On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> Ok, I went into web_rules.xml and saw it says "A web attack returned
> code 200 (success)". So what could be the problem? I am just accessing
> data from my phpmyadmin. What is the attack? There is no description on
> this.
>

That's basically what you have to track down. Take a look at the alert
in alerts.log, it should contain the log message that triggered that
alert.
Rule 31106 looks at 3 other alerts, plus a 200 response from the web
server. Looking at 31103 (the first if_sid in 31106) you can see that
it looks for possible SQL injection attacks. Do any of the <url>
snippets exist in the log message that triggered the alert? If not, do
the same exercise with 31104 and 31105. When you've found the alert
that triggered 31106, it might be easier to create a rule to "white
list" your system (you could probably do this with 31106 as well, but
I like to stop the chain earlier if possible).

I'll only do so much of your work before I require a contract.

> Regards,
> Frwa.
>
> On Tuesday, December 10, 2013 10:29:09 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > Even if I am logged in with another email it is the same scenario: I
>> > get locked. It's more to do with phpmyadmin. Could it be that I am
>> > doing a big select statement causing this behavior? Is it possible to
>> > pause the active response temporarily? How can I further investigate
>> > the cause?
>> >
>>
>> Look at the alerts (rule ID 31106 specifically). They will provide
>> more information about what is happening.
>>
>> > Regards,
>> > Frwa.
>> >
>> > On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Christian,
>> >> > Thank you for sharing your experience too. Hopefully someone can
>> >> > confirm exactly what the main cause of this behavior is. I am not
>> >> > sure if turning off the active response would help?
>> >> >
>> >>
>> >> If the IP address being blocked in the active response log is your IP
>> >> address, then that is what is causing you to lose your ssh connection.
>> >>
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> >
>> >> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian Beer wrote:
>> >> >>
>> >> >> I also had this problem some time ago. Make sure you either
>> >> >> whitelist your IP (if it doesn't change) or disable ossec before
>> >> >> using phpmyadmin. As it is now, some actions are detected by ossec
>> >> >> as malicious SQL injection attacks and thus trigger the rule 31106.
>> >> >> The firewall-drop is triggered by the 31106 rule and thus your ssh
>> >> >> freezes. I found (and didn't really investigate) no other way to
>> >> >> whitelist the phpmyadmin installation.
>> >> >>
>> >> >> Regards
>> >> >> Christian
>> >> >>
>> >> >> Am 10.12.2013 03:54, schrieb frwa onto:
>> >> >> > Dear Dan,
>> >> >> > This log is showing "2013/12/08 01:48:43 ossec-execd: INFO: Active
>> >> >> > response command not present:
>> >> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
>> >> >> > this system." That active response is not present, right? So then
>> >> >> > why does it deny the host? In fact that is my local IP, where I am
>> >> >> > accessing the server locally, not from external. All I do is use
>> >> >> > phpmyadmin to access my db, and I always get denied and my ssh is
>> >> >> > broken. Does ossec sniff it as an attack, is it?
>> >> >> >
>> >> >> > Regards,
>> >> >> > Frwa.
>> >> >> >
>> >> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
>> >> >> >>
>> >> >> >> I have centos 6.5 (Final) running. Lately I notice whenever I do
>> >> >> >> anything in mysql, after a few minutes my ssh freezes. I don't
>> >> >> >> know what is happening, so looking in my /var/log/secure nothing
>> >> >> >> is pointing there; then I look into my ossec logs and I notice
>> >> >> >> these lines.
>> >> >> >>
>> >> >> >> In my /var/ossec/log/ossec-log I see this
>> >> >> >>
>> >> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >>
>> >> >> >> But in my /var/ossec/log/active-responses.log I see this
>> >> >> >>
>> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >>
>> >> >> >> What can I do about this?
>> >> >> >>
>> >> >> >
>> >> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >
>

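The "stop the chain earlier" approach Dan describes, written out as an OSSEC local rule. This is an added example, not code from the thread or from the OSSEC project. It assumes rule id 100100 (the 100000+ range OSSEC reserves for local rules), that phpMyAdmin is served under /phpmyadmin/, and that the admin workstation is 10.212.134.200, the address the active-responses.log excerpt in the thread shows being denied:

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not part of the thread). -->
<group name="local,web,phpmyadmin,">

  <!-- 31103, 31104 and 31105 are the parent alerts (if_sid) of 31106.
       A level 0 match here suppresses them, so 31106 never fires for this
       traffic and neither host-deny.sh nor firewall-drop.sh runs.
       The match is deliberately narrow: only the phpMyAdmin path, and only
       from the admin's own IP, so SQL-injection detection for every other
       URL and every other client stays in force. -->
  <rule id="100100" level="0">
    <if_sid>31103,31104,31105</if_sid>
    <!-- Admin IP taken from the thread's active-responses.log lines. -->
    <srcip>10.212.134.200</srcip>
    <!-- Assumed install path; adjust to the real phpMyAdmin location. -->
    <url>^/phpmyadmin/</url>
    <description>phpMyAdmin traffic from the admin workstation: SQL keywords in the URL are expected here, not an injection attempt.</description>
  </rule>

</group>
```

Before restarting OSSEC, feed the exact access_log line recorded inside the 31106 alert to /var/ossec/bin/ossec-logtest and confirm the output now shows rule 100100 at level 0 instead of 31103/31104/31105. If the admin's address changes often, the blunter alternative is a `<white_list>` entry under `<global>` in ossec.conf, which keeps the alerts but exempts that IP from active response; the rule above is preferable because it leaves firewall-drop active for any other source that sends SQL-looking requests to the same server.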