Hi guys,

I made some tests here with ossec 2.7. When I try to scan the target, modsec delivers a 403 error page, so ossec reads the apache access.log file, matches the rule with ID 31151 from web_rules.xml and blocks the attacker's IP on iptables. The rule follows below:

  <rule level="10" id="31151" timeframe="90" frequency="12">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip/>
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

The question is, why doesn't the same thing happen on ossec 2.8.1? Is there any problem if I use version 2.7?

On Monday, February 9, 2015 at 15:47:31 UTC-2, Ricardo Galossi wrote:
>
> Hi Dan,
> Thank you for your attention. I'm at work now, and I'm not able to access my VPS from here, but tonight when I leave the company I'll send you the log file.
>
> On Monday, February 9, 2015 at 15:42:46 UTC-2, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <[email protected]> wrote:
>>> Hi Rodrigo,
>>> I've seen the file syslog_rules.xml to see the rule with ID 1002, and I understood the rule perfectly. As you said, I've changed the field <match> of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the level of drop in my ossec.conf to level 2. Unfortunately, it doesn't solve my problem. It's like the apache rules don't match any log record, just the rule ID 1002 from syslog_rules.
>>>
>>
>> Can you provide a log sample?
>>
>>
>>> On the other hand, I made a laboratory with ossec 2.7 and it works perfectly. I made a scan with Nikto and ossec blocked it normally.
>>>
>>> On Monday, February 9, 2015 at 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
>>>>
>>>> Hi there!
>>>>
>>>> Rule 1002 is triggering because of the "error" word in the alert and no specific decoder for this alert.
>>>>
>>>> #./ossec-logtest
>>>>
>>>> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
>>>> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
>>>> ossec-testrule: Type one log per line.
>>>>
>>>> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
>>>>
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>>>>        hostname: 'spookerlabs'
>>>>        program_name: '(null)'
>>>>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        No decoder matched.
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '1002'
>>>>        Level: '2'
>>>>        Description: 'Unknown problem somewhere in the system.'
>>>> **Alert to be generated.
>>>>
>>>>
>>>> Rule 1002
>>>>
>>>> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>>>>
>>>> <rule id="1002" level="2">
>>>>   <match>$BAD_WORDS</match>
>>>>   <options>alert_by_email</options>
>>>>   <description>Unknown problem somewhere in the system.</description>
>>>> </rule>
>>>>
>>>> Since this rule is level 2 it's not going to trigger an active response, since your config said to alert only at level 5 or higher.
>>>>
>>>> More info here http://ossec-docs.readthedocs.org/en/latest/manual/ar/
>>>>
>>>> Looking into the Modsecurity rules, there are 2 under apache rules:
>>>>
>>>> <rule id="30200" level="6" noalert="1">
>>>>   <match>^mod_security-message: </match>
>>>>   <description>Modsecurity alert.</description>
>>>> </rule>
>>>>
>>>> <rule id="30201" level="6">
>>>>   <if_sid>30200</if_sid>
>>>>   <match>^mod_security-message: Access denied </match>
>>>>   <description>Modsecurity access denied.</description>
>>>>   <group>access_denied,</group>
>>>> </rule>
>>>>
>>>> But I think they need to be updated to "ModSecurity: Access denied" instead of "mod_security-message: Access denied".
>>>>
>>>> Do you have a raw log different from error? Is this a common modsec error log? Maybe we need to create a decoder for that.
>>>>
>>>> Hope it helps.
>>>>
>>>> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]> wrote:
>>>>>
>>>>> Hello Rodrigo,
>>>>> Thank you so much for answering me. So, some time ago I had an installation of ossec with the same configuration; ossec read the error.log of apache and blocked the attacks on iptables with the active response. I really don't know if something has changed in the last version of ossec, but it doesn't block any kind of attack (ssh brute force, http attacks, etc). Attached below are my ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
>>>>> When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received the following message:
>>>>>
>>>>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
>>>>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
>>>>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
>>>>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
>>>>>
>>>>> Report completed. ==
>>>>> ------------------------------------------------
>>>>> ->Processed alerts: 3940
>>>>> ->Post-filtering alerts: 3940
>>>>> ->First alert: 2015 Feb 09 01:03:00
>>>>> ->Last alert: 2015 Feb 09 01:03:01
>>>>>
>>>>>
>>>>> Top entries for 'Level':
>>>>> ------------------------------------------------
>>>>> Severity 6                                          |3864    |
>>>>> Severity 13                                         |76      |
>>>>>
>>>>>
>>>>> Top entries for 'Group':
>>>>> ------------------------------------------------
>>>>> errors                                              |3940    |
>>>>> syslog                                              |3940    |
>>>>>
>>>>> Top entries for 'Location':
>>>>> ------------------------------------------------
>>>>> ubuntu->stdin                                       |3940    |
>>>>>
>>>>>
>>>>> Top entries for 'Rule':
>>>>> ------------------------------------------------
>>>>> 1002 - Unknown problem somewhere in the system.     |3864    |
>>>>> 1003 - Non standard syslog message (size too large).|76      |
>>>>>
>>>>> Thank you for your help.
>>>>>
>>>>>
>>>>> On Sunday, February 8, 2015 at 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
>>>>>>
>>>>>> Hi Ricardo,
>>>>>>
>>>>>> I think modsec isn't apache format, could you share some alert samples from your log file?
>>>>>>
>>>>>> A good way to test if ossec will work with your log format is using logtest
>>>>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>>>>>>
>>>>>> About active-response, how is your ossec.conf configured? Could you share it? Anyway, OSSEC won't block any attack, it only takes some action on some attacks. Looking into /var/ossec/log/ you could see under the active-response log.
>>>>>>
>>>>>> Let me know if this helps.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi there guys,
>>>>>>> I'm facing a problem with ossec, I hope you can help me. I've configured my ossec to monitor apache's and modsecurity's logs in my chroot. I put the lines below in ossec.conf:
>>>>>>>
>>>>>>> <localfile>
>>>>>>>   <log_format>apache</log_format>
>>>>>>>   <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>>>>>>> </localfile>
>>>>>>>
>>>>>>> <localfile>
>>>>>>>   <log_format>apache</log_format>
>>>>>>>   <location>/var/chroot/var/log/apache2/error.log</location>
>>>>>>> </localfile>
>>>>>>>
>>>>>>> The problem is that ossec doesn't block any attack. I receive ossec's logs normally, but every log has the same ID, like this:
>>>>>>>
>>>>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>>>>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>>>>>>> Portion of the log(s):
>>>>>>>
>>>>>>> Thank you for your attention.
>>>>>>>
>>>>>>> --
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>> --
>>>>>> Rodrigo Montoro (Sp0oKeR)
>>>>>> http://spookerlabs.blogspot.com
>>>>>> http://www.twitter.com/spookerlabs
>>>>>> http://www.linkedin.com/in/spooker
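Rodrigo's reply quoted above explains why the ModSecurity line only reaches the catch-all rule 1002 (the $BAD_WORDS match on "error"/"denied") while rule 30200 anchors on a "mod_security-message: " prefix that the Apache 2.4 error-log layout never carries. The Python below is an added illustration, not code from the thread or from OSSEC: it replays both checks on a constructed line in that layout and extracts the fields a ModSecurity-specific decoder would hand to rules (the IP, hostname and unique_id are made up).

```python
import re

# Constructed sample in the Apache 2.4 / ModSecurity error-log layout quoted in the thread.
# IP, hostname and unique_id are made up; the CRS id and msg mirror the thread's line.
SAMPLE = ('[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 192.0.2.10] '
          'ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against '
          '"REQUEST_HEADERS:Content-Length" required. [line "84"] [id "960904"] '
          '[msg "Request Containing Content, but Missing Content-Type header"] '
          '[severity "NOTICE"] [hostname "www.example.org"] [uri "/nyet.gif"] '
          '[unique_id "CONSTRUCTED0001"]')

# $BAD_WORDS from syslog_rules.xml rule 1002, exactly as quoted in the thread.
BAD_WORDS = re.compile(r"core_dumped|failure|error|attack|bad |illegal |denied|refused|"
                       r"unauthorized|fatal|failed|Segmentation Fault|Corrupted")
# Prefix rule 30200 (as quoted) anchors on, versus what the Apache 2.4 line really starts with.
STOCK_30200 = re.compile(r"^mod_security-message: ")
MODSEC_24 = re.compile(r"^\[[^\]]+\] \[:error\] \[pid \d+\] \[client (?P<srcip>[\d.]+)\] "
                       r"ModSecurity: Access denied with code (?P<code>\d+)")
BRACKET_FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "960904"], [msg "..."], ...


def fires_rule_1002(line):
    """Catch-all rule 1002: any 'bad word' (here 'error' and 'denied') is enough."""
    return BAD_WORDS.search(line) is not None


def matches_stock_30200(line):
    """Rule 30200 as quoted never matches this layout, so 30201 and its group never fire."""
    return STOCK_30200.search(line) is not None


def decode_modsec(line):
    """Fields a ModSecurity-specific decoder would expose to rules (srcip, id, msg, uri)."""
    m = MODSEC_24.search(line)
    if m is None:
        return None
    fields = dict(BRACKET_FIELD.findall(line))
    return {"srcip": m["srcip"], "code": int(m["code"]), "id": fields.get("id"),
            "msg": fields.get("msg"), "hostname": fields.get("hostname"),
            "uri": fields.get("uri")}


if __name__ == "__main__":
    print("rule 1002 fires:", fires_rule_1002(SAMPLE))        # True
    print("stock 30200 fires:", matches_stock_30200(SAMPLE))  # False
    print("decoded:", decode_modsec(SAMPLE))
```

With srcip decoded, a rule built on this layout can use <same_source_ip/> with a frequency/timeframe the same way rule 31151 does for access.log 400s, instead of the level-2 catch-all that never reaches the active-response threshold.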
