Dear Dan,
Ok, so to test it you created a file called xxx and you let the ossec engine run through it to decode the message, right? Please correct me if my understanding is wrong here. For the two rules, Rule id: '30101' and '30112', do you think I should increase the Level: '0' so that the email is triggered, as I have now set the email trigger level to 5?
On Fri, Nov 8, 2013 at 2:26 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Nov 7, 2013 at 1:22 PM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > So meaning that the existing apache rules won't trigger this as
> > an alert, is it? How to create new rules, and are we allowed to add existing
>
> I provided the output from ossec-logtest. That output tells you
> exactly what OSSEC does with the log messages you provided.
>
> > rules? Does it need any compilation or just some xml documents? You added
>
> Just xml documents. You'll have to restart the ossec processes on the
> server after modifying the rules.
>
> > these; what are these actually?
>
> Those are not rules, that is the output from ossec-logtest
>
> > *Phase 1: Completed pre-decoding.
> > full event: '[Sun Oct 13 12:33:29 2013] [error] [client
> > 103.246.38.196] Directory index forbidden by Options directive:
> > /var/www/html/*******/'
> > hostname: 'arrakis'
> > program_name: '(null)'
> > log: '[error] [client 103.246.38.196] Directory index forbidden
> > by Options directive: /var/www/html/*******/'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'apache-errorlog'
> > srcip: '103.246.38.196'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '30101'
> > Level: '0'
> > Description: 'Apache error messages grouped.'
> >
> >
> > On Thu, Nov 7, 2013 at 11:24 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Thu, Nov 7, 2013 at 10:20 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > The log message is from the httpd error log. Here is the
> >> > part of the log where I noticed it.
> >> >
> >> > [Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/*******/
> >> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File does not exist: /var/www/html/images
> >> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] Directory index forbidden by Options directive: /var/www/html/******/images/
> >> >
> >>
> >> The rules that match these log messages won't trigger an email or
> >> anything. So you'll have to create better rules for them.
> >>
> >> /tmp/xxx contains the log messages above.
> >>
> >> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> >> 2013/11/07 10:23:20 ossec-testrule: INFO: Reading local decoder file.
> >> 2013/11/07 10:23:21 ossec-testrule: INFO: Started (pid: 16416).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: '[Sun Oct 13 12:33:29 2013] [error] [client
> >> 103.246.38.196] Directory index forbidden by Options directive:
> >> /var/www/html/*******/'
> >> hostname: 'arrakis'
> >> program_name: '(null)'
> >> log: '[error] [client 103.246.38.196] Directory index forbidden
> >> by Options directive: /var/www/html/*******/'
> >>
> >> **Phase 2: Completed decoding.
> >> decoder: 'apache-errorlog'
> >> srcip: '103.246.38.196'
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '30101'
> >> Level: '0'
> >> Description: 'Apache error messages grouped.'
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: '[Sun Oct 13 12:33:30 2013] [error] [client
> >> 103.246.38.196] File does not exist: /var/www/html/images'
> >> hostname: 'arrakis'
> >> program_name: '(null)'
> >> log: '[error] [client 103.246.38.196] File does not exist:
> >> /var/www/html/images'
> >>
> >> **Phase 2: Completed decoding.
> >> decoder: 'apache-errorlog'
> >> srcip: '103.246.38.196'
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '30112'
> >> Level: '0'
> >> Description: 'Attempt to access an non-existent file (those are
> >> reported on the access.log).'
> >>
> >>
> >>
> >> > What should I look for in the ossec.log for syscheckd? What is the
> >> > command to turn on debug for syscheckd?
> >> >
> >>
> >> Kill ossec-syscheckd, then run `/var/ossec/bin/ossec-syscheckd -d`
> >>
> >> >
> >> > On Wed, Nov 6, 2013 at 11:45 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <[email protected]> wrote:
> >> >> > Dear Dan,
> >> >> > Which log sample do you prefer to have, the apache error log or
> >> >>
> >> >> Which log message do you want to trigger an alert? That is the
> >> >> important one here, right? In your original message you mentioned a
> >> >> log message containing "Directory index forbidden by Options
> >> >> directive:", but did not include the entire log message. I assume this
> >> >> is the log message you want an alert on?
> >> >>
> >> >> > the ossec log? Do the rules need tweaking too? How can I be sure
> >> >> > the rootkit check is running; is there any log to check on it?
> >> >> >
> >> >>
> >> >> Check the ossec.log. If there is no mention of it, try turning on
> >> >> debug for syscheckd.
> >> >>
> >> >> >
> >> >> > On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:
> >> >> >>
> >> >> >> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <[email protected]> wrote:
> >> >> >> > Dear Dan,
> >> >> >> > If I look into my ossec.conf I can see both of these,
> >> >> >> > apache_rules.xml and web_appsec_rules.xml, and I can see it monitors
> >> >> >> > /var/log/httpd/error_log. What else do I need to check on? Is
> >> >> >> > monitoring just fine, or must I still create rules? Sorry, I am a newbie to
> >> >> >> > this. Besides
> >> >> >>
> >> >> >> You didn't provide a log sample, so I cannot determine whether the
> >> >> >> log will be identified by OSSEC or not.
> >> >> >>
> >> >> >> > that, when will the rootkit check be done, on a periodic basis or
> >> >> >> > launched manually?
> >> >> >> >
> >> >> >>
> >> >> >> It should scan periodically.
> >> >> >>
> >> >> >> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto <[email protected]> wrote:
> >> >> >> >> > Dear All,
> >> >> >> >> > I am new to ossec. I am still learning how it works,
> >> >> >> >> > just wondering, can it detect scraper activities? Because I have
> >> >> >> >> > banned directory traversing, but I notice the scraper still managed to get to
> >> >> >> >> > some of the directories, but got this error: Directory index forbidden by
> >> >> >> >> > Options directive:
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Are these logs being monitored by OSSEC? You should be able to
> >> >> >> >> create a rule looking for the log message.
> >> >> >> >>
> >> >> >> >> > --
> >> >> >> >> >
> >> >> >> >> > ---
> >> >> >> >> > You received this message because you are subscribed to the
> >> >> >> >> > Google
> >> >> >> >> > Groups
> >> >> >> >> > "ossec-list" group.
> >> >> >> >> > To unsubscribe from this group and stop receiving emails from
> >> >> >> >> > it,
> >> >> >> >> > send
> >> >> >> >> > an
> >> >> >> >> > email to [email protected].
> >> >> >> >> > For more options, visit
> >> >> >> >> > https://groups.google.com/groups/opt_out.
> >> >> >> >
> >> >> >>
> >> >> >
> >> >> >
> >> >>
> >> >
> >> >
> >>
> >
> >
>
>
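An added example, not posted by anyone in this thread: rather than raising the level of the shipped rules 30101 and 30112 inside apache_rules.xml, the usual approach is a child rule in local_rules.xml that inherits from 30101 and promotes only the "Directory index forbidden" message past the email threshold. The file path, the rule ids 100101 and 100102, the levels and the frequency/timeframe values are assumptions chosen for this example.

```xml
<!-- Assumed location: /var/ossec/rules/local_rules.xml (example rules, not from the thread) -->
<group name="local,apache,">

  <!-- Child of the shipped grouping rule 30101, which the ossec-logtest output
       above shows matching at level 0. Only the "Directory index forbidden"
       message is promoted; other Apache errors keep their level 0, so the
       mailbox is not flooded. Level 5 meets the email_alert_level of 5 set in
       this thread; raise it if that threshold changes. -->
  <rule id="100101" level="5">
    <if_sid>30101</if_sid>
    <match>Directory index forbidden by Options directive</match>
    <description>Apache: directory listing denied to a client (possible scraper probing).</description>
  </rule>

  <!-- Correlation rule: repeated 100101 hits from one source IP within 120
       seconds. same_source_ip compares the srcip field that the
       apache-errorlog decoder extracted in Phase 2 of the logtest output. -->
  <rule id="100102" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Apache: repeated directory-listing denials from the same source IP.</description>
  </rule>

</group>
```

After saving the file, restart with `/var/ossec/bin/ossec-control restart` and re-run the `cat /tmp/xxx | /var/ossec/bin/ossec-logtest` command from the thread; Phase 3 for the first log line should then report rule 100101 at level 5 instead of 30101 at level 0.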