Hi Dan, I see. As soon as I get home I'll send the log files. Do you want only the alert.log or something else?
On Monday, February 9, 2015 17:00:38 UTC-2, dan (ddpbsd) wrote:
>
> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <[email protected]> wrote:
> > Hi guys,
> > I made some tests here with ossec 2.7. When I try to scan the target, modsec delivers a 403 error page, so ossec reads the apache access.log file, matches the rule with ID 31151 from web_rules.xml and blocks the attacker's IP on iptables. The rule follows below:
> >
> > <rule level="10" id="31151" timeframe="90" frequency="12">
> >   <if_matched_sid>31101</if_matched_sid>
> >   <same_source_ip/>
> >   <description>Multiple web server 400 error codes </description>
> >   <description>from same source ip.</description>
> >   <group>web_scan,recon,</group>
> > </rule>
> >
> > The question is, why doesn't the same thing happen on ossec 2.8.1? Is there some problem if I use version 2.7?
> >
>
> It's hard to tell without log samples.
>
> > On Monday, February 9, 2015 15:47:31 UTC-2, Ricardo Galossi wrote:
> >>
> >> Hi Dan,
> >> Thank you for your attention. I'm at work now, and I'm not able to access my VPS from here, but tonight when I leave the company I'll send you the log file.
> >>
> >> On Monday, February 9, 2015 15:42:46 UTC-2, dan (ddpbsd) wrote:
> >>>
> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <[email protected]> wrote:
> >>> > Hi Rodrigo,
> >>> > I've looked at the file syslog_rules.xml to see the rule with ID 1002, and I understood the rule perfectly. As you said, I've changed the field <match> of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the level of drop in my ossec.conf to level 2. Unfortunately, it doesn't solve my problem. It's like the apache rules don't match any log record, just the rule ID 1002 from syslog_rules.
> >>> >
> >>>
> >>> Can you provide a log sample?
> >>>
> >>> > On the other hand, I made a laboratory with ossec 2.7 and it works perfectly. I made a scan with Nikto and ossec blocked it normally.
> >>> >
> >>> > On Monday, February 9, 2015 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> >>> >>
> >>> >> Hi there!
> >>> >>
> >>> >> Rule 1002 is triggering because of the "error" word in the alert and there is no specific decoder for this alert.
> >>> >>
> >>> >> #./ossec-logtest
> >>> >>
> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
> >>> >> ossec-testrule: Type one log per line.
> >>> >>
> >>> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
> >>> >>
> >>> >>
> >>> >> **Phase 1: Completed pre-decoding.
> >>> >>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >>> >>        hostname: 'spookerlabs'
> >>> >>        program_name: '(null)'
> >>> >>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >>> >>
> >>> >> **Phase 2: Completed decoding.
> >>> >>        No decoder matched.
> >>> >>
> >>> >> **Phase 3: Completed filtering (rules).
> >>> >>        Rule id: '1002'
> >>> >>        Level: '2'
> >>> >>        Description: 'Unknown problem somewhere in the system.'
> >>> >> **Alert to be generated.
> >>> >>
> >>> >>
> >>> >> Rule 1002
> >>> >>
> >>> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
> >>> >>
> >>> >> <rule id="1002" level="2">
> >>> >>   <match>$BAD_WORDS</match>
> >>> >>   <options>alert_by_email</options>
> >>> >>   <description>Unknown problem somewhere in the system.</description>
> >>> >> </rule>
> >>> >>
> >>> >> Since this rule is level 2 it's not going to trigger an active response, since your config said to alert only on level 5 or higher.
> >>> >>
> >>> >> More info here: http://ossec-docs.readthedocs.org/en/latest/manual/ar/
> >>> >>
> >>> >> Looking into the Modsecurity rules, there are 2 under the apache rules:
> >>> >>
> >>> >> <rule id="30200" level="6" noalert="1">
> >>> >>   <match>^mod_security-message: </match>
> >>> >>   <description>Modsecurity alert.</description>
> >>> >> </rule>
> >>> >>
> >>> >> <rule id="30201" level="6">
> >>> >>   <if_sid>30200</if_sid>
> >>> >>   <match>^mod_security-message: Access denied </match>
> >>> >>   <description>Modsecurity access denied.</description>
> >>> >>   <group>access_denied,</group>
> >>> >> </rule>
> >>> >>
> >>> >> But I think it needs to be updated to "ModSecurity: Access denied" instead of "mod_security-message: Access denied".
> >>> >>
> >>> >> Do you have a raw log different from error? Is this a common modsec error log? Maybe we need to create a decoder for that.
> >>> >>
> >>> >> Hope it helps.
> >>> >>
> >>> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]> wrote:
> >>> >>>
> >>> >>> Hello Rodrigo,
> >>> >>> Thank you so much for answering me. Some time ago I had an installation of ossec with the same configuration; ossec read the error.log of apache and blocked the attacks on iptables with the active response. I really don't know if something has changed in the last version of ossec, but it doesn't block any kind of attack (ssh brute force, http attacks, etc). Attached below are my ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
> >>> >>> When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received the following message:
> >>> >>>
> >>> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
> >>> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
> >>> >>>
> >>> >>> Report completed. ==
> >>> >>> ------------------------------------------------
> >>> >>> ->Processed alerts: 3940
> >>> >>> ->Post-filtering alerts: 3940
> >>> >>> ->First alert: 2015 Feb 09 01:03:00
> >>> >>> ->Last alert: 2015 Feb 09 01:03:01
> >>> >>>
> >>> >>>
> >>> >>> Top entries for 'Level':
> >>> >>> ------------------------------------------------
> >>> >>> Severity 6                                      |3864      |
> >>> >>> Severity 13                                     |76        |
> >>> >>>
> >>> >>>
> >>> >>> Top entries for 'Group':
> >>> >>> ------------------------------------------------
> >>> >>> errors                                          |3940      |
> >>> >>> syslog                                          |3940      |
> >>> >>>
> >>> >>> Top entries for 'Location':
> >>> >>> ------------------------------------------------
> >>> >>> ubuntu->stdin                                   |3940      |
> >>> >>>
> >>> >>>
> >>> >>> Top entries for 'Rule':
> >>> >>> ------------------------------------------------
> >>> >>> 1002 - Unknown problem somewhere in the system. |3864      |
> >>> >>> 1003 - Non standard syslog message (size too large). |76        |
> >>> >>>
> >>> >>> Thank you for your help.
> >>> >>>
> >>> >>>
> >>> >>> On Sunday, February 8, 2015 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> >>> >>>>
> >>> >>>> Hi Ricardo,
> >>> >>>>
> >>> >>>> I think modsec isn't apache format; could you share some alert samples from your log file?
> >>> >>>>
> >>> >>>> A good way to test if ossec will work with your log format is using logtest:
> >>> >>>>
> >>> >>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
> >>> >>>>
> >>> >>>> About active-response, how is your ossec.conf configured? Could you share it? Anyway, OSSEC won't block any attack, it only takes some action on some attacks. Looking into /var/ossec/log/ you could see the active-response log.
> >>> >>>>
> >>> >>>> Let me know if this helps.
> >>> >>>>
> >>> >>>> Thanks
> >>> >>>>
> >>> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
> >>> >>>>>
> >>> >>>>> Hi there guys,
> >>> >>>>> I'm facing a problem with ossec, I hope you can help me. I've configured my ossec to monitor the apache and modsecurity logs of my chroot.
> >>> >>>>> I put the lines below in ossec.conf:
> >>> >>>>>
> >>> >>>>> <localfile>
> >>> >>>>>   <log_format>apache</log_format>
> >>> >>>>>   <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
> >>> >>>>> </localfile>
> >>> >>>>>
> >>> >>>>> <localfile>
> >>> >>>>>   <log_format>apache</log_format>
> >>> >>>>>   <location>/var/chroot/var/log/apache2/error.log</location>
> >>> >>>>> </localfile>
> >>> >>>>>
> >>> >>>>> The problem is that ossec doesn't block any attack. I receive ossec's logs normally, but every log has the same ID, like this:
> >>> >>>>>
> >>> >>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
> >>> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
> >>> >>>>> Portion of the log(s):
> >>> >>>>>
> >>> >>>>> Thank you for your attention.
> >>> >>>>
> >>> >>>> --
> >>> >>>> Rodrigo Montoro (Sp0oKeR)
> >>> >>>> http://spookerlabs.blogspot.com
> >>> >>>> http://www.twitter.com/spookerlabs
> >>> >>>> http://www.linkedin.com/in/spooker

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
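The thread's logtest run shows the Apache 2.4 error.log line reaching "No decoder matched" and falling through to rule 1002, while rules 30200/30201 expect the older "mod_security-message:" prefix. The following decoder and rule pair is an added example, not OSSEC's shipped decoder.xml or apache_rules.xml and not something posted in the thread: it decodes the quoted line so that srcip is set, then reuses the frequency/timeframe/same_source_ip pattern of rule 31151. The decoder names, the rule ids 100200/100201 (local range) and the assumption that the active-response level threshold in ossec.conf is at or below 10 are all mine.

```xml
<!-- /var/ossec/etc/local_decoder.xml (constructed example, not the stock decoder).
     Target line, as quoted in the thread:
     [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180]
     ModSecurity: Access denied with code 403 (phase 1). ... [id "960904"] ... -->
<decoder name="modsec-errorlog">
  <prematch>ModSecurity: Access denied with code </prematch>
</decoder>

<decoder name="modsec-errorlog-fields">
  <parent>modsec-errorlog</parent>
  <prematch>[client </prematch>
  <!-- OSSES regex syntax: \d+ digits, '.' and ']' are literal; srcip is what
       <same_source_ip/> and the firewall-drop active response key on. -->
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)] ModSecurity: Access denied with code (\d+) </regex>
  <order>srcip, status</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml (constructed example; ids 100200/100201 assumed).
     100200 mirrors the thread's 30201 (single denial, level 6);
     100201 mirrors 31151: 12 hits in 90 s from one source ip, level 10. -->
<group name="apache,modsecurity,">
  <rule id="100200" level="6">
    <decoded_as>modsec-errorlog</decoded_as>
    <description>ModSecurity access denied (Apache 2.4 error.log format).</description>
    <group>access_denied,</group>
  </rule>

  <rule id="100201" level="10" frequency="12" timeframe="90">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip/>
    <description>Multiple ModSecurity denials from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>
</group>
```

Paste the quoted error.log line into /var/ossec/bin/ossec-logtest after restarting OSSEC: Phase 2 should now name the decoder and print srcip, and Phase 3 should report rule 100200 instead of 1002.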
