Dear Dan,
              Sorry, I am very new to these custom rules. So is this the
correct version now? Is there any special convention on how to set the rule
id? Of course it can't be overlapping with existing rule ids? Where do I put
the url get.php?

<rule id="311011" level="5">
 <if_sid>31106</if_sid>
 <srcip>10.212.134.200</srcip>
 <description></description>
</rule>


On Mon, Dec 16, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:

> On Mon, Dec 16, 2013 at 9:52 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> >               Sorry for the obfuscation. The select statement from the log
> > is as following
> >
> > SELECT+%2A+FROM+%60tblTemp1%60+order+by+temp1ID+desc+limit+0%2C10 . So it
> > matches the Select, From. But I have put the limit, yet it still locks me
> > down?
> >
> > I have read about custom rules here
> > http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf . So must I first
> > create a group and then put it in there? I am not too sure it can be like
> > below; I just put 311011, and is it to be stored in local_rules.xml?
> >
> >
> > <rule id="311011" level="5">
>
> You probably don't want this at level 5. You want to ignore this
> traffic right? If so, drop the level (0-1 is probably best).
>
> >  <if_sid>311011</if_sid>
>
> You shouldn't if_sid yourself. This basically says "if rule 311011 is
> triggered, use this alert instead." Since 311011 will never trigger
> (because 311011 will never trigger (because 311011 will never trigger
> (because 311011 will never trigger (because 311011 will never
> trigger...)))), 311011 will never trigger.
> You want "<if_sid>31106</if_sid>
>
> >  <srcip>10.212.134.200</srcip>
> >  <description></description>
> > </rule>
> >
> > Regards,
> > Frwa.
> >
> >
> > On Fri, Dec 13, 2013 at 9:32 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Fri, Dec 13, 2013 at 8:00 AM, frwa onto <[email protected]> wrote:
> >> > Dear Dan,
> >> >               You were right, I saw this in my alerts.log. Actually I
> >> > know what the problem is: it happens when I query for huge data; for a
> >> > simple few hundred data it's fine. So why does this behaviour trigger
> >> > this event?
> >> >
> >> > ** Alert 1386438523.563: - web,accesslog,attack,
> >> > 2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
> >> > Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> >> > Src IP: 10.212.134.200
> >> > 10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET
> >> > /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=*****
> >> > HTTP/1.1" 200 78927
> >> > "http://******/*****/*****.php?****=********=*****&token=**********";
> >> > "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
> >> > Gecko) Chrome/31.0.1650.63 Safari/537.36"
> >> >
> >>
> >> I'm going to assume the "*"s in the above log message are bad attempts
> >> at obfuscating the log message. Hopefully they aren't important in
> >> tracking this down.
> >>
> >> So I explained how to figure things out in my last message, but you
> >> don't pay much attention. So I'll break it down for anyone who does
> >> care.
> >>
> >> Rule 31103 has the following match parameters:
> >> <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
> >>     <url>union+|where+|null,null|xp_cmdshell</url>
> >>
> >> Each item (separated by the "|") is a different possible match. It's
> >> hard to tell for sure (again, the obfuscation is horrendous), but I
> >> think "sql_query=SELE******" from the log message may be a "SELECT[
> >> +]" This matches the <url> above (the first option being "select " and
> >> the second being "select+"). Without any other evidence I'll say
> >> that's a match. At a quick glance, 3110[45] don't look like they'll
> >> match this log message.
> >>
> >> So to keep this from happening in the future, I'd probably write a
> >> custom rule that looks for:
> >> if_sid 31103
> >> srcip IP_BEING_BANNED
> >> url get.php
> >>
> >>
> >> >
> >> >
> >> > On Thu, Dec 12, 2013 at 9:20 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <[email protected]> wrote:
> >> >> > Dear Dan,
> >> >> >               Ok I went into web_rules.xml and saw it says "A web
> >> >> > attack returned code 200 (success)". So what could be the problem? I
> >> >> > am just accessing data from my phpmyadmin, what is the attack? No
> >> >> > description on this?
> >> >> >
> >> >>
> >> >> That's basically what you have to track down. Take a look at the alert
> >> >> in alerts.log, it should contain the log message that triggered that
> >> >> alert.
> >> >> Rule 31106 looks at 3 other alerts, plus a 200 response from the web
> >> >> server. Looking at 31103 (the first if_sid in 31106) you can see that
> >> >> it looks for possible SQL injection attacks. Does any of the <url>
> >> >> snippets exist in the log message that triggered the alert? If not, do
> >> >> the same exercise with 31104 and 31105. When you've found the alert
> >> >> that triggered 31106, it might be easier to create a rule to "white
> >> >> list" your system (you could probably do this with 31106 as well, but
> >> >> I like to stop the chain earlier if possible).
> >> >>
> >> >> I'll only do so much of your work before I require a contract.
> >> >>
> >> >> > Regards,
> >> >> > Frwa.
> >> >> >
> >> >> > On Tuesday, December 10, 2013 10:29:09 PM UTC+8, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <[email protected]> wrote:
> >> >> >> > Dear Dan,
> >> >> >> >               Even if I am logged in with another email it is the
> >> >> >> > same scenario, I get locked. It's more to do with phpmyadmin. Could
> >> >> >> > it be that I am doing a big select statement causing this behavior?
> >> >> >> > Is it possible to pause the active response temporarily? How can I
> >> >> >> > further investigate the cause?
> >> >> >> >
> >> >> >>
> >> >> >> Look at the alerts (rule ID 31106 specifically). They will provide
> >> >> >> more information about what is happening.
> >> >> >>
> >> >> >> > Regards,
> >> >> >> > Frwa.
> >> >> >> >
> >> >> >> > On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]> wrote:
> >> >> >> >> > Dear Christian,
> >> >> >> >> >                      Thank you for sharing your experience too.
> >> >> >> >> > Hopefully someone can exactly confirm what is the main cause of
> >> >> >> >> > this behavior? I am not sure if turning off the active response
> >> >> >> >> > should help?
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> If the IP address being blocked in the active response log is your
> >> >> >> >> IP address, then that is what is causing you to lose your ssh
> >> >> >> >> connection.
> >> >> >> >>
> >> >> >> >> > Regards,
> >> >> >> >> > Frwa.
> >> >> >> >> >
> >> >> >> >> >
> >> >> >> >> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian Beer wrote:
> >> >> >> >> >>
> >> >> >> >> >> I also had this problem some time ago. Make sure you either
> >> >> >> >> >> whitelist your IP (if it doesn't change) or disable ossec before
> >> >> >> >> >> using phpmyadmin.
> >> >> >> >> >> As it is now, some actions are detected by ossec as malicious
> >> >> >> >> >> SQLInjection attacks and thus trigger the rule 31106. The
> >> >> >> >> >> firewall-drop is triggered by the 31106 rule and thus your ssh
> >> >> >> >> >> freezes. I found (and didn't really investigate) no other way to
> >> >> >> >> >> whitelist the phpmyadmin installation.
> >> >> >> >> >>
> >> >> >> >> >> Regards
> >> >> >> >> >> Christian
> >> >> >> >> >>
> >> >> >> >> >> On 10.12.2013 03:54, frwa onto wrote:
> >> >> >> >> >> > Dear Dan,
> >> >> >> >> >> >               This log is showing " 2013/12/08 01:48:43
> >> >> >> >> >> > ossec-execd: INFO: Active response command not present:
> >> >> >> >> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using
> >> >> >> >> >> > it on this system. " That active response is not present, so
> >> >> >> >> >> > then why does it deny the host? In fact that is my local ip,
> >> >> >> >> >> > where I am accessing the server locally, not from external.
> >> >> >> >> >> > All I do is use phpmyadmin to access my db, and I always get
> >> >> >> >> >> > denied and my ssh is broken? Does ossec sniff it as an attack,
> >> >> >> >> >> > is it?
> >> >> >> >> >> >
> >> >> >> >> >> > Regards,
> >> >> >> >> >> > Frwa.
> >> >> >> >> >> >
> >> >> >> >> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
> >> >> >> >> >> >>
> >> >> >> >> >> >> I have centos 6.5 (Final) running. Lately I notice whenever I
> >> >> >> >> >> >> do anything in mysql, after a few minutes my ssh freezes. I
> >> >> >> >> >> >> don't know what is happening, so looking at my /var/log/secure
> >> >> >> >> >> >> nothing is pointing there; then I look into my ossec logs and
> >> >> >> >> >> >> I notice these lines.
> >> >> >> >> >> >>
> >> >> >> >> >> >> In my /var/ossec/log/ossec-log I see this
> >> >> >> >> >> >>
> >> >> >> >> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
> >> >> >> >> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
> >> >> >> >> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> >> >> >> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> >> >> >> >> >>
> >> >> >> >> >> >> But in my /var/ossec/log/active-responses.log I see this
> >> >> >> >> >> >>
> >> >> >> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
> >> >> >> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106
> >> >> >> >> >> >>
> >> >> >> >> >> >> What can I do about this?
> >> >> >> >> >> >>
> >> >> >> >> >> >
> >> >> >> >> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
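The whitelist rule Dan describes earlier in the thread (a child of 31103 restricted to the banned source IP and the get.php URL, at a level that makes OSSEC ignore the event), written out as an added example for local_rules.xml; it is not code from the thread, and the rule id 100100 and the group name are assumptions (OSSEC reserves ids 100000 to 119999 for user-defined rules, which also answers the question about picking an id).

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Rule id 100100 and the group name are assumed; pick any id in the
     user-defined range 100000-119999 so it cannot collide with OSSEC's own rules. -->
<group name="local,web,accesslog,">
  <rule id="100100" level="0">
    <!-- Hook the rule that actually matched the phpMyAdmin query (SQL injection
         signatures), not 31106: stopping the chain here means 31106 and its
         firewall-drop / host-deny active response never see this event. -->
    <if_sid>31103</if_sid>
    <!-- The admin workstation from the alert ("Src IP"); srcip is filled in by
         the web access-log decoder, as the alert above shows. -->
    <srcip>10.212.134.200</srcip>
    <!-- Limit the exception to the phpMyAdmin query endpoint so SQL-looking
         requests from the same host to other paths still alert. In OSSEC's
         regex dialect a plain "." is a literal dot, so get.php matches as written. -->
    <url>get.php</url>
    <!-- Level 0 = ignore: no alert is written and no active response fires. -->
    <description>phpMyAdmin query from the trusted admin host, not SQL injection.</description>
  </rule>
</group>
```

ossec-logtest reads the rule files from disk, so pasting the offending access_log line into /var/ossec/bin/ossec-logtest shows whether it now ends at rule 100100 (level 0) instead of 31106 before you restart OSSEC.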