accesslog, > 2012 Dec 18 02:18:51 ossec-server->/var/log/apache2/access.log > Rule: 31101 (level 5) -> 'Web server 400 error code.' > Src IP: 10.91.27.83 > 10.91.27.83 - - [18/Dec/2012:02:18:50 +0530] "GET /_hostmanager/healthcheck > HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0" > >
Are you sure level 5 alerts should trigger emails? The default is 7.
