Hi Dan,

Thank you for your attention. I'm at work now, and I'm not able to access my VPS from here, but tonight when I leave the company I'll send you the log file.
On Monday, February 9, 2015 at 15:42:46 UTC-2, dan (ddpbsd) wrote:
> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <[email protected]> wrote:
> > Hi Rodrigo,
> > I've seen the file syslog_rules.xml to see the rule with ID 1002, I understood the rule perfectly. As you said, I've changed the field <match> of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the level of drop in my ossec.conf to level 2. Unfortunately, though, it doesn't solve my problem. It's like the apache rules don't match any log record, just the rule ID 1002 from syslog_rules.
>
> Can you provide a log sample?
>
> > On the other hand, I made a laboratory with ossec 2.7 and it works perfectly. I made a scan with Nikto and ossec blocked normally.
> >
> > On Monday, February 9, 2015 at 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> >> Hi there!
> >>
> >> Rule 1002 is triggering because of the "error" word in the alert and no specific decoder for this alert.
> >>
> >> #./ossec-logtest
> >>
> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
> >> ossec-testrule: Type one log per line.
> >>
> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >>        hostname: 'spookerlabs'
> >>        program_name: '(null)'
> >>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >>
> >> **Phase 2: Completed decoding.
> >>        No decoder matched.
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '1002'
> >>        Level: '2'
> >>        Description: 'Unknown problem somewhere in the system.'
> >> **Alert to be generated.
> >>
> >>
> >> Rule 1002
> >>
> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
> >>
> >> <rule id="1002" level="2">
> >>   <match>$BAD_WORDS</match>
> >>   <options>alert_by_email</options>
> >>   <description>Unknown problem somewhere in the system.</description>
> >> </rule>
> >>
> >> Since this rule is level 2, it's not going to trigger an active response, since your config said to alert only at level 5 or higher.
> >>
> >> More info here http://ossec-docs.readthedocs.org/en/latest/manual/ar/
> >>
> >> Looking into the Modsecurity rules, there are 2 under the apache rules:
> >>
> >> <rule id="30200" level="6" noalert="1">
> >>   <match>^mod_security-message: </match>
> >>   <description>Modsecurity alert.</description>
> >> </rule>
> >>
> >> <rule id="30201" level="6">
> >>   <if_sid>30200</if_sid>
> >>   <match>^mod_security-message: Access denied </match>
> >>   <description>Modsecurity access denied.</description>
> >>   <group>access_denied,</group>
> >> </rule>
> >>
> >> But I think it needs to be updated to "ModSecurity: Access denied" instead of "mod_security-message: Access denied".
> >>
> >> Do you have a raw log different from error? Is this a common modsec error log? Maybe we need to create a decoder for that.
> >>
> >> Hope it helps.
> >>
> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]> wrote:
> >>> Hello Rodrigo,
> >>> Thank you so much for answering me. So, some time ago I had an installation of ossec with the same configuration; the ossec read the error.log of apache and blocked the attacks on iptables with the active response. I really don't know if something has changed in the last version of ossec, but it doesn't block any kind of attack (ssh brute force, http attacks, etc). Attached below are my ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
> >>> When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received the following message:
> >>>
> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
> >>>
> >>> Report completed. ==
> >>> ------------------------------------------------
> >>> ->Processed alerts: 3940
> >>> ->Post-filtering alerts: 3940
> >>> ->First alert: 2015 Feb 09 01:03:00
> >>> ->Last alert: 2015 Feb 09 01:03:01
> >>>
> >>>
> >>> Top entries for 'Level':
> >>> ------------------------------------------------
> >>> Severity 6                                             |3864 |
> >>> Severity 13                                            |76   |
> >>>
> >>>
> >>> Top entries for 'Group':
> >>> ------------------------------------------------
> >>> errors                                                 |3940 |
> >>> syslog                                                 |3940 |
> >>>
> >>> Top entries for 'Location':
> >>> ------------------------------------------------
> >>> ubuntu->stdin                                          |3940 |
> >>>
> >>>
> >>> Top entries for 'Rule':
> >>> ------------------------------------------------
> >>> 1002 - Unknown problem somewhere in the system.        |3864 |
> >>> 1003 - Non standard syslog message (size too large).   |76   |
> >>>
> >>> Thank you for your help.
> >>>
> >>>
> >>> On Sunday, February 8, 2015 at 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> >>>> Hi Ricardo,
> >>>>
> >>>> I think modsec isn't apache format; could you share some alert samples from your log file?
> >>>>
> >>>> A good way to test if ossec will work with your log format is using logtest: http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
> >>>>
> >>>> About active-response, how is your ossec.conf configured? Could you share it? Anyway, OSSEC won't block any attack, only take some action from some attack. Looking into /var/ossec/log/ you could see under the active-response log.
> >>>>
> >>>> Let me know if this helps.
> >>>>
> >>>> Thanks
> >>>>
> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
> >>>>> Hi there guys,
> >>>>> I'm facing a problem with ossec, I hope you can help me. I've configured my ossec to monitor apache's and modsecurity's logs of my chroot. I put the lines below in ossec.conf:
> >>>>>
> >>>>> <localfile>
> >>>>>   <log_format>apache</log_format>
> >>>>>   <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
> >>>>> </localfile>
> >>>>>
> >>>>> <localfile>
> >>>>>   <log_format>apache</log_format>
> >>>>>   <location>/var/chroot/var/log/apache2/error.log</location>
> >>>>> </localfile>
> >>>>>
> >>>>> The problem is that ossec doesn't block any attack. I receive ossec's logs normally, but every log has the same ID, like this:
> >>>>>
> >>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
> >>>>> Portion of the log(s):
> >>>>>
> >>>>> Thank you for your attention.
> >>>>>
> >>>>> --
> >>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>>>> For more options, visit https://groups.google.com/d/optout.
> >>>>
> >>>> --
> >>>> Rodrigo Montoro (Sp0oKeR)
> >>>> http://spookerlabs.blogspot.com
> >>>> http://www.twitter.com/spookerlabs
> >>>> http://www.linkedin.com/in/spooker
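To make Rodrigo's point concrete (the shipped rules 30200/30201 look for a `mod_security-message:` prefix the Apache 2.4 line never carries, rule 1002 fires only on the word "error", and a decoder may be needed), here is an added Python example that is not from the thread or from OSSEC: it decodes the quoted ModSecurity error-log line into the fields a decoder would expose and checks which of the discussed match patterns fire on it. `ossec_match` is a deliberately simplified stand-in for OSSEC's `<match>` (an assumption, not OSSEC's matcher), and the sample line is the thread's own, rejoined onto one line.

```python
import re
# Constructed sample: the Apache 2.4 / ModSecurity error-log line from the thread, on one line.
SAMPLE = (
    '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: '
    'Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" '
    'required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    '[line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] '
    '[severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] '
    '[uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]')

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N] [client IP[:port]] message
PREFIX_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] '
    r'\[pid (?P<pid>\d+)\] \[client (?P<srcip>[\d.]+)(?::\d+)?\] (?P<message>.*)$')
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # ModSecurity's trailing [key "value"] pairs

def parse_modsec_line(line):
    """Decode one Apache 2.4 error-log line into prefix fields, a 'denied' flag and every
    trailing [key "value"] pair (id, msg, severity, uri...); None if the prefix is absent."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    msg = fields['message']
    fields['denied'] = msg.startswith('ModSecurity: Access denied')
    fields.update(KV_RE.findall(msg))
    return fields

def ossec_match(pattern, text):
    """Simplified stand-in for OSSEC <match> (an assumption, not OSSEC's own matcher): '|' separates
    literal alternatives, a leading '^' anchors one at the start of the log text, else substring."""
    for alt in pattern.split('|'):
        if alt.startswith('^'):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False

def evaluate_rules(line):
    """Which of the match patterns discussed in the thread fire on this line."""
    return {
        'shipped_30201': ossec_match('^mod_security-message: Access denied ', line),
        # text edited but '^' kept: anchored where the line starts with the timestamp, so no match
        'anchored_edit': ossec_match('^ModSecurity: Access denied', line),
        'unanchored_edit': ossec_match('ModSecurity: Access denied', line),
        # rule 1002's BAD_WORDS: 'error' is inside '[:error]', so the generic rule fires
        'generic_1002': ossec_match('core_dumped|failure|error|attack|denied', line),
    }
```

If an edited rule still does not fire, the `anchored_edit` case is the first thing to compare against the actual `<match>` text, since the line begins with the timestamp rather than with `ModSecurity:`.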
