On Fri, Dec 13, 2013 at 8:00 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
> You were right, I saw this in my alerts.log. Actually I know what the
> problem is: it happens when I query for huge data; for a simple few
> hundred records it's fine. So why does this behaviour trigger this event?
>
> ** Alert 1386438523.563: - web,accesslog,attack,
> 2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
> Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> Src IP: 10.212.134.200
> 10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET
> /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=*****
> HTTP/1.1" 200 78927
> "http://******/*****/*****.php?****=********=*****&token=**********"
> "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/31.0.1650.63 Safari/537.36"
>
I'm going to assume the "*"s in the above log message are bad attempts
at obfuscating the log message. Hopefully they aren't important in
tracking this down.
So I explained how to figure things out in my last message, but you
don't pay much attention. So I'll break it down for anyone who does
care.
Rule 31103 has the following match parameters:
<url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
<url>union+|where+|null,null|xp_cmdshell</url>
Each item (separated by the "|") is a different possible match. It's
hard to tell for sure (again, the obfuscation is horrendous), but I
think "sql_query=SELE******" from the log message may be a "SELECT[
+]" This matches the <url> above (the first option being "select " and
the second being "select+"). Without any other evidence I'll say
that's a match. At a quick glance, 3110[45] don't look like they'll
match this log message.
So to keep this from happening in the future, I'd probably write a
custom rule that looks for:
if_sid 31103
srcip IP_BEING_BANNED
url get.php
>
>
> On Thu, Dec 12, 2013 at 9:20 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > OK, I went into web_rules.xml and saw it says "A web attack
>> > returned code 200 (success)". So what could be the problem? I am just
>> > accessing data from my phpmyadmin; what is the attack? There is no
>> > description on this?
>> >
>>
>> That's basically what you have to track down. Take a look at the alert
>> in alerts.log, it should contain the log message that triggered that
>> alert.
>> Rule 31106 looks at 3 other alerts, plus a 200 response from the web
>> server. Looking at 31103 (the first if_sid in 31106) you can see that
>> it looks for possible SQL injection attacks. Does any of the <url>
>> snippets exist in the log message that triggered the alert? If not, do
>> the same exercise with 31104 and 31105. When you've found the alert
>> that triggered 31106, it might be easier to create a rule to "white
>> list" your system (you could probably do this with 31106 as well, but
>> I like to stop the chain earlier if possible).
>>
>> I'll only do so much of your work before I require a contract.
>>
>> > Regards,
>> > Frwa.
>> >
>> > On Tuesday, December 10, 2013 10:29:09 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > Even if I am logged in with another email it is the same scenario,
>> >> > I get locked. It's more to do with phpmyadmin. Could it be that I am
>> >> > doing a big select statement causing this behavior? Is it possible to
>> >> > pause the active response temporarily? How can I further investigate
>> >> > the cause?
>> >> >
>> >>
>> >> Look at the alerts (rule ID 31106 specifically). They will provide
>> >> more information about what is happening.
>> >>
>> >> > Regards,
>> >> > Frwa.
>> >> >
>> >> > On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]>
>> >> >> wrote:
>> >> >> > Dear Christian,
>> >> >> > Thank you for sharing your experience too. Hopefully someone can
>> >> >> > confirm exactly what the main cause of this behavior is. I am not
>> >> >> > sure if turning off the active response would help?
>> >> >> >
>> >> >>
>> >> >> If the IP address being blocked in the active response log is your
>> >> >> IP address, then that is what is causing you to lose your ssh
>> >> >> connection.
>> >> >>
>> >> >> > Regards,
>> >> >> > Frwa.
>> >> >> >
>> >> >> >
>> >> >> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian Beer
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> I also had this problem some time ago. Make sure you either
>> >> >> >> whitelist your IP (if it doesn't change) or disable ossec before
>> >> >> >> using phpmyadmin. As it is now, some actions are detected by ossec
>> >> >> >> as malicious SQL injection attacks and thus trigger the rule 31106.
>> >> >> >> The firewall-drop is triggered by the 31106 rule and thus your ssh
>> >> >> >> freezes. I found (and didn't really investigate) no other way to
>> >> >> >> whitelist the phpmyadmin installation.
>> >> >> >>
>> >> >> >> Regards
>> >> >> >> Christian
>> >> >> >>
>> >> >> >> Am 10.12.2013 03:54, schrieb frwa onto:
>> >> >> >> > Dear Dan,
>> >> >> >> > This log is showing "2013/12/08 01:48:43 ossec-execd: INFO:
>> >> >> >> > Active response command not present:
>> >> >> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it
>> >> >> >> > on this system." That active response is not present, right? So
>> >> >> >> > then why does it deny the host? In fact that is my local IP from
>> >> >> >> > which I am accessing the server locally, not from external. All I
>> >> >> >> > do is use phpmyadmin to access my db and I always get denied and
>> >> >> >> > my ssh is broken. Does ossec sniff it as an attack?
>> >> >> >> >
>> >> >> >> > Regards,
>> >> >> >> > Frwa.
>> >> >> >> >
>> >> >> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
>> >> >> >> >>
>> >> >> >> >> I have centos 6.5 (Final) running. Lately I notice whenever I
>> >> >> >> >> do anything in mysql, after a few minutes my ssh freezes. I
>> >> >> >> >> don't know what is happening; looking at my /var/log/secure,
>> >> >> >> >> nothing is pointing there, then I look into my ossec logs and I
>> >> >> >> >> notice these lines.
>> >> >> >> >>
>> >> >> >> >> In my /var/ossec/log/ossec-log I see this
>> >> >> >> >>
>> >> >> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >>
>> >> >> >> >> But in my /var/ossec/log/active-responses.log I see this
>> >> >> >> >>
>> >> >> >> >> Sun Dec 8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >> >> Sun Dec 8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >> >>
>> >> >> >> >> What can I do about this?
>> >> >> >> >>
>> >> >> >> >
>> >> >> >>
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups
>> >> >> > "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send
>> >> >> > an
>> >> >> > email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >
>> >
>>
>
>
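Dan's reasoning above (the `<url>` alternatives of 31103, 31106 firing on a 200 response, and the level-0 local rule he sketches to stop the chain) as an added Python model of the rule chain; this is not code from the thread or from OSSEC itself. The access-log lines are constructed (the list post's URL was obfuscated), the local rule id is hypothetical, and case-insensitive literal matching of OSSEC's `|` alternatives is an assumption.

```python
import re

# Apache access-log shape that OSSEC's web decoder pulls srcip, url and the
# status id from (simplified regex, not OSSEC's decoder itself).
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# <url> alternatives of rule 31103 as quoted on the list. In OSSEC match
# syntax '|' separates literal alternatives; case-insensitive matching is
# an assumption of this model.
RULE_31103_URL = ("select%20|select+|insert%20|%20from%20|%20where%20|union%20|"
                  "union+|where+|null,null|xp_cmdshell").split("|")

# Constructed sample lines standing in for the obfuscated phpMyAdmin request.
SAMPLE_PMA = ('10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET '
              '/pma/get.php?db1=test&sql_query=SELECT+1&show_query=1 HTTP/1.1" '
              '200 78927 "-" "Mozilla/5.0"')
SAMPLE_OTHER = SAMPLE_PMA.replace("10.212.134.200", "10.0.0.9")
SAMPLE_BENIGN = ('10.212.134.200 - - [08/Dec/2013:01:50:00 +0800] '
                 '"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

def decode(line):
    """Fields the rule chain looks at, or None if the line is not an access log."""
    m = ACCESS_RE.match(line)
    return None if m is None else {"srcip": m.group(1), "url": m.group(3), "id": m.group(4)}

def url_matches(url, alternatives):
    u = url.lower()
    return any(alt.lower() in u for alt in alternatives)

def whitelisted(event, trusted_ip, url_fragment="get.php"):
    """Dan's suggested level-0 local rule: if_sid 31103 + srcip + url.
    Equivalent local_rules.xml (rule id 100100 is a hypothetical choice):
      <rule id="100100" level="0"><if_sid>31103</if_sid>
        <srcip>TRUSTED_IP</srcip><url>get.php</url>
        <description>phpMyAdmin queries from the admin host</description></rule>
    """
    return event["srcip"] == trusted_ip and url_fragment in event["url"]

def evaluate(line, trusted_ip):
    """Highest rule reached: None (no SQL-injection signature in the URL),
    0 (caught by the level-0 local rule, so 31106 and its firewall-drop
    never run), 31103 (signature, non-200), or 31106 (signature + 200)."""
    ev = decode(line)
    if ev is None or not url_matches(ev["url"], RULE_31103_URL):
        return None
    if whitelisted(ev, trusted_ip):
        return 0
    return 31106 if ev["id"].startswith("200") else 31103
```

Run `evaluate(SAMPLE_PMA, "10.212.134.200")` to see the whitelist stop the chain at 31103, and the same line with another trusted IP to see 31106 (and hence the active response) fire.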