Hi there!
Rule 1002 is triggering because of the word "error" in the alert and there is no specific
decoder for this alert:
# ./ossec-logtest
2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
ossec-testrule: Type one log per line.
[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
**Phase 1: Completed pre-decoding.
full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
hostname: 'spookerlabs'
program_name: '(null)'
log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Rule 1002:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<options>alert_by_email</options>
<description>Unknown problem somewhere in the system.</description>
</rule>
Since this rule is level 2, it's not going to trigger an active response,
as your config said to alert only on level 5 or higher.
More info here: http://ossec-docs.readthedocs.org/en/latest/manual/ar/
Looking into the ModSecurity rules, there are 2 under the Apache rules:
<rule id="30200" level="6" noalert="1">
<match>^mod_security-message: </match>
<description>Modsecurity alert.</description>
</rule>
<rule id="30201" level="6">
<if_sid>30200</if_sid>
<match>^mod_security-message: Access denied </match>
<description>Modsecurity access denied.</description>
<group>access_denied,</group>
</rule>
But I think it needs to be updated to "ModSecurity: Access denied" instead of
"mod_security-message: Access denied".
Do you have a raw log different from error? Is this a common modsec error
log? Maybe a decoder needs to be created for that.
Hope it helps.
On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]>
wrote:
> Hello Rodrigo,
> Thank you so much for answering me. So, some time ago I had an
> installation of ossec with the same configuration; ossec read the
> error.log of apache and blocked the attacks on iptables with the active
> response. I really don't know if something has changed in the last version
> of ossec, but it doesn't block any kind of attack (ssh brute force, http
> attacks, etc). Attached below are my ossec.conf and some alerts from
> alert.conf. My active-responses.log is empty.
> When I executed the command (cat /var/chroot/var/log/apache2/error.log |
> /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received
> the following message:
>
> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating
> output...
>
> Report completed. ==
> ------------------------------------------------
> ->Processed alerts: 3940
> ->Post-filtering alerts: 3940
> ->First alert: 2015 Feb 09 01:03:00
> ->Last alert: 2015 Feb 09 01:03:01
>
>
> Top entries for 'Level':
> ------------------------------------------------
> Severity 6                                          |3864 |
> Severity 13                                         |76   |
>
>
> Top entries for 'Group':
> ------------------------------------------------
> errors                                              |3940 |
> syslog                                              |3940 |
>
> Top entries for 'Location':
> ------------------------------------------------
> ubuntu->stdin                                       |3940 |
>
>
> Top entries for 'Rule':
> ------------------------------------------------
> 1002 - Unknown problem somewhere in the system.     |3864 |
> 1003 - Non standard syslog message (size too large).|76   |
>
> Thank you for your help.
>
>
> Em domingo, 8 de fevereiro de 2015 22:25:22 UTC-2, Rodrigo Montoro
> (Sp0oKeR) escreveu:
>>
>> Hi Ricardo,
>>
>> I think modsec isn't apache format; could you share some alert samples
>> from your log file?
>>
>> A good way to test if ossec will work with your log format is using
>> logtest: http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>>
>> About active-response, how is your ossec.conf configured? Could you
>> share it? Anyway, OSSEC won't block any attack, only take some action on
>> some attacks. Looking into /var/ossec/log/ you could see the
>> active-response log.
>>
>> Let me know if this helps.
>>
>> Thanks
>>
>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]>
>> wrote:
>>
>>> Hi there guys,
>>> I'm facing a problem with ossec; I hope you can help me. I've configured
>>> my ossec to monitor apache's and modsecurity's logs in my chroot. I put the
>>> lines below in ossec.conf:
>>>
>>> <localfile>
>>> <log_format>apache</log_format>
>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>>> </localfile>
>>>
>>> <localfile>
>>> <log_format>apache</log_format>
>>> <location>/var/chroot/var/log/apache2/error.log</location>
>>> </localfile>
>>>
>>> The problem is that ossec doesn't block any attack. I receive
>>> ossec's logs normally, but every log has the same ID, like this:
>>>
>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> Thank you for your attention.
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://spookerlabs.blogspot.com
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>>
--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
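To make the two points at the top of this thread concrete (rule 1002 fires on the word "error" in the Apache 2.4 `[:error]` tag because no decoder claims the line, and rule 30201's `^mod_security-message:` match never sees the `ModSecurity: Access denied` text), here is an added example, not OSSEC or ModSecurity project code. It parses the quoted event into the fields a ModSecurity decoder would extract and tests the old and proposed `<match>` strings against it. `ossec_match()` is a simplified model of OSSEC's `<match>` (substring test, `|` alternatives, leading `^` anchor), not the real matching engine; the `SAMPLE_WITH_PORT` and `NOT_MODSEC` lines, the rule id 900000, the path `/path/to/constructed.conf` and the unique_id in them are constructed placeholders.

```python
"""Decode an Apache 2.4 + ModSecurity 2.x error-log line the way an OSSEC
decoder would, and test which OSSEC <match> strings hit it.

Added example for the ossec-list thread; not OSSEC or ModSecurity code.
"""
import re

# Constructed sample: the event quoted in the thread, joined onto one line.
SAMPLE = (
    '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] '
    'ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against '
    '"REQUEST_HEADERS:Content-Length" required. '
    '[file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    '[line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but '
    'Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] '
    '[maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] '
    '[unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
)
# Constructed: a Warning (not a block) whose client field carries the ":port"
# suffix Apache 2.4 adds; rule id, path and unique_id are placeholders.
SAMPLE_WITH_PORT = (
    '[Mon Feb 09 00:12:00.000000 2015] [:error] [pid 4243] [client 10.0.0.5:43122] '
    'ModSecurity: Warning. Pattern match "x" at ARGS:q. '
    '[file "/path/to/constructed.conf"] [line "1"] [id "900000"] '
    '[msg "constructed test event"] [severity "WARNING"] [uri "/search"] '
    '[unique_id "CONSTRUCTED0001"]'
)
# Constructed: an Apache error line that has nothing to do with ModSecurity.
NOT_MODSEC = (
    '[Mon Feb 09 00:13:00.000000 2015] [core:error] [pid 4244] '
    '[client 192.0.2.7:51000] Invalid method in request (constructed line)'
)

# Apache 2.4 error-log prefix ("[:error] [pid N] [client ip(:port)]") followed
# by the ModSecurity message. The port suffix is optional; IPv4 only, since an
# IPv6 client address would itself contain ':'.
PREFIX_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<module_level>[^\]]*)\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<srcip>[^\]:]+)(?::\d+)?\] ModSecurity: (?P<action>Access denied|Warning)'
)
# ModSecurity's metadata is a trailing run of [key "value"] pairs.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')


def decode_modsec(line):
    """Return the fields a ModSecurity decoder would extract, or None if the
    line is not a ModSecurity event (generic rules such as 1002 see it instead)."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()                         # timestamp, module_level, pid, srcip, action
    event.update(dict(FIELD_RE.findall(line)))    # file, line, id, msg, severity, uri, ...
    return event


def ossec_match(pattern, log):
    """Simplified OSSEC <match>: return the first '|'-separated alternative found
    in the log (a leading '^' means 'at the start of the log'), else None."""
    for alt in pattern.split('|'):
        if alt.startswith('^'):
            if log.startswith(alt[1:]):
                return alt
        elif alt in log:
            return alt
    return None


# The $BAD_WORDS variable behind rule 1002, as quoted in the thread.
BAD_WORDS = ('core_dumped|failure|error|attack|bad |illegal|denied|refused|'
             'unauthorized|fatal|failed|Segmentation Fault|Corrupted')
# Rule 30201's current <match> versus the prefix proposed in the thread.
OLD_30201 = '^mod_security-message: Access denied '
PROPOSED_30201 = 'ModSecurity: Access denied'


def explain(line):
    """Summarise how a line is treated: decoded fields and which matches hit."""
    event = decode_modsec(line)
    decoded = None
    if event is not None:
        decoded = {k: event.get(k) for k in ('srcip', 'action', 'id', 'msg', 'uri')}
    return {
        'decoded': decoded,
        'rule_1002_hit_on': ossec_match(BAD_WORDS, line),   # 'error' from "[:error]"
        'old_30201': ossec_match(OLD_30201, line),          # anchored prefix never matches
        'proposed_30201': ossec_match(PROPOSED_30201, line),
    }


if __name__ == '__main__':
    for line in (SAMPLE, SAMPLE_WITH_PORT, NOT_MODSEC):
        print(explain(line))
```

Running it shows that all three lines, including the plain Apache error, hit rule 1002 on "error" purely because of the `[:error]` level tag, that the anchored `^mod_security-message:` match never fires on this format, and that the decoder only claims the two ModSecurity lines, yielding `srcip` 37.128.148.180, rule id 960904 and uri /nyet.gif for the quoted event, which is what a level-6 ModSecurity rule and an active response would need.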