On Thu, Nov 7, 2013 at 10:20 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> The log message is from the httpd error log. Here is the part
> of the log where I notice.
>
> [Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index
> forbidden by Options directive: /var/www/html/*******/
> [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not
> exist: /var/www/html/images
> [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index
> forbidden by Options directive: /var/www/html/******/images/
>
The rules that match these log messages won't trigger an email or
anything. So you'll have to create better rules for them.
/tmp/xxx contains the log messages above.
# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2013/11/07 10:23:20 ossec-testrule: INFO: Reading local decoder file.
2013/11/07 10:23:21 ossec-testrule: INFO: Started (pid: 16416).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '[Sun Oct 13 12:33:29 2013] [error] [client
103.246.38.196] Directory index forbidden by Options directive:
/var/www/html/*******/'
hostname: 'arrakis'
program_name: '(null)'
log: '[error] [client 103.246.38.196] Directory index forbidden
by Options directive: /var/www/html/*******/'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '103.246.38.196'
**Phase 3: Completed filtering (rules).
Rule id: '30101'
Level: '0'
Description: 'Apache error messages grouped.'
**Phase 1: Completed pre-decoding.
full event: '[Sun Oct 13 12:33:30 2013] [error] [client
103.246.38.196] File does not exist: /var/www/html/images'
hostname: 'arrakis'
program_name: '(null)'
log: '[error] [client 103.246.38.196] File does not exist:
/var/www/html/images'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '103.246.38.196'
**Phase 3: Completed filtering (rules).
Rule id: '30112'
Level: '0'
Description: 'Attempt to access an non-existent file (those are
reported on the access.log).'
> What should I look for the ossec.log for the syscheckd ? What is the command
> to turning the debug for syscheckd ?
>
Kill ossec-syscheckd, then run `/var/ossec/bin/ossec-syscheckd -d`
>
> On Wed, Nov 6, 2013 at 11:45 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > Which log sample you prefer to have the apache error log
>> > or
>>
>> Which log messasge do you want to trigger an alert? That is the
>> important one here, right? In your original message you mentioned a
>> log message containing "Directory index forbidden by Options
>> directive:," but did not include the entire log message. I assume this
>> is the log message you want an alert on?
>>
>> > the ossec log ? Are the rules need tweaking too? How can I be sure the
>> > rootkit is running any log to check on it?
>> >
>>
>> Check the ossec.log. If there is no mention of it, try turning on
>> debug for syscheckd.
>>
>> >
>> > On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > If I look into my ossec.conf I can see this both these
>> >> > apache_rules.xml and web_appsec_rules.xml and I can see it monitors
>> >> > the
>> >> > /var/log/httpd/error_log. What else do I need to check on ? Is
>> >> > monitoring
>> >> > just fine or must I still create rules sorry I am newbie into this.
>> >> > Besides
>> >>
>> >> You didn't provide a log sample, so I cannot determine whether the log
>> >> will be identified by OSSEC or not.
>> >>
>> >> > that when will the rootkit check will be done on a period basic or
>> >> > launch
>> >> > manually ?
>> >> >
>> >>
>> >> It should scan periodically.
>> >>
>> >> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto <[email protected]>
>> >> >> wrote:
>> >> >> > Dear All,
>> >> >> > I am new to ossec. I am still learning how it works
>> >> >> > just
>> >> >> > wondering can it detect scraper activities because I have banned
>> >> >> > directory
>> >> >> > traversing but I notice yet the scrapper manage to get to some of
>> >> >> > the
>> >> >> > directories but got this error Directory index forbidden by
>> >> >> > Options
>> >> >> > directive:
>> >> >> >
>> >> >>
>> >> >> Are these logs being monitored by OSSEC? You should be able to
>> >> >> create
>> >> >> a rule looking for the log message.
>> >> >>
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups
>> >> >> > "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send
>> >> >> > an
>> >> >> > email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >>
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to a topic in the
>> >> Google Groups "ossec-list" group.
>> >> To unsubscribe from this topic, visit
>> >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe.
>> >> To unsubscribe from this group and all its topics, send an email to
>> >> [email protected].
>> >>
>> >> For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
