On Thu, Nov 7, 2013 at 1:46 PM, frwa onto <[email protected]> wrote: > Dear Dan, > Thank you for your guidance I am really learning a lots of new > things in ossec now. So I can increase that rule and restart ossec. How will > I know exactly where this 30112 rule is stored ? Thank you once again. >
The rules are kept in the rules files, which are in /var/ossec/rules (on a default install) > > On Fri, Nov 8, 2013 at 2:40 AM, dan (ddp) <[email protected]> wrote: >> >> On Thu, Nov 7, 2013 at 1:35 PM, frwa onto <[email protected]> wrote: >> > Dear Dan, >> > Ok so to test it you created a file called xxx and you >> > let >> > the ossec engine to run through it to decode the message rite. Please >> >> Essentially, yes. >> >> > correct me if my understanding is wrong here. Do you think for the two >> > rules >> > Rule id: '30101' and '30112' should I increase the Level: '0' for the >> > email >> > trigger as I have set now to 5 for email triggering? >> > >> >> 30101 is very generic. I would not increase the level of that rule, >> only use it as a parent rule for more specific rules. >> If 30112 is something you want to be notified of, you should increase the >> level. >> >> > >> > On Fri, Nov 8, 2013 at 2:26 AM, dan (ddp) <[email protected]> wrote: >> >> >> >> On Thu, Nov 7, 2013 at 1:22 PM, frwa onto <[email protected]> wrote: >> >> > Dear Dan, >> >> > So meaning that the existing apache rules wont trigger >> >> > this as >> >> > an alert is it ? How to create new rules and are we allowed to add >> >> > existing >> >> >> >> I provided the output from ossec-logtest. That output tells you >> >> exactly what OSSEC does with the log messages you provided. >> >> >> >> > rules? Does it need any compilation or just some xml documents? You >> >> > added >> >> >> >> Just xml documents. You'll have to restart the ossec processes on the >> >> server after modifying the rules. >> >> >> >> > these what are these actually >> >> >> >> Those are not rules, that is the output from ossec-logtest >> >> >> >> > *Phase 1: Completed pre-decoding. >> >> > full event: '[Sun Oct 13 12:33:29 2013] [error] [client >> >> > 103.246.38.196] Directory index forbidden by Options directive: >> >> > /var/www/html/*******/' >> >> > hostname: 'arrakis' >> >> > program_name: '(null)' >> >> > log: '[error] [client 103.246.38.196] Directory index >> >> > forbidden >> >> > by Options directive: /var/www/html/*******/' >> >> > >> >> > **Phase 2: Completed decoding. >> >> > decoder: 'apache-errorlog' >> >> > srcip: '103.246.38.196' >> >> > >> >> > **Phase 3: Completed filtering (rules). >> >> > Rule id: '30101' >> >> > Level: '0' >> >> > Description: 'Apache error messages grouped.' >> >> > >> >> > >> >> > On Thu, Nov 7, 2013 at 11:24 PM, dan (ddp) <[email protected]> wrote: >> >> >> >> >> >> On Thu, Nov 7, 2013 at 10:20 AM, frwa onto <[email protected]> >> >> >> wrote: >> >> >> > Dear Dan, >> >> >> > The log message is from the httpd error log. Here >> >> >> > is >> >> >> > the >> >> >> > part >> >> >> > of the log where I notice. >> >> >> > >> >> >> > [Sun Oct 13 12:33:29 2013] [error] [client 103.246.38.196] >> >> >> > Directory >> >> >> > index >> >> >> > forbidden by Options directive: /var/www/html/*******/ >> >> >> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] File >> >> >> > does >> >> >> > not >> >> >> > exist: /var/www/html/images >> >> >> > [Sun Oct 13 12:33:30 2013] [error] [client 103.246.38.196] >> >> >> > Directory >> >> >> > index >> >> >> > forbidden by Options directive: /var/www/html/******/images/ >> >> >> > >> >> >> >> >> >> The rules that match these log messages won't trigger an email or >> >> >> anything. So you'll have to create better rules for them. >> >> >> >> >> >> /tmp/xxx contains the log messages above. >> >> >> >> >> >> # cat /tmp/xxx | /var/ossec/bin/ossec-logtest >> >> >> 2013/11/07 10:23:20 ossec-testrule: INFO: Reading local decoder >> >> >> file. >> >> >> 2013/11/07 10:23:21 ossec-testrule: INFO: Started (pid: 16416). >> >> >> ossec-testrule: Type one log per line. >> >> >> >> >> >> >> >> >> >> >> >> **Phase 1: Completed pre-decoding. >> >> >> full event: '[Sun Oct 13 12:33:29 2013] [error] [client >> >> >> 103.246.38.196] Directory index forbidden by Options directive: >> >> >> /var/www/html/*******/' >> >> >> hostname: 'arrakis' >> >> >> program_name: '(null)' >> >> >> log: '[error] [client 103.246.38.196] Directory index >> >> >> forbidden >> >> >> by Options directive: /var/www/html/*******/' >> >> >> >> >> >> **Phase 2: Completed decoding. >> >> >> decoder: 'apache-errorlog' >> >> >> srcip: '103.246.38.196' >> >> >> >> >> >> **Phase 3: Completed filtering (rules). >> >> >> Rule id: '30101' >> >> >> Level: '0' >> >> >> Description: 'Apache error messages grouped.' >> >> >> >> >> >> >> >> >> **Phase 1: Completed pre-decoding. >> >> >> full event: '[Sun Oct 13 12:33:30 2013] [error] [client >> >> >> 103.246.38.196] File does not exist: /var/www/html/images' >> >> >> hostname: 'arrakis' >> >> >> program_name: '(null)' >> >> >> log: '[error] [client 103.246.38.196] File does not exist: >> >> >> /var/www/html/images' >> >> >> >> >> >> **Phase 2: Completed decoding. >> >> >> decoder: 'apache-errorlog' >> >> >> srcip: '103.246.38.196' >> >> >> >> >> >> **Phase 3: Completed filtering (rules). >> >> >> Rule id: '30112' >> >> >> Level: '0' >> >> >> Description: 'Attempt to access an non-existent file (those >> >> >> are >> >> >> reported on the access.log).' >> >> >> >> >> >> >> >> >> >> >> >> > What should I look for the ossec.log for the syscheckd ? What is >> >> >> > the >> >> >> > command >> >> >> > to turning the debug for syscheckd ? >> >> >> > >> >> >> >> >> >> Kill ossec-syscheckd, then run `/var/ossec/bin/ossec-syscheckd -d` >> >> >> >> >> >> > >> >> >> > On Wed, Nov 6, 2013 at 11:45 PM, dan (ddp) <[email protected]> >> >> >> > wrote: >> >> >> >> >> >> >> >> On Wed, Nov 6, 2013 at 10:39 AM, frwa onto <[email protected]> >> >> >> >> wrote: >> >> >> >> > Dear Dan, >> >> >> >> > Which log sample you prefer to have the apache >> >> >> >> > error >> >> >> >> > log >> >> >> >> > or >> >> >> >> >> >> >> >> Which log messasge do you want to trigger an alert? That is the >> >> >> >> important one here, right? In your original message you mentioned >> >> >> >> a >> >> >> >> log message containing "Directory index forbidden by Options >> >> >> >> directive:," but did not include the entire log message. I assume >> >> >> >> this >> >> >> >> is the log message you want an alert on? >> >> >> >> >> >> >> >> > the ossec log ? Are the rules need tweaking too? How can I be >> >> >> >> > sure >> >> >> >> > the >> >> >> >> > rootkit is running any log to check on it? >> >> >> >> > >> >> >> >> >> >> >> >> Check the ossec.log. If there is no mention of it, try turning on >> >> >> >> debug for syscheckd. >> >> >> >> >> >> >> >> > >> >> >> >> > On Wed, Nov 6, 2013 at 10:58 PM, dan (ddp) <[email protected]> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> On Wed, Nov 6, 2013 at 9:54 AM, frwa onto <[email protected]> >> >> >> >> >> wrote: >> >> >> >> >> > Dear Dan, >> >> >> >> >> > If I look into my ossec.conf I can see this >> >> >> >> >> > both >> >> >> >> >> > these >> >> >> >> >> > apache_rules.xml and web_appsec_rules.xml and I can see it >> >> >> >> >> > monitors >> >> >> >> >> > the >> >> >> >> >> > /var/log/httpd/error_log. What else do I need to check on ? >> >> >> >> >> > Is >> >> >> >> >> > monitoring >> >> >> >> >> > just fine or must I still create rules sorry I am newbie >> >> >> >> >> > into >> >> >> >> >> > this. >> >> >> >> >> > Besides >> >> >> >> >> >> >> >> >> >> You didn't provide a log sample, so I cannot determine whether >> >> >> >> >> the >> >> >> >> >> log >> >> >> >> >> will be identified by OSSEC or not. >> >> >> >> >> >> >> >> >> >> > that when will the rootkit check will be done on a period >> >> >> >> >> > basic >> >> >> >> >> > or >> >> >> >> >> > launch >> >> >> >> >> > manually ? >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> It should scan periodically. >> >> >> >> >> >> >> >> >> >> > On Wednesday, November 6, 2013 12:29:02 AM UTC+8, dan >> >> >> >> >> > (ddpbsd) >> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> >> >> On Sun, Nov 3, 2013 at 12:51 PM, frwa onto >> >> >> >> >> >> <[email protected]> >> >> >> >> >> >> wrote: >> >> >> >> >> >> > Dear All, >> >> >> >> >> >> > I am new to ossec. I am still learning how it >> >> >> >> >> >> > works >> >> >> >> >> >> > just >> >> >> >> >> >> > wondering can it detect scraper activities because I have >> >> >> >> >> >> > banned >> >> >> >> >> >> > directory >> >> >> >> >> >> > traversing but I notice yet the scrapper manage to get to >> >> >> >> >> >> > some >> >> >> >> >> >> > of >> >> >> >> >> >> > the >> >> >> >> >> >> > directories but got this error Directory index forbidden >> >> >> >> >> >> > by >> >> >> >> >> >> > Options >> >> >> >> >> >> > directive: >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> Are these logs being monitored by OSSEC? You should be able >> >> >> >> >> >> to >> >> >> >> >> >> create >> >> >> >> >> >> a rule looking for the log message. >> >> >> >> >> >> >> >> >> >> >> >> > -- >> >> >> >> >> >> > >> >> >> >> >> >> > --- >> >> >> >> >> >> > You received this message because you are subscribed to >> >> >> >> >> >> > the >> >> >> >> >> >> > Google >> >> >> >> >> >> > Groups >> >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails >> >> >> >> >> >> > from >> >> >> >> >> >> > it, >> >> >> >> >> >> > send >> >> >> >> >> >> > an >> >> >> >> >> >> > email to [email protected]. >> >> >> >> >> >> > For more options, visit >> >> >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> >> >> > >> >> >> >> >> > -- >> >> >> >> >> > >> >> >> >> >> > --- >> >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> >> > Google >> >> >> >> >> > Groups >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> > To unsubscribe from this group and stop receiving emails >> >> >> >> >> > from >> >> >> >> >> > it, >> >> >> >> >> > send >> >> >> >> >> > an >> >> >> >> >> > email to [email protected]. >> >> >> >> >> > For more options, visit >> >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> >> >> >> >> >> >> >> -- >> >> >> >> >> >> >> >> >> >> --- >> >> >> >> >> You received this message because you are subscribed to a >> >> >> >> >> topic >> >> >> >> >> in >> >> >> >> >> the >> >> >> >> >> Google Groups "ossec-list" group. >> >> >> >> >> To unsubscribe from this topic, visit >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe. >> >> >> >> >> To unsubscribe from this group and all its topics, send an >> >> >> >> >> email >> >> >> >> >> to >> >> >> >> >> [email protected]. >> >> >> >> >> >> >> >> >> >> For more options, visit >> >> >> >> >> https://groups.google.com/groups/opt_out. >> >> >> >> > >> >> >> >> > >> >> >> >> > -- >> >> >> >> > >> >> >> >> > --- >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> > Google >> >> >> >> > Groups >> >> >> >> > "ossec-list" group. >> >> >> >> > To unsubscribe from this group and stop receiving emails from >> >> >> >> > it, >> >> >> >> > send >> >> >> >> > an >> >> >> >> > email to [email protected]. >> >> >> >> > For more options, visit >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> >> >> >> >> >> -- >> >> >> >> >> >> >> >> --- >> >> >> >> You received this message because you are subscribed to a topic >> >> >> >> in >> >> >> >> the >> >> >> >> Google Groups "ossec-list" group. >> >> >> >> To unsubscribe from this topic, visit >> >> >> >> >> >> >> >> >> >> >> >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe. >> >> >> >> To unsubscribe from this group and all its topics, send an email >> >> >> >> to >> >> >> >> [email protected]. >> >> >> >> For more options, visit https://groups.google.com/groups/opt_out. >> >> >> > >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> >> >> -- >> >> >> >> >> >> --- >> >> >> You received this message because you are subscribed to a topic in >> >> >> the >> >> >> Google Groups "ossec-list" group. >> >> >> To unsubscribe from this topic, visit >> >> >> >> >> >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe. >> >> >> To unsubscribe from this group and all its topics, send an email to >> >> >> [email protected]. >> >> >> For more options, visit https://groups.google.com/groups/opt_out. >> >> > >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to a topic in the >> >> Google Groups "ossec-list" group. >> >> To unsubscribe from this topic, visit >> >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe. >> >> To unsubscribe from this group and all its topics, send an email to >> >> [email protected]. >> >> For more options, visit https://groups.google.com/groups/opt_out. >> > >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/O551cLvYKrs/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
