Hello,
I have spent some time trying to eliminate noise from Snort logs (in
particular, two events which are OK on a given server), but without
success.
Googling, reading manuals and experimenting didn't help much. Even enabling
all debugs in /var/ossec/etc/internal_options.conf didn't give me any obvious
clues to a solution.
The problem is that local rules exactly for Snort events fire and do the
intended action only while running the ossec-logtest tool.
When the OSSEC service is started normally, the local rule is not fired any
more.
Could there be a problem with the snort log format? In fact, there shouldn't be,
since if there were a problem with the multiline format of the snort alert file,
there wouldn't be any ossec alert from the snort file at all. But the point
is that the standard alerts are there; only my custom alert is ignored.
I tried to do a similar thing with alerts from sshd, and in that case
everything works as expected.
Two custom rules are as follows:
<group name="ids,">
<rule id="100001" level="4">
<if_sid>20100,20101</if_sid>
<decoded_as>snort</decoded_as>
<!-- [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
- [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING
-->
<id>119:15:1|119:16:1</id>
<description>Lower the level for some (http_inspect)
events.</description>
</rule>
</group> <!-- IDS -->
<group name="sshd,">
<rule id="100099" level="5">
<if_sid>5710</if_sid>
<decoded_as>sshd</decoded_as>
<description>IVARSG: rule intercepted, works fine!!!!.</description>
</rule>
</group> <!-- IDS -->
Rule 100099 fires in both scenarios, logtest and when ossec runs as a service;
however, rule 100001 fires only when tested with logtest (while rule
20101 also fires in both scenarios).
Could someone please suggest a solution?
See the attached detailed info as suggested in the "How do I troubleshoot ossec?"
section (IP addresses and hostname are modified a little).
Thanks in advance for your time and help,
Ivars
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
hostname:/var/ossec# /var/ossec/bin/ossec-analysisd -V
OSSEC HIDS v2.7 - Trend Micro Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/
hostname:/var/ossec# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.7"
DATE="Thu Jan 31 10:38:22 EET 2013"
TYPE="local"
hostname:/var/ossec# cat /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>localhost</smtp_server>
<email_from>[email protected]</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>openbsd_rules.xml</include>
<include>clam_av_rules.xml</include>
<include>bro-ids_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>194.999.999.999</white_list>
<white_list>194.999.999.998</white_list>
</global>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>6</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.info</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>snort-full</log_format>
<location>/var/log/snort/alert</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/default/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/default/access.log</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -h</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
</localfile>
</ossec_config>
hostname:/var/ossec# cat /var/ossec/logs/ossec.log
2013/02/06 11:55:02 ossec-testrule: INFO: Reading local decoder file.
2013/02/06 11:55:02 ossec-testrule: INFO: Started (pid: 21855).
2013/02/06 11:55:02 ossec-execd: INFO: Started (pid: 21876).
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading local decoder file.
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'rules_config.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'telnetd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'syslog_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'arpwatch_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'symantec-av_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'symantec-ws_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'vsftpd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'pure-ftpd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'proftpd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'ms_ftpd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'hordeimp_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'roundcube_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'wordpress_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'cimserver_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'vpopmail_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'vmpop3d_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'courier_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'web_appsec_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'apache_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'postgresql_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'firewall_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'cisco-ios_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'netscreenfw_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'sonicwall_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'postfix_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'sendmail_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'mailscanner_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'dovecot_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'ms-exchange_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'racoon_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'vpn_concentrator_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'msauth_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'mcafee_av_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'trend-osce_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'solaris_bsm_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'vmware_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'ms_dhcp_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'asterisk_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'attack_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'openbsd_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'clam_av_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'bro-ids_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file:
'dropbear_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2013/02/06 11:55:02 ossec-analysisd: INFO: Total rules enabled: '1291'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2013/02/06 11:55:02 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2013/02/06 11:55:07 ossec-syscheckd: INFO: Started (pid: 21891).
2013/02/06 11:55:07 ossec-rootcheck: INFO: Started (pid: 21891).
2013/02/06 11:55:07 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/02/06 11:55:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/02/06 11:55:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/02/06 11:55:07 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/02/06 11:55:07 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/messages'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/auth.log'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/syslog'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/mail.info'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/dpkg.log'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/snort/alert'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/apache2/default/error.log'.
2013/02/06 11:55:08 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/apache2/default/access.log'.
2013/02/06 11:55:08 ossec-logcollector: INFO: Monitoring output of
command(360): df -h
2013/02/06 11:55:08 ossec-logcollector: INFO: Monitoring full output of
command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2013/02/06 11:55:08 ossec-logcollector: INFO: Monitoring full output of
command(360): last -n 5
2013/02/06 11:55:08 ossec-logcollector: INFO: Started (pid: 21884).
2013/02/06 11:56:09 ossec-syscheckd: INFO: Starting syscheck scan (forwarding
database).
2013/02/06 11:56:09 ossec-syscheckd: INFO: Starting syscheck database
(pre-scan).
2013/02/06 11:58:05 ossec-testrule: INFO: Reading local decoder file.
2013/02/06 11:58:05 ossec-testrule: INFO: Started (pid: 22005).
hostname:/var/ossec# tail -n20 /var/log/snort/alert
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
02/06-11:55:49.787890 159.999.999.999:30462 -> 89.999.999.999:80
TCP TTL:121 TOS:0x0 ID:15553 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x471E860 Ack: 0x513034D4 Win: 0xF3C TcpLen: 20
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[Priority: 3]
02/06-11:57:07.186371 80.999.999.999:55739 -> 89.999.999.999:80
TCP TTL:118 TOS:0x0 ID:19937 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x6AEA760E Ack: 0x8EECD1F9 Win: 0x4029 TcpLen: 20
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[Priority: 3]
02/06-12:02:23.572923 80.999.999.999:53850 -> 89.999.999.999:80
TCP TTL:118 TOS:0x0 ID:27948 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD13E38B Ack: 0xBE736F85 Win: 0x4029 TcpLen: 20
hostname:/var/ossec# tail -n20 /var/ossec/logs/alerts/alerts.log
** Alert 1360144513.15441: mail - ossec,
2013 Feb 06 11:55:13 hostname->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
** Alert 1360144550.15600: mail - ids,
2013 Feb 06 11:55:50 hostname->/var/log/snort/alert
Rule: 20101 (level 6) -> 'IDS event.'
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
** Alert 1360144628.15799: mail - ids,
2013 Feb 06 11:57:08 hostname->/var/log/snort/alert
Rule: 20101 (level 6) -> 'IDS event.'
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
** Alert 1360144944.15991: mail - ids,
2013 Feb 06 12:02:24 hostname->/var/log/snort/alert
Rule: 20101 (level 6) -> 'IDS event.'
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
hostname:/var/ossec# /var/ossec/bin/ossec-logtest
2013/02/06 11:58:05 ossec-testrule: INFO: Reading local decoder file.
2013/02/06 11:58:05 ossec-testrule: INFO: Started (pid: 22005).
ossec-testrule: Type one log per line.
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority:
3] 02/06-11:55:49.787890 159.999.999.999:30462 -> 89.999.999.999:80 TCP TTL:121
TOS:0x0 ID:15553 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x471E860 Ack:
0x513034D4 Win: 0xF3C TcpLen: 20
**Phase 1: Completed pre-decoding.
full event: '[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI
DIRECTORY [**] [Priority: 3] 02/06-11:55:49.787890 159.999.999.999:30462 ->
89.999.999.999:80 TCP TTL:121 TOS:0x0 ID:15553 IpLen:20 DgmLen:1500 DF ***A****
Seq: 0x471E860 Ack: 0x513034D4 Win: 0xF3C TcpLen: 20'
hostname: 'hostname'
program_name: '(null)'
log: '[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3] 02/06-11:55:49.787890 159.999.999.999:30462 -> 89.999.999.999:80
TCP TTL:121 TOS:0x0 ID:15553 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x471E860
Ack: 0x513034D4 Win: 0xF3C TcpLen: 20'
**Phase 2: Completed decoding.
decoder: 'snort'
id: '119:15:1'
srcip: '159.999.999.999'
dstip: '89.999.999.999'
**Phase 3: Completed filtering (rules).
Rule id: '100001'
Level: '4'
Description: 'Lower the level for some (http_inspect) events.'
**Alert to be generated.
hostname:/var/ossec# cat /var/ossec/rules/local_rules.xml
<!-- Modify it at your will. -->
<group name="ids,">
<rule id="100001" level="4">
<if_sid>20100,20101</if_sid>
<decoded_as>snort</decoded_as>
<!-- [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
- [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING
-->
<id>119:15:1|119:16:1</id>
<description>Lower the level for some (http_inspect) events.</description>
</rule>
</group> <!-- IDS -->
<group name="sshd,">
<rule id="100099" level="5">
<if_sid>5710</if_sid>
<decoded_as>sshd</decoded_as>
<description>IVARSG: rule intercepted, works fine!!!!.</description>
</rule>
</group> <!-- IDS -->
<!-- EOF -->
hostname:/var/ossec# uname -a
Linux hostname.domain.tld 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686
GNU/Linux
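One check worth making before going further: the alerts.log excerpt above shows the daemon recorded only the header line of each Snort record as the event, while the ossec-logtest run was fed the whole record joined onto one line. The small parser below is an added example (not the poster's rules and not OSSEC's own decoder; its regexes are my own approximations of the Snort "full" alert layout, not what decoder.xml uses, and the sample records and RFC 5737 addresses are constructed). It decodes the same record three ways and lists which fields are only recoverable when the flow line is present, which makes it clear why one should paste into logtest exactly the string the daemon delivered rather than a hand-joined record.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the post's /var/log/snort/alert (snort "full"
# output). Addresses are RFC 5737 documentation ranges; the second signature is made up.
SAMPLE_ALERT_FILE = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
02/06-11:55:49.787890 198.51.100.7:30462 -> 192.0.2.10:80
TCP TTL:121 TOS:0x0 ID:15553 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x471E860 Ack: 0x513034D4 Win: 0xF3C TcpLen: 20

[**] [1:2000001:2] (hypothetical) EXAMPLE SIGNATURE [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/06-11:57:07.186371 203.0.113.5:55739 -> 192.0.2.10:443
TCP TTL:118 TOS:0x0 ID:19937 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x6AEA760E Ack: 0x8EECD1F9 Win: 0x4029 TcpLen: 20
"""

# These patterns are this example's own approximation of the Snort full-alert layout.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(
    r"\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+\s+"       # timestamp, optional year
    r"([\d.]+)(?::(\d+))?\s+->\s+([\d.]+)(?::(\d+))?"   # src[:port] -> dst[:port]
)


@dataclass
class SnortEvent:
    sig_id: str
    message: str
    priority: Optional[int] = None
    srcip: Optional[str] = None
    srcport: Optional[int] = None
    dstip: Optional[str] = None
    dstport: Optional[int] = None

    def missing_fields(self) -> List[str]:
        """Names of the fields that could not be recovered from the input given."""
        return [name for name in ("priority", "srcip", "dstip")
                if getattr(self, name) is None]


def split_records(text: str) -> List[List[str]]:
    """Group the file into records. A record starts at each '[**] [gid:sid:rev]' header
    line, so the split works with or without the blank separator line Snort writes."""
    records: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if HEADER_RE.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records


def decode(lines: List[str]) -> SnortEvent:
    """Decode one event from the lines handed over. lines[0] must be the header;
    priority and the 'src -> dst' flow are taken from whichever line carries them."""
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    ev = SnortEvent(sig_id=m.group(1), message=m.group(2))
    for line in lines:
        p = PRIORITY_RE.search(line)
        if p:
            ev.priority = int(p.group(1))
        f = FLOW_RE.search(line)
        if f:
            ev.srcip, ev.dstip = f.group(1), f.group(3)
            ev.srcport = int(f.group(2)) if f.group(2) else None
            ev.dstport = int(f.group(4)) if f.group(4) else None
    return ev


def as_logtest_line(lines: List[str]) -> str:
    """Flatten a record into the single space-joined line the post pasted into ossec-logtest."""
    return " ".join(line.strip() for line in lines)


def compare_views(record: List[str]) -> dict:
    """Decode the same record three ways: the whole multi-line record, the header line
    alone (what alerts.log in the post shows as the event), and the flattened paste."""
    return {
        "full_record": decode(record),
        "header_only": decode(record[:1]),
        "logtest_paste": decode([as_logtest_line(record)]),
    }


if __name__ == "__main__":
    for rec in split_records(SAMPLE_ALERT_FILE):
        for view, ev in compare_views(rec).items():
            print("%-14s id=%s priority=%s src=%s dst=%s missing=%s"
                  % (view, ev.sig_id, ev.priority, ev.srcip, ev.dstip, ev.missing_fields()))
```

Running it prints, for each record, that the header line alone yields the signature id but none of priority, srcip or dstip, while the full record and the flattened paste yield all of them. The practical use is to replay into ossec-logtest the exact event text found in alerts.log and compare its decoder output with the run above; if the fields differ, the rule is being evaluated against a different event in production than in the test.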