Hi everyone,
I'm new to OSSEC management (in an existing and actually working
architecture) and I'm trying to get rid of 404 false positive alerts raised
by known bots such as bingbot, msnbot, googlebot, Majestic12 and so on.
The existing local_rules.xml declares these rules:
8<---------------------------------------------------------------------------------------------------
<group name="web,accesslog,">
...
<rule id="117003" level="3">
<if_sid>31101</if_sid>
<id>^404</id>
<description>Web server 404 error code.</description>
</rule>
<rule id="117004" level="8" frequency="10" timeframe="120">
<if_matched_sid>117003</if_matched_sid>
<same_source_ip />
<description>Multiple web server 404 error code</description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>
8<---------------------------------------------------------------------------------------------------
And I tried something like this to ignore some IP addresses of well known
crawl bots:
8<---------------------------------------------------------------------------------------------------
<rule id="117111" level="2">
<if_matched_sid>117003</if_matched_sid>
<!-- Bnf.fr bot -->
<srcip>194.199.7.23</srcip>
<!-- Majestic12 -->
<srcip>5.9.107.48</srcip>
<srcip>62.141.45.101</srcip>
<srcip>71.168.109.155</srcip>
<srcip>74.118.192.202</srcip>
<srcip>79.91.59.81</srcip>
<srcip>82.128.253.85</srcip>
<srcip>92.206.62.138</srcip>
<srcip>94.23.42.135</srcip>
<srcip>173.208.165.194</srcip>
<srcip>108.59.8.80</srcip>
<srcip>184.154.48.82</srcip>
<srcip>204.12.208.162</srcip>
<srcip>204.12.208.218</srcip>
<srcip>204.124.181.85</srcip>
<!-- Bing -->
<srcip>65.55.52.114</srcip>
<srcip>157.55.32.58</srcip>
<srcip>157.55.32.96</srcip>
<srcip>157.55.32.103</srcip>
<srcip>157.55.32.105</srcip>
<srcip>157.55.32.117</srcip>
<srcip>157.55.32.141</srcip>
<srcip>157.55.32.143</srcip>
<srcip>157.55.32.144</srcip>
<srcip>157.55.32.149</srcip>
<srcip>157.55.32.153</srcip>
<srcip>157.55.32.164</srcip>
<srcip>157.55.33.20</srcip>
<srcip>157.55.33.84</srcip>
<srcip>157.55.33.109</srcip>
<srcip>157.55.34.28</srcip>
<srcip>157.55.35.41</srcip>
<srcip>157.55.35.94</srcip>
<srcip>157.55.35.99</srcip>
<srcip>157.55.35.113</srcip>
<srcip>157.55.35.114</srcip>
<srcip>157.55.36.39</srcip>
<!-- Ezooms ([email protected]) -->
<srcip>208.115.111.75</srcip>
<srcip>208.115.113.91</srcip>
<options>no_email_alert</options>
<description>Crawl by a known bot.</description>
<group>web_scan,recon,</group>
</rule>
8<---------------------------------------------------------------------------------------------------
But when I test it with "cat /tmp/false_positive_bot_404.log |
/var/ossec/bin/ossec-logtest", the rule seems not to be executed:
8<---------------------------------------------------------------------------------------------------
2013/03/06 16:03:44 ossec-testrule: INFO: Reading local decoder file.
2013/03/06 16:03:44 ossec-testrule: INFO: Started (pid: 25317).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '157.55.33.109 - - [05/Mar/2013:13:30:04 +0100] "GET
/uploads/GED/84/ HTTP/1.1" 404 29506 "-" "Mozilla/5.0 (compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
hostname: 'esdv-ossec-01'
program_name: '(null)'
log: '157.55.33.109 - - [05/Mar/2013:13:30:04 +0100] "GET
/uploads/GED/84/ HTTP/1.1" 404 29506 "-" "Mozilla/5.0 (compatible;
bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '157.55.33.109'
url: '/uploads/GED/84/'
id: '404'
**Phase 3: Completed filtering (rules).
Rule id: '117003'
Level: '3'
Description: 'Web server 404 error code.'
**Alert to be generated.
8<---------------------------------------------------------------------------------------------------
What did I miss?
And my second question is: How can I describe a range of source IP
addresses and/or write a regex to match multiple IP addresses in only one
tag?
Best regards
Tom
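An added example for both questions in this thread (not code from the post or from the OSSEC project): it turns the hand-maintained per-crawler address lists above into CIDR entries for a child rule, renders that rule, and checks a sample access-log line against the resulting networks. It assumes two things from the OSSEC rule syntax: `<srcip>` accepts CIDR notation, and a child rule that must match the same event as its parent uses `<if_sid>`, whereas `<if_matched_sid>` is only evaluated for composite rules carrying `frequency`/`timeframe` (which is consistent with 117111 never appearing in the ossec-logtest output above). The `widest_prefix` knob and the `is_known_bot` helper are this example's own names; the address list is the one posted above, regrouped as constructed sample data.

```python
"""Summarize per-crawler IPs into CIDR <srcip> entries for an OSSEC child rule
and check an access-log line against them. Added example, not the post's code.
Assumption: OSSEC <srcip> accepts CIDR notation and a same-event child rule
uses <if_sid> (not <if_matched_sid>, which is for frequency-based rules)."""
import ipaddress
import re

# Constructed sample: the crawler addresses listed in the post, grouped by operator.
BOT_IPS = {
    "Bnf.fr bot": "194.199.7.23",
    "Majestic12": (
        "5.9.107.48 62.141.45.101 71.168.109.155 74.118.192.202 79.91.59.81 "
        "82.128.253.85 92.206.62.138 94.23.42.135 173.208.165.194 108.59.8.80 "
        "184.154.48.82 204.12.208.162 204.12.208.218 204.124.181.85"
    ),
    "Bing": (
        "65.55.52.114 157.55.32.58 157.55.32.96 157.55.32.103 157.55.32.105 "
        "157.55.32.117 157.55.32.141 157.55.32.143 157.55.32.144 157.55.32.149 "
        "157.55.32.153 157.55.32.164 157.55.33.20 157.55.33.84 157.55.33.109 "
        "157.55.34.28 157.55.35.41 157.55.35.94 157.55.35.99 157.55.35.113 "
        "157.55.35.114 157.55.36.39"
    ),
    "Ezooms": "208.115.111.75 208.115.113.91",
}


def covering_network(addrs):
    """Smallest IPv4 network that contains every address in addrs."""
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def summarize(ip_text, widest_prefix=21):
    """Greedily merge sorted addresses into networks no wider than /widest_prefix.

    Addresses that would only fit together in a wider block (a crawler run from
    unrelated hosting providers, say) stay as separate /32 entries, so the rule
    never whitelists more address space than the bound allows."""
    addrs = sorted(ipaddress.ip_address(a) for a in ip_text.split())
    clusters = []
    for a in addrs:
        if clusters and covering_network(clusters[-1] + [a]).prefixlen >= widest_prefix:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return [covering_network(c) for c in clusters]


def srcip_entries(networks):
    """Render networks as OSSEC <srcip> elements; a /32 is written as a bare host."""
    return [
        f"<srcip>{n.network_address if n.prefixlen == 32 else n.with_prefixlen}</srcip>"
        for n in networks
    ]


def render_rule(rule_id, parent_sid, bots, widest_prefix=21, level=2):
    """Child rule matching the same 404 event as parent_sid for the listed bots."""
    lines = [f'<rule id="{rule_id}" level="{level}">', f"  <if_sid>{parent_sid}</if_sid>"]
    for name, ips in bots.items():
        lines.append(f"  <!-- {name} -->")
        lines += ["  " + e for e in srcip_entries(summarize(ips, widest_prefix))]
    lines += [
        "  <options>no_email_alert</options>",
        "  <description>Crawl by a known bot.</description>",
        "</rule>",
    ]
    return "\n".join(lines)


# Client address is the first field of a combined-format access log line.
ACCESS_LOG_SRCIP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def is_known_bot(access_log_line, bots=BOT_IPS, widest_prefix=21):
    """True when the line's client address falls inside a summarized crawler network."""
    m = ACCESS_LOG_SRCIP.match(access_log_line)
    if not m:
        return False
    ip = ipaddress.ip_address(m.group(1))
    return any(ip in net for ips in bots.values() for net in summarize(ips, widest_prefix))


if __name__ == "__main__":
    print(render_rule(117111, 117003, BOT_IPS))
```

Run as a script, it prints the rule fragment ready to paste into local_rules.xml: the Bing hosts collapse to `157.55.32.0/21` plus the lone `65.55.52.114`, while the scattered Majestic12 hosts stay as individual entries except the two `204.12.208.x` addresses, which merge into a /25. Any merge widens the whitelist beyond the hosts actually observed, so review the output and lower `widest_prefix` (up to 32, which disables merging) if that is not acceptable for a given operator.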