On Mon, Feb 11, 2013 at 4:32 PM, Charles Bailey <[email protected]> wrote:

> Thanks for the replies!
>
> As for documentation... What would have helped me immensely would have been
> a complete, start-to-finish walkthrough installing OSSEC on something
> common, like Ubuntu, and configuring with Windows. I modified the Config
> file based on guesses, without a great deal of confidence, and I suspect
> it's not complete, or done right. I did find some things documented, but it
> was spread throughout the Internet. I'm assuming this is to encourage
> purchasing the book, but I wanted to actually see OSSEC before investing in
> anything. Also, the book is for an older version.
>
I couldn't care less about book sales (sorry Daniel ;)). I just don't think
walk-throughs teach enough to be worth it.

> As for the 404 error, someone keeps trying to access files that don't exist.
> Some are weird, like
> www.mywebsite.com/best-practices-in-european-countries.html, and some are
> obvious attempts at finding installed programs with vulnerabilities. After
> seeing a ton of these, I decided to start looking for an IDS. I'm concerned
> that, even though I still see these probes for installed programs, OSSEC isn't
> doing anything, other than reporting a 400 error.
>

Create a rule to make it alert on 404s specifically.

Using a basic 404 log message:
http://ossec.net/doc/syntax/head_ossec_config.active-response.html

Run it through ossec-logtest:

# /var/ossec/bin/ossec-logtest
2013/02/12 09:22:00 ossec-testrule: INFO: Reading local decoder file.
2013/02/12 09:22:01 ossec-testrule: INFO: Started (pid: 21409).
ossec-testrule: Type one log per line.

127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217

**Phase 1: Completed pre-decoding.
       full event: '127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '127.0.0.1'
       url: '/favicon.ico'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31102'
       Level: '0'
       Description: 'Ignored extensions on 400 error codes.'

Create a basic rule to make 404s alert level higher (add it to
/var/ossec/rules/local_rules.xml):

<rule id="200201" level="10>
  <if_sid>31102</if_sid>
  <id>404</id>
  <description>four oh four</description>
</rule>

Find out I didn't have the closing double quote around the level:

# /var/ossec/bin/ossec-logtest
2013/02/12 09:24:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/12 09:24:17 ossec-analysisd(1226): ERROR: Error reading XML file 'rules//local_rules.xml': XMLERR: Attribute 'level' not closed. (line 119).
2013/02/12 09:24:17 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Fix it, and rerun ossec-logtest:

# /var/ossec/bin/ossec-logtest
2013/02/12 09:25:19 ossec-testrule: INFO: Reading local decoder file.
2013/02/12 09:25:19 ossec-testrule: INFO: Started (pid: 21334).
ossec-testrule: Type one log per line.

127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217

**Phase 1: Completed pre-decoding.
       full event: '127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '127.0.0.1'
       url: '/favicon.ico'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '200201'
       Level: '10'
       Description: 'four oh four'
**Alert to be generated.

> As for Active Response, all I could find was a website that told me how to
> enable it. No other configuration. How/where would I find out how to
> configure it?
>

This is a starting place:
http://ossec.net/doc/syntax/head_ossec_config.active-response.html

I don't do much with Windows, so this is speculation:

<active-response>
  <command>route-null.cmd</command>   <!-- I don't know what this should be -->
  <location>local</location>
  <rules_id>200201</rules_id>
</active-response>

This could potentially null route every host committing an act of 404 on the
server.

> Although it would be ideal, I wasn't able to fix the PHP errors. They were
> minor warnings. I looked inside local_rules.xml, and was completely
> confused. Where can I find documentation on how to configure it to ignore
> PHP errors?
>

Provide samples of the alerts and I can do your work for you.

> Thanks again!
>
>
> On Monday, February 11, 2013 12:50:10 PM UTC-5, Charles Bailey wrote:
>>
>> I wanted the 'Best' IDS for my Windows Apache server, and after a lot of
>> looking around I chose OSSEC. Documentation was pretty sparse, and I'm a
>> Linux newbie, but somehow I managed to install Ubuntu, OSSEC, and the Web
>> interface, and I have the client running on my Windows server. I put in a
>> number of log files in the config file to monitor, and it seems to be
>> working. I've got a number of questions:
>>
>> 1) How does it block hack attempts? Windows Firewall? Some other
>> mechanism?
>>
>> 2) This might be the expected result, but when I get a 404, OSSEC shows it
>> as a 400 error.
>>
>> 3) When someone tries to access a page repeatedly that's not on my server,
>> OSSEC doesn't block them. Actually, I haven't seen ANY blocks. Do they show
>> up in the log?
>>
>> 4) Does OSSEC go by a set of rules to detect hack attempts? How would I
>> update them? How can I tell if they need updating?
>>
>> 5) I keep getting minor PHP config errors logged, almost every minute. How
>> can I disable those from being logged?
>>
>> 6) What files should be monitored? I mainly have just the Apache log and
>> error files monitored.
>>
>>
>> Thanks for any help you can offer!
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
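Two things in the reply above are worth seeing in working form: the rule file failed to load because of an unclosed attribute, which a plain XML well-formedness check would have caught before ossec-logtest was even run, and rule 200201 as posted turns every single 404 into a level-10 alert (and, with the speculative active-response block, a null route), whereas the original poster's complaint was about repeated probing from the same source. The script below is an added example written for this thread; it is not code from the list post or from the OSSEC project. It checks the posted rule fragment for well-formedness, then runs constructed Apache access-log lines (TEST-NET addresses, invented paths) through two correlators: one mimicking the per-event rule, and one approximating OSSEC's frequency/timeframe attributes combined with same_source_ip. The correlator is my own approximation of how those attributes count events, not the engine's code.

```python
"""Added example for this thread (not code from the list post or from OSSEC):
1) check a local_rules.xml fragment is well-formed XML before running
   ossec-logtest, the class of error the reply hit (unclosed level= attribute);
2) show, on constructed Apache access-log lines, how the posted per-event
   rule (every 404 is a level-10 alert) differs from a rule using OSSEC's
   frequency/timeframe attributes with <same_source_ip/>.
The frequency correlator is an approximation of those attributes, not the
engine's own counting code.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule fragment as posted in the reply, missing the closing quote on level.
BROKEN_RULE = (
    '<rule id="200201" level="10>\n'
    '  <if_sid>31102</if_sid>\n'
    '  <id>404</id>\n'
    '  <description>four oh four</description>\n'
    '</rule>'
)
# The same fragment with the quote closed.
FIXED_RULE = BROKEN_RULE.replace('level="10>', 'level="10">')


def rule_parse_error(xml_text):
    """Return None when the fragment is well-formed XML, else the parser's
    message. Catches the mistake ossec-logtest reported as
    "XMLERR: Attribute 'level' not closed" without touching the live config."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


# Apache access-log line in the shape the thread fed to ossec-logtest.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_access_line(line):
    """Decode srcip, timestamp, URL and status: roughly the fields the
    web-accesslog decoder showed in the ossec-logtest output above."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('req').split()
    return {
        'srcip': m.group('srcip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'url': parts[1] if len(parts) > 1 else '',
        'status': m.group('status'),
    }


def per_event_alerts(lines):
    """Behaviour of the posted rule 200201: every decoded 404 is an alert."""
    return [e for e in map(parse_access_line, lines) if e and e['status'] == '404']


def frequency_alerts(lines, frequency=5, timeframe=120):
    """Approximation of a rule carrying frequency="5" timeframe="120" and
    <same_source_ip/>: alert only when one source IP produces `frequency`
    404s inside `timeframe` seconds, once per burst."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)
    alerts = []
    for e in map(parse_access_line, lines):
        if not e or e['status'] != '404':
            continue
        q = recent[e['srcip']]
        q.append(e['ts'])
        while q and e['ts'] - q[0] > window:   # drop hits outside the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((e['srcip'], e['ts']))
            q.clear()                          # one alert per burst
    return alerts


# Constructed sample log: one stray favicon 404, a normal visitor following a
# single dead link, and one source (TEST-NET address) hammering missing pages.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Feb/2013:13:22:22 -0500] "GET /favicon.ico HTTP/1.1" 404 217',
    '198.51.100.7 - - [07/Feb/2013:13:23:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Feb/2013:13:23:05 -0500] "GET /best-practices-in-european-countries.html HTTP/1.1" 404 217',
] + [
    '203.0.113.5 - - [07/Feb/2013:13:30:%02d -0500] "GET /missing-%d.html HTTP/1.1" 404 217' % (5 * i, i)
    for i in range(5)
] + [
    '203.0.113.5 - - [07/Feb/2013:13:40:00 -0500] "GET /missing-9.html HTTP/1.1" 404 217',
]

if __name__ == '__main__':
    print('broken rule:', rule_parse_error(BROKEN_RULE))
    print('fixed rule :', rule_parse_error(FIXED_RULE))
    print('per-event alerts:', len(per_event_alerts(SAMPLE_LOG)))
    for ip, ts in frequency_alerts(SAMPLE_LOG):
        print('frequency alert:', ip, ts)
```

On the sample, the per-event rule fires eight times, including once for the favicon request and once for the visitor who followed a dead link; the frequency version fires once, for the host that requested five missing pages in twenty seconds. In OSSEC's own syntax that second behaviour is a rule with frequency and timeframe attributes, <if_matched_sid>200201</if_matched_sid> and <same_source_ip/>, which is the level you would want before pointing an active-response at it. The XML check is a pre-flight only: local_rules.xml normally has a single <group> root so expat can parse the whole file, but OSSEC's own parser accepts some layouts expat may reject, and ossec-logtest remains the authority on whether the rules load.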
