Dear Dan,
Sorry for obfuscation. The select statement from the log is
as following
SELECT+%2A+FROM+%60tblTemp1%60+order+by+temp1ID+desc+limit+0%2C10 . So it
match the Select, From. But I have put the limit yet it still lock me down?
I have read about custom rule here
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf . So must I first create
a group and then put in it? I am not too sure can be like below I just put
311011 and is it to be stored in local_rules.xml?
<rule id=“311011” level=“5”>
<if_sid>311011</if_sid>
<srcip>10.212.134.200</srcip>
<description></description>
</rule>
Regards,
Frwa.
On Fri, Dec 13, 2013 at 9:32 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Dec 13, 2013 at 8:00 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> > You was right I saw this in my alerts.log. Actually I know
> > what is the problem happens when I query for huge data for simple few
> > hundred data its fine. So why this behaviour trigger this event?
> >
> > ** Alert 1386438523.563: - web,accesslog,attack,
> > 2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
> > Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> > Src IP: 10.212.134.200
> > 10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET
> >
> /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=*****
> > HTTP/1.1" 200 78927
> > "http://******/*****/*****.php?****=********=*****&token=**********";
> > "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
> Gecko)
> > Chrome/31.0.1650.63 Safari/537.36"
> >
>
> I'm going to assume the "*"s in the above log message are bad attempts
> at obfuscating the log message. Hopefully they aren't important in
> tracking this down.
>
> So I explained how to figure things out in my last message, but you
> don't pay much attention. So I'll break it down for anyone who does
> care.
>
> Rule 31103 has the following match parameters:
> <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
> <url>union+|where+|null,null|xp_cmdshell</url>
>
> Each item (separated by the "|") is a different possible match. It's
> hard to tell for sure (again, the obfuscation is horrendous), but I
> think "sql_query=SELE******" from the log message may be a "SELECT[
> +]" This matches the <url> above (the first option being "select " and
> the second being "select+"). Without any other evidence I'll say
> that's a match. At a quick glance, 3110[45] don't look like they'll
> match this log message.
>
> So to keep this from happening in the future, I'd probably write a
> custom rule that looks for:
> if_sid 31103
> srcip IP_BEING_BANNED
> url get.php
>
>
> >
> >
> > On Thu, Dec 12, 2013 at 9:20 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> > Ok I went into web_rules.xml and saw its says A web
> attack
> >> > returned code 200 (success) . So what could be the problem I am just
> >> > accessing data from my phpmyadmin what is the attack no description on
> >> > this?
> >> >
> >>
> >> That's basically what you have to track down. Take a look at the alert
> >> in alerts.log, it should contain the log message that triggered that
> >> alert.
> >> Rule 31106 looks at 3 other alerts, plus a 200 response from the web
> >> server. Looking at 31103 (the first if_sid in 31106) you can see that
> >> it looks for possible SQL injection attacks. Does any of the <url>
> >> snippets exist in the log message that triggered the alert? If not, do
> >> the same exercise with 31104 and 31105. When you've found the alert
> >> that triggered 31106, it might be easier to create a rule to "white
> >> list" your system (you could probably do this with 31106 as well, but
> >> I like to stop the chain earlier if possible).
> >>
> >> I'll only do so much of your work before I require a contract.
> >>
> >> > Regards,
> >> > Frwa.
> >> >
> >> > On Tuesday, December 10, 2013 10:29:09 PM UTC+8, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <[email protected]>
> wrote:
> >> >> > Dear Dan,
> >> >> > Even if I am logged with other email is the same
> >> >> > scenario
> >> >> > I
> >> >> > get locked. Its more got to do with phpmyadmin. Could it be that I
> am
> >> >> > doing
> >> >> > big select statement causing this behavior? Is it possible to pause
> >> >> > the
> >> >> > active response for temporary ? How can I further investigate the
> >> >> > cause?
> >> >> >
> >> >>
> >> >> Look at the alerts (rule ID 31106 specifically). They will provide
> >> >> more information about what is happening.
> >> >>
> >> >> > Regards,
> >> >> > Frwa.
> >> >> >
> >> >> > On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd)
> wrote:
> >> >> >>
> >> >> >> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]>
> >> >> >> wrote:
> >> >> >> > Dear Christian,
> >> >> >> > Thank you for sharing your experience too.
> >> >> >> > Hopefully
> >> >> >> > some one can exactly confirm what is the main cause of this
> >> >> >> > behavior?
> >> >> >> > I
> >> >> >> > am
> >> >> >> > not sure if I off the active response should help?
> >> >> >> >
> >> >> >>
> >> >> >> If the IP address being blocked in the active response log is your
> >> >> >> IP
> >> >> >> address, then that is what is causing you to lose your ssh
> >> >> >> connection.
> >> >> >>
> >> >> >> > Regards,
> >> >> >> > Frwa.
> >> >> >> >
> >> >> >> >
> >> >> >> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian Beer
> >> >> >> > wrote:
> >> >> >> >>
> >> >> >> >> I also had this problem some time ago. Make sure you either
> >> >> >> >> whitelist
> >> >> >> >> your IP (if it doesn't change) or disable ossec before using
> >> >> >> >> phpmyadmin.
> >> >> >> >> As it is now, some actions are detected by ossec as malicious
> >> >> >> >> SQLInjection attacks and thus trigger the rule 31106. The
> >> >> >> >> firewall-drop
> >> >> >> >> is triggered by the 31106 rule and thus you ssh freezes. I
> found
> >> >> >> >> (and
> >> >> >> >> didn't really investigate) no other way to whitelist the
> >> >> >> >> phpmyadmin
> >> >> >> >> installation.
> >> >> >> >>
> >> >> >> >> Regards
> >> >> >> >> Christian
> >> >> >> >>
> >> >> >> >> Am 10.12.2013 03:54, schrieb frwa onto:
> >> >> >> >> > Dear Dan,
> >> >> >> >> > This log is showing " 2013/12/08 01:48:43
> >> >> >> >> > ossec-execd:
> >> >> >> >> > INFO:
> >> >> >> >> > Active response command not present:
> >> >> >> >> >> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not
> using
> >> >> >> >> >> it
> >> >> >> >> >> on
> >> >> >> >> >> this
> >> >> >> >> >> system. " That active response is not present right so then
> >> >> >> >> >> why
> >> >> >> >> >> does
> >> >> >> >> >> is
> >> >> >> >> > deny the host. In fact that is my local ip where I am
> accessing
> >> >> >> >> > the
> >> >> >> >> > server
> >> >> >> >> > locally not from eternal. I only do is that using phmyadmin
> to
> >> >> >> >> > access
> >> >> >> >> > my
> >> >> >> >> > db
> >> >> >> >> > and I always get denied and my ssh is broken? Does ossec
> sniff
> >> >> >> >> > it
> >> >> >> >> > as
> >> >> >> >> > an
> >> >> >> >> > attack is it?
> >> >> >> >> >
> >> >> >> >> > Regards,
> >> >> >> >> > Frwa.
> >> >> >> >> >
> >> >> >> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto
> wrote:
> >> >> >> >> >>
> >> >> >> >> >> I have centos 6.5(Final) running. Lately I notice whenever I
> >> >> >> >> >> do
> >> >> >> >> >> anything
> >> >> >> >> >> in mysql after few minutes my ssh gets freeze. I dont know
> >> >> >> >> >> what
> >> >> >> >> >> is
> >> >> >> >> >> happening so looking to my /var/log/secure nothing is
> pointing
> >> >> >> >> >> there
> >> >> >> >> >> then I
> >> >> >> >> >> look into my ossec logs and I notice these lines.
> >> >> >> >> >>
> >> >> >> >> >> In my /var/ossec/log/ossec-log I see this
> >> >> >> >> >>
> >> >> >> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck
> >> >> >> >> >> scan.
> >> >> >> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response
> command
> >> >> >> >> >> not
> >> >> >> >> >> present: '/var/ossec/active-response/bin/restart-ossec.cmd'.
> >> >> >> >> >> Not
> >> >> >> >> >> using
> >> >> >> >> >> it
> >> >> >> >> >> on this system.
> >> >> >> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting
> rootcheck
> >> >> >> >> >> scan.
> >> >> >> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck
> >> >> >> >> >> scan.
> >> >> >> >> >>
> >> >> >> >> >> But in my /var/ossec/log/active-responses.log I see this
> >> >> >> >> >>
> >> >> >> >> >> Sun Dec 8 15:14:25 MYT 2013
> >> >> >> >> >> /var/ossec/active-response/bin/host-deny.sh
> >> >> >> >> >> delete - 10.212.134.200 1386486234.11964 31106
> >> >> >> >> >> Sun Dec 8 15:14:25 MYT 2013
> >> >> >> >> >> /var/ossec/active-response/bin/firewall-drop.sh delete -
> >> >> >> >> >> 10.212.134.200
> >> >> >> >> >> 1386486234.11964 31106
> >> >> >> >> >>
> >> >> >> >> >> What can I do about this?
> >> >> >> >> >>
> >> >> >> >> >
> >> >> >> >>
> >> >> >> > --
> >> >> >> >
> >> >> >> > ---
> >> >> >> > You received this message because you are subscribed to the
> Google
> >> >> >> > Groups
> >> >> >> > "ossec-list" group.
> >> >> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >> >> >> > send
> >> >> >> > an
> >> >> >> > email to [email protected].
> >> >> >> > For more options, visit
> https://groups.google.com/groups/opt_out.
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send
> >> >> > an
> >> >> > email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to a topic in the
> >> Google Groups "ossec-list" group.
> >> To unsubscribe from this topic, visit
> >> https://groups.google.com/d/topic/ossec-list/WDRGoRYLjp0/unsubscribe.
> >> To unsubscribe from this group and all its topics, send an email to
> >> [email protected].
> >>
> >> For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/WDRGoRYLjp0/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
