Dear Dan,
              So, meaning that the existing Apache rules won't trigger this
as an alert, is it? How do I create new rules, and are we allowed to add
existing rules? Does it need any compilation or just some XML documents?
You added these; what are these actually?
**Phase 1: Completed pre-decoding.
       full event: '[Sun Oct 13 12:33:29 2013] [error] [client
103.246.38.196] Directory index forbidden by Options directive:
/var/www/html/*******/'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '[error] [client 103.246.38.196] Directory index forbidden
by Options directive: /var/www/html/*******/'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '103.246.38.196'

**Phase 3: Completed filtering (rules).
       Rule id: '30101'
       Level: '0'
       Description: 'Apache error messages grouped.'


On Thu, Nov 7, 2013 at 11:24 PM, dan (ddp) <[email protected]> wrote:

> On Thu, Nov 7, 2013 at 10:20 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> >                The log message is from the httpd error log. Here is the part
> > of the log where I notice.
> >
> > [Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index
> > forbidden by Options directive: /var/www/html/*******/
> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not
> > exist: /var/www/html/images
> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index
> > forbidden by Options directive: /var/www/html/******/images/
> >
>
> The rules that match these log messages won't trigger an email or
> anything. So you'll have to create better rules for them.
>
> /tmp/xxx contains the log messages above.
>
> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> 2013/11/07 10:23:20 ossec-testrule: INFO: Reading local decoder file.
> 2013/11/07 10:23:21 ossec-testrule: INFO: Started (pid: 16416).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Sun Oct 13 12:33:29 2013] [error] [client
> 103.246.38.196] Directory index forbidden by Options directive:
> /var/www/html/*******/'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '[error] [client 103.246.38.196] Directory index forbidden
> by Options directive: /var/www/html/*******/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '103.246.38.196'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '30101'
>        Level: '0'
>        Description: 'Apache error messages grouped.'
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Sun Oct 13 12:33:30 2013] [error] [client
> 103.246.38.196] File does not exist: /var/www/html/images'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '[error] [client 103.246.38.196] File does not exist:
> /var/www/html/images'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '103.246.38.196'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '30112'
>        Level: '0'
>        Description: 'Attempt to access an non-existent file (those are
> reported on the access.log).'
>
>
>
> > What should I look for in the ossec.log for the syscheckd? What is the command
> > to turn on the debug for syscheckd?
> >
>
> Kill ossec-syscheckd, then run `/var/ossec/bin/ossec-syscheckd -d`
>
> >
> > On Wed, Nov 6, 2013 at 11:45 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> >                Which log sample do you prefer to have, the apache error log
> >> > or
> >>
> >> Which log message do you want to trigger an alert? That is the
> >> important one here, right? In your original message you mentioned a
> >> log message containing "Directory index forbidden by Options
> >> directive:," but did not include the entire log message. I assume this
> >> is the log message you want an alert on?
> >>
> >> > the ossec log? Do the rules need tweaking too? How can I be sure the
> >> > rootkit is running; is there any log to check on it?
> >> >
> >>
> >> Check the ossec.log. If there is no mention of it, try turning on
> >> debug for syscheckd.
> >>
> >> >
> >> > On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <[email protected]> wrote:
> >> >> > Dear Dan,
> >> >> >               If I look into my ossec.conf I can see both of these,
> >> >> > apache_rules.xml and web_appsec_rules.xml, and I can see it monitors
> >> >> > /var/log/httpd/error_log. What else do I need to check on? Is monitoring
> >> >> > just fine or must I still create rules? Sorry, I am a newbie at this.
> >> >> > Besides
> >> >>
> >> >> You didn't provide a log sample, so I cannot determine whether the log
> >> >> will be identified by OSSEC or not.
> >> >>
> >> >> > that, when will the rootkit check be done, on a periodic basis or
> >> >> > launched manually?
> >> >> >
> >> >>
> >> >> It should scan periodically.
> >> >>
> >> >> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto <[email protected]> wrote:
> >> >> >> > Dear All,
> >> >> >> >             I am new to ossec. I am still learning how it works, just
> >> >> >> > wondering, can it detect scraper activities? Because I have banned
> >> >> >> > directory traversing, but I notice the scraper still managed to get to
> >> >> >> > some of the directories, but got this error: Directory index forbidden
> >> >> >> > by Options directive:
> >> >> >> >
> >> >> >>
> >> >> >> Are these logs being monitored by OSSEC? You should be able to create
> >> >> >> a rule looking for the log message.
> >> >> >>
> >> >> >> > --
> >> >> >> >
> >> >> >> > ---
> >> >> >> > You received this message because you are subscribed to the
> Google
> >> >> >> > Groups
> >> >> >> > "ossec-list" group.
> >> >> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >> >> >> > send
> >> >> >> > an
> >> >> >> > email to [email protected].
> >> >> >> > For more options, visit
> https://groups.google.com/groups/opt_out.
>
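An added example, not from this thread or the OSSEC project, answering the question above: OSSEC rules are plain XML and need no compilation. This local rule hooks under the stock catch-all rule 30101 that ossec-logtest reported (level 0, so no alert) and raises the "Directory index forbidden" message to an alerting level; the file path, the rule ids 100101/100102, the levels and the frequency/timeframe values are assumptions chosen here.

```xml
<!-- /var/ossec/rules/local_rules.xml (assumed path; local rule ids start at 100000) -->
<group name="local,apache,">

  <!-- Child of stock rule 30101 (apache-errorlog catch-all, level 0), so it is
       only evaluated for events that 30101 already matched. <match> is a plain
       substring match against the decoded log line. Level 7 is the default
       email_alert_level, so this rule will generate an email. -->
  <rule id="100101" level="7">
    <if_sid>30101</if_sid>
    <match>Directory index forbidden by Options directive</match>
    <description>Apache: directory listing denied (possible scraper probing).</description>
    <group>web,attack,</group>
  </rule>

  <!-- Escalate when the same source IP (srcip from the apache-errorlog decoder)
       triggers 100101 six times within 120 seconds. Values are assumptions. -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Apache: repeated directory listing denials from one source IP.</description>
    <group>web,attack,</group>
  </rule>

</group>
```

After saving the file, restart OSSEC and re-run the same `cat /tmp/xxx | /var/ossec/bin/ossec-logtest`; Phase 3 should now report rule id 100101 at level 7 instead of 30101 at level 0.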
