On Wed, Dec 18, 2013 at 8:27 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
>               Sorry, very new to these custom rules. So is this the correct
> version now? Is there any special convention on how to set the rule id? Of
> course it can't overlap with existing rule ids. Where do I put the url
> get.php?
>

I think we recommend rule IDs larger than 100000 for custom rules.
I think you can use <url>get.php</url>, but if that doesn't work try
<match>get.php</match>

> <rule id="311011" level="5">
>  <if_sid>31106</if_sid>
>  <srcip>10.212.134.200</srcip>
>  <description></description>
> </rule>
>
>
> On Mon, Dec 16, 2013 at 10:58 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Dec 16, 2013 at 9:52 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> >               Sorry for the obfuscation. The select statement from the log
>> > is as follows:
>> >
>> > SELECT+%2A+FROM+%60tblTemp1%60+order+by+temp1ID+desc+limit+0%2C10
>> >
>> > So it matches the Select, From. But I have put the limit, yet it still
>> > locks me down?
>> >
>> > I have read about custom rules here:
>> > http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf . So must I first
>> > create a group and then put it in? I am not too sure; can it be like
>> > below, where I just put 311011, and is it to be stored in local_rules.xml?
>> >
>> >
>> > <rule id="311011" level="5">
>>
>> You probably don't want this at level 5. You want to ignore this
>> traffic right? If so, drop the level (0-1 is probably best).
>>
>> >  <if_sid>311011</if_sid>
>>
>> You shouldn't if_sid yourself. This basically says "if rule 311011 is
>> triggered, use this alert instead." Since 311011 will never trigger
>> (because 311011 will never trigger (because 311011 will never trigger
>> (because 311011 will never trigger (because 311011 will never
>> trigger...)))), 311011 will never trigger.
>> You want "<if_sid>31106</if_sid>".
>>
>> >  <srcip>10.212.134.200</srcip>
>> >  <description></description>
>> > </rule>
>> >
>> > Regards,
>> > Frwa.
>> >
>> >
>> > On Fri, Dec 13, 2013 at 9:32 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Fri, Dec 13, 2013 at 8:00 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> >               You were right, I saw this in my alerts.log. Actually I know
>> >> > what the problem is: it happens when I query for huge data; for a simple
>> >> > few hundred data it's fine. So why does this behaviour trigger this event?
>> >> >
>> >> > ** Alert 1386438523.563: - web,accesslog,attack,
>> >> > 2013 Dec 08 01:48:43 localhost->/var/log/httpd/access_log
>> >> > Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
>> >> > Src IP: 10.212.134.200
>> >> > 10.212.134.200 - - [08/Dec/2013:01:48:42 +0800] "GET /*****/get.php?db1=****&****=****&sql_query=SELE******&show_query=1&token=***** HTTP/1.1" 200 78927 "http://******/*****/*****.php?****=********=*****&token=**********" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
>> >> >
>> >>
>> >> I'm going to assume the "*"s in the above log message are bad attempts
>> >> at obfuscating the log message. Hopefully they aren't important in
>> >> tracking this down.
>> >>
>> >> So I explained how to figure things out in my last message, but you
>> >> don't pay much attention. So I'll break it down for anyone who does
>> >> care.
>> >>
>> >> Rule 31103 has the following match parameters:
>> >>
>> >>     <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
>> >>     <url>union+|where+|null,null|xp_cmdshell</url>
>> >>
>> >> Each item (separated by the "|") is a different possible match. It's
>> >> hard to tell for sure (again, the obfuscation is horrendous), but I
>> >> think "sql_query=SELE******" from the log message may be a "SELECT[
>> >> +]" This matches the <url> above (the first option being "select " and
>> >> the second being "select+"). Without any other evidence I'll say
>> >> that's a match. At a quick glance, 3110[45] don't look like they'll
>> >> match this log message.
>> >>
>> >> So to keep this from happening in the future, I'd probably write a
>> >> custom rule that looks for:
>> >> if_sid 31103
>> >> srcip IP_BEING_BANNED
>> >> url get.php
>> >>
>> >>
>> >> >
>> >> >
>> >> > On Thu, Dec 12, 2013 at 9:20 PM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> On Thu, Dec 12, 2013 at 8:04 AM, frwa onto <[email protected]>
>> >> >> wrote:
>> >> >> > Dear Dan,
>> >> >> >               Ok, I went into web_rules.xml and saw it says "A web
>> >> >> > attack returned code 200 (success)". So what could be the problem? I am
>> >> >> > just accessing data from my phpmyadmin; what is the attack? Is there no
>> >> >> > description of this?
>> >> >> >
>> >> >>
>> >> >> That's basically what you have to track down. Take a look at the
>> >> >> alert
>> >> >> in alerts.log, it should contain the log message that triggered that
>> >> >> alert.
>> >> >> Rule 31106 looks at 3 other alerts, plus a 200 response from the web
>> >> >> server. Looking at 31103 (the first if_sid in 31106) you can see
>> >> >> that
>> >> >> it looks for possible SQL injection attacks. Does any of the <url>
>> >> >> snippets exist in the log message that triggered the alert? If not,
>> >> >> do
>> >> >> the same exercise with 31104 and 31105. When you've found the alert
>> >> >> that triggered 31106, it might be easier to create a rule to "white
>> >> >> list" your system (you could probably do this with 31106 as well,
>> >> >> but
>> >> >> I like to stop the chain earlier if possible).
>> >> >>
>> >> >> I'll only do so much of your work before I require a contract.
>> >> >>
>> >> >> > Regards,
>> >> >> > Frwa.
>> >> >> >
>> >> >> > On Tuesday, December 10, 2013 10:29:09 PM UTC+8, dan (ddpbsd)
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> On Tue, Dec 10, 2013 at 9:25 AM, frwa onto <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> >               Even if I am logged in with another email it is the same
>> >> >> >> > scenario, I get locked. It has more to do with phpmyadmin. Could it
>> >> >> >> > be that I am doing a big select statement, causing this behavior? Is
>> >> >> >> > it possible to pause the active response temporarily? How can I
>> >> >> >> > further investigate the cause?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Look at the alerts (rule ID 31106 specifically). They will
>> >> >> >> provide
>> >> >> >> more information about what is happening.
>> >> >> >>
>> >> >> >> > Regards,
>> >> >> >> > Frwa.
>> >> >> >> >
>> >> >> >> > On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd)
>> >> >> >> > wrote:
>> >> >> >> >>
>> >> >> >> >> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]>
>> >> >> >> >> wrote:
>> >> >> >> >> > Dear Christian,
>> >> >> >> >> >                      Thank you for sharing your experience too.
>> >> >> >> >> > Hopefully someone can confirm exactly what the main cause of this
>> >> >> >> >> > behavior is. I am not sure if turning off the active response
>> >> >> >> >> > would help?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> If the IP address being blocked in the active response log is
>> >> >> >> >> your
>> >> >> >> >> IP
>> >> >> >> >> address, then that is what is causing you to lose your ssh
>> >> >> >> >> connection.
>> >> >> >> >>
>> >> >> >> >> > Regards,
>> >> >> >> >> > Frwa.
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian
>> >> >> >> >> > Beer
>> >> >> >> >> > wrote:
>> >> >> >> >> >>
>> >> >> >> >> >> I also had this problem some time ago. Make sure you either
>> >> >> >> >> >> whitelist your IP (if it doesn't change) or disable ossec before
>> >> >> >> >> >> using phpmyadmin.
>> >> >> >> >> >> As it is now, some actions are detected by ossec as malicious
>> >> >> >> >> >> SQL injection attacks and thus trigger the rule 31106. The
>> >> >> >> >> >> firewall-drop is triggered by the 31106 rule and thus your ssh
>> >> >> >> >> >> freezes. I found (and didn't really investigate) no other way to
>> >> >> >> >> >> whitelist the phpmyadmin installation.
>> >> >> >> >> >>
>> >> >> >> >> >> Regards
>> >> >> >> >> >> Christian
>> >> >> >> >> >>
>> >> >> >> >> >> On 10.12.2013 03:54, frwa onto wrote:
>> >> >> >> >> >> > Dear Dan,
>> >> >> >> >> >> >               This log is showing "2013/12/08 01:48:43 ossec-execd: INFO:
>> >> >> >> >> >> > Active response command not present:
>> >> >> >> >> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
>> >> >> >> >> >> > this system." That active response is not present, right? So then
>> >> >> >> >> >> > why does it deny the host? In fact that is my local IP, where I am
>> >> >> >> >> >> > accessing the server locally, not from external. All I do is use
>> >> >> >> >> >> > phpmyadmin to access my db, and I always get denied and my ssh is
>> >> >> >> >> >> > broken. Does ossec sniff it as an attack?
>> >> >> >> >> >> >
>> >> >> >> >> >> > Regards,
>> >> >> >> >> >> > Frwa.
>> >> >> >> >> >> >
>> >> >> >> >> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> I have CentOS 6.5 (Final) running. Lately I notice that whenever I
>> >> >> >> >> >> >> do anything in mysql, after a few minutes my ssh freezes. I don't
>> >> >> >> >> >> >> know what is happening, so I looked in my /var/log/secure; nothing
>> >> >> >> >> >> >> is pointing there. Then I looked into my ossec logs and I noticed
>> >> >> >> >> >> >> these lines.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> In my /var/ossec/log/ossec-log I see this:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> >> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> >> >> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> But in my /var/ossec/log/active-responses.log I see this:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >> >> >> >> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> What can I do about this?
>> >> >> >> >> >> >>
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> > --
>> >> >> >> >> >
>> >> >> >> >> > ---
>> >> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> >> > Google
>> >> >> >> >> > Groups
>> >> >> >> >> > "ossec-list" group.
>> >> >> >> >> > To unsubscribe from this group and stop receiving emails
>> >> >> >> >> > from
>> >> >> >> >> > it,
>> >> >> >> >> > send
>> >> >> >> >> > an
>> >> >> >> >> > email to [email protected].
>> >> >> >> >> > For more options, visit
>> >> >> >> >> > https://groups.google.com/groups/opt_out.


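As an added example (not code from the thread or from the OSSEC project), here is the whitelist rule Dan sketched earlier ("if_sid 31103 / srcip IP_BEING_BANNED / url get.php"), written out as a complete fragment for /var/ossec/rules/local_rules.xml. It takes the source address 10.212.134.200 and the path get.php from the alert quoted in the thread; the rule id 100100, the group name and the description text are my own choices, picked to sit in the user range above 100000 that Dan mentions.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml.
     Rule id 100100 and the group name are assumptions; change them to suit.
     Parent 31103 is OSSEC's "SQL injection attempt" URL rule (web_rules.xml);
     31106 hangs off it and fires the firewall-drop/host-deny responses. -->
<group name="local,web,accesslog,">

  <!-- Match phpMyAdmin queries from the admin workstation at the point where
       the chain starts (31103) instead of at 31106.  Level 0 means the event
       is matched but never alerted on, so no active response is triggered. -->
  <rule id="100100" level="0">
    <if_sid>31103</if_sid>
    <srcip>10.212.134.200</srcip>
    <url>get.php</url>
    <description>phpMyAdmin query from the admin workstation; not an SQL injection.</description>
  </rule>

</group>
```

After saving the file, restart OSSEC (/var/ossec/bin/ossec-control restart) and verify the match before trusting it: paste the exact access_log line from alerts.log into /var/ossec/bin/ossec-logtest and check that the final rule it reports is 100100, not 31106. If 31106 still wins for that line, change <if_sid> to 31106, which Dan notes is also possible; if <url> does not match the decoded request, use <match>get.php</match> as he suggests in the reply above.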