Hello Rodrigo,
Thank you so much for answering me. So, some time ago I had an installation 
of ossec with the same configuration; ossec read the error.log of 
apache and blocked the attacks in iptables with the active response. I 
really don't know if something has changed in the last version of ossec, 
but it doesn't block any kind of attack (ssh brute force, http attacks, 
etc). Please find attached my ossec.conf and some alerts from alert.conf. 
My active-responses.log is empty.
When I executed the command (cat /var/chroot/var/log/apache2/error.log | 
/var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received 
the following message:

2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 3940
->Post-filtering alerts: 3940
->First alert: 2015 Feb 09 01:03:00
->Last alert: 2015 Feb 09 01:03:01

Top entries for 'Level':
------------------------------------------------
Severity 6                                            |3864    |
Severity 13                                           |76      |

Top entries for 'Group':
------------------------------------------------
errors                                                |3940    |
syslog                                                |3940    |

Top entries for 'Location':
------------------------------------------------
ubuntu->stdin                                         |3940    |

Top entries for 'Rule':
------------------------------------------------
1002 - Unknown problem somewhere in the system.       |3864    |
1003 - Non standard syslog message (size too large).  |76      |

Thank you for your help.


On Sunday, February 8, 2015 at 22:25:22 UTC-2, Rodrigo Montoro 
(Sp0oKeR) wrote:
>
> Hi Ricardo,
>
> I think modsec isn't in apache format; could you share some alert samples 
> from your log file?
>
> A good way to test if ossec will work with your log format is using 
> logtest 
> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html 
>
> About active-response, how is your ossec.conf configured? Could you share 
> it? Anyway, OSSEC won't block any attack, only take some action for some 
> attacks. Looking into /var/ossec/log/ you could see the active-response 
> log.
>
> Let me know if this helps.
>
> Thanks
>
> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
>
>> Hi there guys,
>> I'm facing a problem with ossec; I hope you can help me. I've configured 
>> my ossec to monitor the apache and modsecurity logs of my chroot. I put the 
>> lines below in ossec.conf:
>>
>> <localfile>
>> <log_format>apache</log_format>
>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>apache</log_format>
>> <location>/var/chroot/var/log/apache2/error.log</location>
>> </localfile>
>>
>> The problem is that ossec doesn't block any attack. I receive 
>> ossec's logs normally, but every log has the same ID, like this:
>>
>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Thank you for your attention.
>>
>>  -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>  


Attachment: alert.log
Description: Binary data

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>alt2.gmail-smtp-in.l.google.com.</smtp_server>
    <email_from>ossecm@ubuntu</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>  

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>8.8.4.4</white_list>
    <white_list>8.8.8.8</white_list>
    <white_list>209.244.0.3</white_list>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>5</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 5 (the <level> set below).
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>5</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>5</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
  <localfile>
    <log_format>mysql_log</log_format>
    <!-- A file to read is given in <location>; <command> is only valid for
         the "command" and "full_command" log formats -->
    <location>/var/chroot/var/log/mysql/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/chroot/var/log/apache2/error.log</location>
  </localfile>


</ossec_config>
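Added example (not part of this thread and not OSSEC's own code): a short Python walk-through of the checks ossec-analysisd applies before an alert is handed to ossec-execd, using the `<active-response>`, `<command>` and `<white_list>` settings from the ossec.conf above. Both responses in that config declare `<expect>srcip</expect>`, so they can only run for alerts in which a decoder actually extracted a source IP; the generic syslog rules 1002 and 1003 that all 3940 events matched in the report never carry one, which is consistent with an empty active-responses.log. Two further points the example encodes: addresses listed in `<white_list>` are never blocked, and `ossec-logtest` only decodes and matches rules, it never triggers active responses, so the `ossec-logtest -a | ossec-reportd` pipeline cannot be used to test blocking. The alerts.log entries in the block are constructed for the example (they follow the alerts.log layout; rule 5712 is the stock sshd brute-force rule); the function and variable names are mine.

```python
"""Active-response gating walk-through for OSSEC alerts.

Added example, not OSSEC's own code. It re-implements, in Python, the three
checks ossec-analysisd applies before passing an alert to ossec-execd:
the <level> threshold, the field named in <expect>, and the global
<white_list>. The sample alerts below are constructed in alerts.log layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample alerts.log entries (not from the thread's attachment).
# Only the sshd alerts carry a "Src IP:" line; the 1002/1003 alerts come
# from the generic syslog rules, which decode no fields at all.
SAMPLE_ALERTS = """\
** Alert 1423447380.0: - syslog,errors,
2015 Feb 09 01:03:00 ubuntu->/var/chroot/var/log/apache2/error.log
Rule: 1002 (level 6) -> 'Unknown problem somewhere in the system.'
[Mon Feb 09 01:03:00 2015] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico

** Alert 1423447381.1: - syslog,sshd,authentication_failures,
2015 Feb 09 01:03:01 ubuntu->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.7
Feb  9 01:03:01 ubuntu sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2

** Alert 1423447382.2: - syslog,errors,
2015 Feb 09 01:03:02 ubuntu->/var/chroot/var/log/apache2/modsec_audit.log
Rule: 1003 (level 13) -> 'Non standard syslog message (size too large).'
--a1b2c3d4-A--

** Alert 1423447383.3: - syslog,sshd,authentication_failures,
2015 Feb 09 01:03:03 ubuntu->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 8.8.8.8
Feb  9 01:03:03 ubuntu sshd[2230]: Failed password for root from 8.8.8.8 port 40000 ssh2
"""


@dataclass
class Alert:
    rule_id: int
    level: int
    location: str
    srcip: Optional[str]  # None when no decoder extracted a source address


@dataclass(frozen=True)
class ActiveResponse:
    command: str        # <command> name inside <active-response>
    level: int          # <level>: fires for alerts at this level or above
    expect_srcip: bool  # the matching <command> block says <expect>srcip</expect>


# The two responses configured in the ossec.conf from this thread.
THREAD_RESPONSES = (
    ActiveResponse("host-deny", 5, True),
    ActiveResponse("firewall-drop", 5, True),
)
# IP entries of that config's <white_list> (the hostname pattern is omitted).
WHITE_LIST = frozenset({"127.0.0.1", "8.8.4.4", "8.8.8.8", "209.244.0.3"})

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
SRCIP_RE = re.compile(r"^Src IP: (\S+)")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (\S+)$")


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records; entries are blank-line separated."""
    alerts = []
    for block in text.strip().split("\n\n"):
        rule_id = level = None
        location, srcip = "", None
        for line in block.splitlines():
            if m := RULE_RE.match(line):
                rule_id, level = int(m.group(1)), int(m.group(2))
            elif m := SRCIP_RE.match(line):
                srcip = m.group(1)
            elif m := LOCATION_RE.match(line):
                location = m.group(1)
        if rule_id is not None:
            alerts.append(Alert(rule_id, level, location, srcip))
    return alerts


def gate(alert: Alert, ar: ActiveResponse, white_list=WHITE_LIST) -> Optional[str]:
    """Return why `ar` would NOT run for `alert`, or None if it would run."""
    if alert.level < ar.level:
        return f"level {alert.level} is below <level>{ar.level}</level>"
    if ar.expect_srcip:
        if alert.srcip is None:
            return "command expects srcip but no decoder extracted one"
        if alert.srcip in white_list:
            return f"{alert.srcip} is in <white_list>"
    return None


def plan_responses(alert: Alert, responses=THREAD_RESPONSES,
                   white_list=WHITE_LIST) -> List[Tuple[str, str]]:
    """(command, srcip) pairs that would be handed to ossec-execd for this alert."""
    return [(ar.command, alert.srcip or "")
            for ar in responses if gate(alert, ar, white_list) is None]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        fired = plan_responses(a)
        reasons = [r for r in (gate(a, ar) for ar in THREAD_RESPONSES) if r]
        print(f"rule {a.rule_id:>4} level {a.level:>2} {a.location}")
        print(f"    fires: {fired or 'nothing'}; skipped: {reasons or 'none'}")
```

Running it shows the thread's symptom directly: the 1002 and 1003 alerts clear the `<level>5</level>` threshold but are skipped because nothing decoded a `Src IP`, the sshd alert from 198.51.100.7 would trigger both host-deny and firewall-drop, and the sshd alert from 8.8.8.8 is dropped by the white list. The practical check on a real box is therefore to run one line of the monitored log through `ossec-logtest` (without `-a`) and confirm that the decoder output contains a `srcip` field; until it does, no `srcip`-expecting response can fire regardless of the rule level.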
