On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <[email protected]> wrote:
> Hi Dan,
> The logs are in attach.
>
Ok, it looks like active response is being triggered by rule 31151:
Mon Feb 9 15:10:03 BRST 2015
/var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87
1423501803.36643 31151
Using ossec-logtest, and pasting the log message in a few times, does
trigger 31151:
172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
/wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
(Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
**Phase 1: Completed pre-decoding.
full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
/wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
(Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
hostname: 'arrakis'
program_name: '(null)'
log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET
/wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00
(Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '172.16.10.87'
url: '/wordpress/KwJ55hQv.asmx'
id: '403'
**Phase 3: Completed filtering (rules).
Rule id: '31151'
Level: '10'
Description: 'Multiple web server 400 error codes from same source ip.'
**Alert to be generated.
Since you didn't provide your AR configuration I'll have to assume
it's the default. Based on that, we get back to earlier questions:
Is ossec-execd running on the agent?
Is the firewall enabled on the system?
> Em segunda-feira, 9 de fevereiro de 2015 17:20:05 UTC-2, dan (ddpbsd)
> escreveu:
>>
>> On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <[email protected]>
>> wrote:
>> > Hi Dan,
>> > I see. As soon as I get home I'll send the log files. Do you want only
>> > the
>> > alert.log or something else?
>> >
>>
>> I'd love to see the apache log messages that work in OSSEC 2.7 but not in
>> 2.8.
>>
>> > Em segunda-feira, 9 de fevereiro de 2015 17:00:38 UTC-2, dan (ddpbsd)
>> > escreveu:
>> >>
>> >> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <[email protected]>
>> >> wrote:
>> >> > Hi guys,
>> >> > I made some tests here with ossec 2.7. When I try to scan the target,
>> >> > the
>> >> > modsec delivery a 403 error page, so, ossec read the apache
>> >> > access.log
>> >> > file
>> >> > and match the rule with ID 31151 from web_rules.xml and block the
>> >> > attacker's
>> >> > IP on iptables. Follow the rule below:
>> >> >
>> >> > <rule level="10" id="31151" timeframe="90" frequency="12">
>> >> > <if_matched_sid>31101</if_matched_sid>
>> >> > <same_source_ip/>
>> >> > <description>Multiple web server 400 error codes </description>
>> >> > <description>from same source ip.</description>
>> >> > <group>web_scan,recon,</group>
>> >> > </rule>
>> >> >
>> >> > The question is, why doesn't happen the same thing on ossec 2.8.1?
>> >> > There is some problem if I used the version 2.7?
>> >> >
>> >>
>> >> It's hard to tell without log samples.
>> >>
>> >> > Em segunda-feira, 9 de fevereiro de 2015 15:47:31 UTC-2, Ricardo
>> >> > Galossi
>> >> > escreveu:
>> >> >>
>> >> >> Hi Dan,
>> >> >> Thank you for your attention. I'm at work now, and I'm not able to
>> >> >> access
>> >> >> my VPS from here, but tonight when I leave the company I'll send you
>> >> >> the log
>> >> >> file.
>> >> >>
>> >> >> Em segunda-feira, 9 de fevereiro de 2015 15:42:46 UTC-2, dan
>> >> >> (ddpbsd)
>> >> >> escreveu:
>> >> >>>
>> >> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi
>> >> >>> <[email protected]> wrote:
>> >> >>> > Hi Rodrigo,
>> >> >>> > I've seen the file syslog_rules.xml to see the rule with ID 1002,
>> >> >>> > I
>> >> >>> > understood the rule perfectly. As you said I've changed the field
>> >> >>> > <match> of
>> >> >>> > rules with ID 30200 and 30201 for "ModSecurity: Access denied".
>> >> >>> > I've
>> >> >>> > also
>> >> >>> > changed the level of drop in my ossec.conf to level 2. Although,
>> >> >>> > unfortunately it doesn't solve my problem. It's like apache rules
>> >> >>> > doesn't
>> >> >>> > match with any log record, just the rule ID 1002 from
>> >> >>> > syslog_rules.
>> >> >>> >
>> >> >>>
>> >> >>> Can you provide a log sample?
>> >> >>>
>> >> >>>
>> >> >>> > On the other hand, I made a laboratory with ossec 2.7 and it
>> >> >>> > works
>> >> >>> > perfectly. I made a scan with Nikto and ossec blocked normally.
>> >> >>> >
>> >> >>> > Em segunda-feira, 9 de fevereiro de 2015 09:00:41 UTC-2, Rodrigo
>> >> >>> > Montoro
>> >> >>> > (Sp0oKeR) escreveu:
>> >> >>> >>
>> >> >>> >> Hi there!
>> >> >>> >>
>> >> >>> >> Rule 1002 is triggering because "error" word in the alert and
>> >> >>> >> no
>> >> >>> >> specific
>> >> >>> >> decoder for this alert
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> #./ossec-logtest
>> >> >>> >>
>> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder
>> >> >>> >> file.
>> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
>> >> >>> >> ossec-testrule: Type one log per line.
>> >> >>> >>
>> >> >>> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client
>> >> >>> >> 37.128.148.180] ModSecurity: Access denied with code 403 (phase
>> >> >>> >> 1).
>> >> >>> >> Match of
>> >> >>> >> "rx ^0$" against "REQUEST_HEADERS:Content-Length" required.
>> >> >>> >> [file
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing
>> >> >>> >> Content,
>> >> >>> >> but
>> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver
>> >> >>> >> "OWASP_CRS/2.2.9"]
>> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"]
>> >> >>> >> [uri
>> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> **Phase 1: Completed pre-decoding.
>> >> >>> >> full event: '[Mon Feb 09 00:11:26.954264 2015] [:error]
>> >> >>> >> [pid
>> >> >>> >> 4242]
>> >> >>> >> [client 37.128.148.180] ModSecurity: Access denied with code 403
>> >> >>> >> (phase 1).
>> >> >>> >> Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length"
>> >> >>> >> required.
>> >> >>> >> [file
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing
>> >> >>> >> Content,
>> >> >>> >> but
>> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver
>> >> >>> >> "OWASP_CRS/2.2.9"]
>> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"]
>> >> >>> >> [uri
>> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>> >> >>> >> hostname: 'spookerlabs'
>> >> >>> >> program_name: '(null)'
>> >> >>> >> log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid
>> >> >>> >> 4242]
>> >> >>> >> [client
>> >> >>> >> 37.128.148.180] ModSecurity: Access denied with code 403 (phase
>> >> >>> >> 1).
>> >> >>> >> Match of
>> >> >>> >> "rx ^0$" against "REQUEST_HEADERS:Content-Length" required.
>> >> >>> >> [file
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>> >> >>> >> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing
>> >> >>> >> Content,
>> >> >>> >> but
>> >> >>> >> Missing Content-Type header"] [severity "NOTICE"] [ver
>> >> >>> >> "OWASP_CRS/2.2.9"]
>> >> >>> >> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"]
>> >> >>> >> [uri
>> >> >>> >> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>> >> >>> >>
>> >> >>> >> **Phase 2: Completed decoding.
>> >> >>> >> No decoder matched.
>> >> >>> >>
>> >> >>> >> **Phase 3: Completed filtering (rules).
>> >> >>> >> Rule id: '1002'
>> >> >>> >> Level: '2'
>> >> >>> >> Description: 'Unknown problem somewhere in the system.'
>> >> >>> >> **Alert to be generated.
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> Rule 1002
>> >> >>> >>
>> >> >>> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad
>> >> >>> >> |illegal
>> >> >>> >> |denied|refused|unauthorized|fatal|failed|Segmentation
>> >> >>> >> Fault|Corrupted</var>
>> >> >>> >>
>> >> >>> >> <rule id="1002" level="2">
>> >> >>> >> <match>$BAD_WORDS</match>
>> >> >>> >> <options>alert_by_email</options>
>> >> >>> >> <description>Unknown problem somewhere in the
>> >> >>> >> system.</description>
>> >> >>> >> </rule>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> Since this rule is level 2 it's not going to trigger an active
>> >> >>> >> response
>> >> >>> >> since your config said to alert only level 5 or higher.
>> >> >>> >>
>> >> >>> >> More info here
>> >> >>> >> http://ossec-docs.readthedocs.org/en/latest/manual/ar/
>> >> >>> >>
>> >> >>> >> Looking into Modsecurity rules, there are 2 under apache rules
>> >> >>> >>
>> >> >>> >> <rule id="30200" level="6" noalert="1">
>> >> >>> >> <match>^mod_security-message: </match>
>> >> >>> >> <description>Modsecurity alert.</description>
>> >> >>> >> </rule>
>> >> >>> >>
>> >> >>> >> <rule id="30201" level="6">
>> >> >>> >> <if_sid>30200</if_sid>
>> >> >>> >> <match>^mod_security-message: Access denied </match>
>> >> >>> >> <description>Modsecurity access denied.</description>
>> >> >>> >> <group>access_denied,</group>
>> >> >>> >> </rule>
>> >> >>> >>
>> >> >>> >> But I think need to update to ModSecurity: Access denied instead
>> >> >>> >> of
>> >> >>> >> mod_security-message: Access denied.
>> >> >>> >>
>> >> >>> >> Do you have a raw log different from error ? is this a common
>> >> >>> >> modsec
>> >> >>> >> error
>> >> >>> >> log ? Maybe need to create a decoder for that.
>> >> >>> >>
>> >> >>> >> Hope it helps.
>> >> >>> >>
>> >> >>> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi
>> >> >>> >> <[email protected]>
>> >> >>> >> wrote:
>> >> >>> >>>
>> >> >>> >>> Hello Rodrigo,
>> >> >>> >>> Thank you so much for answer me. So, some time ago I've had an
>> >> >>> >>> installation of ossec with the same configuration, the ossec
>> >> >>> >>> read
>> >> >>> >>> the
>> >> >>> >>> error.log of apache and blocked the attacks on iptables with
>> >> >>> >>> the
>> >> >>> >>> active
>> >> >>> >>> response. I really don't know if something has changed in the
>> >> >>> >>> last
>> >> >>> >>> version
>> >> >>> >>> of ossec, but it does't block any kind of attack (ssh brute
>> >> >>> >>> force,
>> >> >>> >>> http
>> >> >>> >>> attacks, etc). Follow below in attach my ossec.conf and some
>> >> >>> >>> alerts
>> >> >>> >>> of
>> >> >>> >>> alert.conf. My active-responses.log is empty.
>> >> >>> >>> When I executed the command (cat
>> >> >>> >>> /var/chroot/var/log/apache2/error.log |
>> >> >>> >>> /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd)
>> >> >>> >>> I
>> >> >>> >>> received
>> >> >>> >>> the following message:
>> >> >>> >>>
>> >> >>> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
>> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder
>> >> >>> >>> file.
>> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
>> >> >>> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed.
>> >> >>> >>> Creating
>> >> >>> >>> output...
>> >> >>> >>>
>> >> >>> >>> Report completed. ==
>> >> >>> >>> ------------------------------------------------
>> >> >>> >>> ->Processed alerts: 3940
>> >> >>> >>> ->Post-filtering alerts: 3940
>> >> >>> >>> ->First alert: 2015 Feb 09 01:03:00
>> >> >>> >>> ->Last alert: 2015 Feb 09 01:03:01
>> >> >>> >>>
>> >> >>> >>>
>> >> >>> >>> Top entries for 'Level':
>> >> >>> >>> ------------------------------------------------
>> >> >>> >>> Severity 6
>> >> >>> >>> |3864 |
>> >> >>> >>> Severity 13
>> >> >>> >>> |76 |
>> >> >>> >>>
>> >> >>> >>>
>> >> >>> >>> Top entries for 'Group':
>> >> >>> >>> ------------------------------------------------
>> >> >>> >>> errors
>> >> >>> >>> |3940 |
>> >> >>> >>> syslog
>> >> >>> >>> |3940 |
>> >> >>> >>>
>> >> >>> >>> Top entries for 'Location':
>> >> >>> >>> ------------------------------------------------
>> >> >>> >>> ubuntu->stdin
>> >> >>> >>> |3940 |
>> >> >>> >>>
>> >> >>> >>>
>> >> >>> >>> Top entries for 'Rule':
>> >> >>> >>> ------------------------------------------------
>> >> >>> >>> 1002 - Unknown problem somewhere in the system.
>> >> >>> >>> |3864 |
>> >> >>> >>> 1003 - Non standard syslog message (size too large).
>> >> >>> >>> |76 |
>> >> >>> >>>
>> >> >>> >>> Thank you for your help.
>> >> >>> >>>
>> >> >>> >>>
>> >> >>> >>> Em domingo, 8 de fevereiro de 2015 22:25:22 UTC-2, Rodrigo
>> >> >>> >>> Montoro
>> >> >>> >>> (Sp0oKeR) escreveu:
>> >> >>> >>>>
>> >> >>> >>>> Hi Ricardo,
>> >> >>> >>>>
>> >> >>> >>>> I think modsec isn't apache format, could you share some alert
>> >> >>> >>>> samples
>> >> >>> >>>> from your log file ?
>> >> >>> >>>>
>> >> >>> >>>> A good way to test if ossec will work with your log format is
>> >> >>> >>>> using
>> >> >>> >>>> logtest
>> >> >>> >>>>
>> >> >>> >>>>
>> >> >>> >>>>
>> >> >>> >>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>> >> >>> >>>>
>> >> >>> >>>> About active-response, how is configured your ossec.conf ?
>> >> >>> >>>> could
>> >> >>> >>>> you
>> >> >>> >>>> share ? Anyway OSSEC won't block any attack, only take some
>> >> >>> >>>> action
>> >> >>> >>>> from some
>> >> >>> >>>> attack. Looking into /var/ossec/log/ you could see under
>> >> >>> >>>> active-response
>> >> >>> >>>> log.
>> >> >>> >>>>
>> >> >>> >>>> Let me know if this helps.
>> >> >>> >>>>
>> >> >>> >>>> Thanks
>> >> >>> >>>>
>> >> >>> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi
>> >> >>> >>>> <[email protected]>
>> >> >>> >>>> wrote:
>> >> >>> >>>>>
>> >> >>> >>>>> Hi there guys,
>> >> >>> >>>>> I'm facing a problem with ossec, I hope you can help me. I've
>> >> >>> >>>>> configured my ossec to monitoring apache and modsecurity's
>> >> >>> >>>>> log
>> >> >>> >>>>> of
>> >> >>> >>>>> my chroot.
>> >> >>> >>>>> I put the lines below on ossec.conf:
>> >> >>> >>>>>
>> >> >>> >>>>> <localfile>
>> >> >>> >>>>> <log_format>apache</log_format>
>> >> >>> >>>>>
>> >> >>> >>>>>
>> >> >>> >>>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>> >> >>> >>>>> </localfile>
>> >> >>> >>>>>
>> >> >>> >>>>> <localfile>
>> >> >>> >>>>> <log_format>apache</log_format>
>> >> >>> >>>>> <location>/var/chroot/var/log/apache2/error.log</location>
>> >> >>> >>>>> </localfile>
>> >> >>> >>>>>
>> >> >>> >>>>> The problem is that ossec doesn't block any attack. I
>> >> >>> >>>>> received
>> >> >>> >>>>> the
>> >> >>> >>>>> ossec's logs normally, but every log has the same ID, like
>> >> >>> >>>>> this:
>> >> >>> >>>>>
>> >> >>> >>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>> >> >>> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in
>> >> >>> >>>>> the
>> >> >>> >>>>> system."
>> >> >>> >>>>> Portion of the log(s):
>> >> >>> >>>>>
>> >> >>> >>>>> Thank you for your attention.
>> >> >>> >>>>>
>> >> >>> >>>>>
>> >> >>> >>>>> --
>> >> >>> >>>>>
>> >> >>> >>>>> ---
>> >> >>> >>>>> You received this message because you are subscribed to the
>> >> >>> >>>>> Google
>> >> >>> >>>>> Groups "ossec-list" group.
>> >> >>> >>>>> To unsubscribe from this group and stop receiving emails from
>> >> >>> >>>>> it,
>> >> >>> >>>>> send
>> >> >>> >>>>> an email to [email protected].
>> >> >>> >>>>> For more options, visit https://groups.google.com/d/optout.
>> >> >>> >>>>
>> >> >>> >>>>
>> >> >>> >>>>
>> >> >>> >>>>
>> >> >>> >>>> --
>> >> >>> >>>> Rodrigo Montoro (Sp0oKeR)
>> >> >>> >>>> http://spookerlabs.blogspot.com
>> >> >>> >>>> http://www.twitter.com/spookerlabs
>> >> >>> >>>> http://www.linkedin.com/in/spooker
>> >> >>> >>>
>> >> >>> >>> --
>> >> >>> >>>
>> >> >>> >>> ---
>> >> >>> >>> You received this message because you are subscribed to the
>> >> >>> >>> Google
>> >> >>> >>> Groups
>> >> >>> >>> "ossec-list" group.
>> >> >>> >>> To unsubscribe from this group and stop receiving emails from
>> >> >>> >>> it,
>> >> >>> >>> send an
>> >> >>> >>> email to [email protected].
>> >> >>> >>> For more options, visit https://groups.google.com/d/optout.
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> --
>> >> >>> >> Rodrigo Montoro (Sp0oKeR)
>> >> >>> >> http://spookerlabs.blogspot.com
>> >> >>> >> http://www.twitter.com/spookerlabs
>> >> >>> >> http://www.linkedin.com/in/spooker
>> >> >>> >
>> >> >>> > --
>> >> >>> >
>> >> >>> > ---
>> >> >>> > You received this message because you are subscribed to the
>> >> >>> > Google
>> >> >>> > Groups
>> >> >>> > "ossec-list" group.
>> >> >>> > To unsubscribe from this group and stop receiving emails from it,
>> >> >>> > send
>> >> >>> > an
>> >> >>> > email to [email protected].
>> >> >>> > For more options, visit https://groups.google.com/d/optout.
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
