Apache 2.4 style log messages are only supported in the master branch on
github.com/ossec/ossec-hids or the upcoming 2.9 release.

It would be nice if you could provide some log messages of ModSecurity
so we can try this out in the dev version.

Regards
Christian

On 12.02.2015 at 00:03, Ricardo Galossi wrote:
> Hi Dan,
> I'm so sorry for my delay, I was really busy yesterday. So, I've
> attached the output of ossec-logtest for both versions of ossec, 2.7 and
> 2.8.1. Version 2.8.1 doesn't match any of the high-level rules. I'm a
> beginner ossec user, but I've taken a look at the decoder.xml file and have
> a doubt about the apache decoder. The log example of this decoder is "[error]
> [client 64.94.163.159] Client sent malformed Host header"; however, this
> style of log is from apache 2.2. On the other hand, the new version of
> apache, 2.4, has a different log style, for example "[:error] [pid 6629]
> [client 172.16.10.57] ModSecurity: Warning. Operator EQ matched 0 at
> REQUEST_HEADERS". I don't understand decoders very well, so I don't
> know if it could influence the matching of the rule.
> 
> Thank you so much for helping me.
> 
> On Tuesday, 10 February 2015 10:24:14 UTC-2, dan (ddpbsd) wrote:
> 
>     On Mon, Feb 9, 2015 at 3:42 PM, Ricardo Galossi <[email protected]> wrote:
>     > Hi Dan,
>     > I installed ossec as "local". Yeah, the AR configuration is default. The
>     > daemon ossec-execd is running normally and the firewall is enabled. I made
>     > tests with both versions of ossec, 2.7 and 2.8.1, within the same VPS.
>     > However, only version 2.7 blocks the attacker based on rule ID 31151.
>     >
>     > If you want I can send you the logs of ossec 2.8.1.
>     >
>     > Thank you for your attention.
>     >
> 
>     Run ossec-logtest, and paste the log message I used in it multiple
>     times. Let's see if 31151 or whatever fires (and see if the output
>     differs from what I saw with post 2.8.1).
>     I'm hoping to have a chance to try active responses tonight.
> 
> 
>     > On Monday, 9 February 2015 18:23:09 UTC-2, dan (ddpbsd) wrote:
>     >>
>     >> On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <[email protected]> wrote:
>     >> > Hi Dan,
>     >> > The logs are attached.
>     >> >
>     >>
>     >> Ok, it looks like active response is being triggered by rule 31151:
>     >> Mon Feb  9 15:10:03 BRST 2015
>     >> /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87 1423501803.36643 31151
>     >>
>     >> Using ossec-logtest, and pasting the log message in a few times, does
>     >> trigger 31151:
>     >> 172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
>     >>
>     >>
>     >> **Phase 1: Completed pre-decoding.
>     >>        full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>     >>        hostname: 'arrakis'
>     >>        program_name: '(null)'
>     >>        log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>     >>
>     >> **Phase 2: Completed decoding.
>     >>        decoder: 'web-accesslog'
>     >>        srcip: '172.16.10.87'
>     >>        url: '/wordpress/KwJ55hQv.asmx'
>     >>        id: '403'
>     >>
>     >> **Phase 3: Completed filtering (rules).
>     >>        Rule id: '31151'
>     >>        Level: '10'
>     >>        Description: 'Multiple web server 400 error codes from same source ip.'
>     >> **Alert to be generated.
>     >>
>     >> Since you didn't provide your AR configuration I'll have to assume
>     >> it's the default. Based on that, we get back to earlier questions:
>     >> Is ossec-execd running on the agent?
>     >> Is the firewall enabled on the system?
>     >>
>     >>
>     >> > On Monday, 9 February 2015 17:20:05 UTC-2, dan (ddpbsd) wrote:
>     >> >>
>     >> >> On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <[email protected]> wrote:
>     >> >> > Hi Dan,
>     >> >> > I see. As soon as I get home I'll send the log files. Do you want
>     >> >> > only the alert.log or something else?
>     >> >> >
>     >> >>
>     >> >> I'd love to see the apache log messages that work in OSSEC 2.7 but not
>     >> >> in 2.8.
>     >> >>
>     >> >>
>     >> >> > On Monday, 9 February 2015 17:00:38 UTC-2, dan (ddpbsd) wrote:
>     >> >> >>
>     >> >> >> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <[email protected]> wrote:
>     >> >> >> > Hi guys,
>     >> >> >> > I made some tests here with ossec 2.7. When I try to scan the target,
>     >> >> >> > modsec delivers a 403 error page, so ossec reads the apache access.log
>     >> >> >> > file, matches the rule with ID 31151 from web_rules.xml and blocks the
>     >> >> >> > attacker's IP in iptables. The rule follows below:
>     >> >> >> >
>     >> >> >> > <rule level="10" id="31151" timeframe="90" frequency="12">
>     >> >> >> > <if_matched_sid>31101</if_matched_sid>
>     >> >> >> > <same_source_ip/>
>     >> >> >> > <description>Multiple web server 400 error codes </description>
>     >> >> >> > <description>from same source ip.</description>
>     >> >> >> > <group>web_scan,recon,</group>
>     >> >> >> > </rule>
>     >> >> >> >
>     >> >> >> > The question is, why doesn't the same thing happen on ossec 2.8.1?
>     >> >> >> > Is there some problem if I use version 2.7?
>     >> >> >> >
>     >> >> >>
>     >> >> >> It's hard to tell without log samples.
>     >> >> >>
>     >> >> >>
>     >> >> >> > On Monday, 9 February 2015 15:47:31 UTC-2, Ricardo Galossi wrote:
>     >> >> >> >>
>     >> >> >> >> Hi Dan,
>     >> >> >> >> Thank you for your attention. I'm at work now, and I'm not able to
>     >> >> >> >> access my VPS from here, but tonight when I leave the company I'll
>     >> >> >> >> send you the log file.
>     >> >> >> >>
>     >> >> >> >> On Monday, 9 February 2015 15:42:46 UTC-2, dan (ddpbsd) wrote:
>     >> >> >> >>>
>     >> >> >> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <[email protected]> wrote:
>     >> >> >> >>> > Hi Rodrigo,
>     >> >> >> >>> > I've looked at the file syslog_rules.xml to see the rule with ID 1002,
>     >> >> >> >>> > and I understood the rule perfectly. As you said, I've changed the
>     >> >> >> >>> > <match> field of the rules with ID 30200 and 30201 to "ModSecurity: Access
>     >> >> >> >>> > denied". I've also changed the level of drop in my ossec.conf to level 2.
>     >> >> >> >>> > Although, unfortunately, it doesn't solve my problem. It's like the
>     >> >> >> >>> > apache rules don't match any log record, just the rule ID 1002 from
>     >> >> >> >>> > syslog_rules.
>     >> >> >> >>> >
>     >> >> >> >>>
>     >> >> >> >>> Can you provide a log sample?
>     >> >> >> >>>
>     >> >> >> >>>
>     >> >> >> >>> > On the other hand, I made a laboratory with ossec 2.7 and it works
>     >> >> >> >>> > perfectly. I made a scan with Nikto and ossec blocked it normally.
>     >> >> >> >>> >
>     >> >> >> >>> > On Monday, 9 February 2015 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
>     >> >> >> >>> >>
>     >> >> >> >>> >> Hi there!
>     >> >> >> >>> >>
>     >> >> >> >>> >> Rule 1002 is triggering because of the "error" word in the alert and
>     >> >> >> >>> >> no specific decoder for this alert
>     >> >> >> >>> >>
>     >> >> >> >>> >>
>     >> >> >> >>> >> #./ossec-logtest
>     >> >> >> >>> >>
>     >> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
>     >> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
>     >> >> >> >>> >> ossec-testrule: Type one log per line.
>     >> >> >> >>> >>
>     >> >> >> >>> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
>     >> >> >> >>> >>
>     >> >> >> >>> >>
>     >> >> >> >>> >> **Phase 1: Completed pre-decoding.
>     >> >> >> >>> >>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>     >> >> >> >>> >>        hostname: 'spookerlabs'
>     >> >> >> >>> >>        program_name: '(null)'
>     >> >> >> >>> >>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>     >> >> >> >>> >>
>     >> >> >> >>> >> **Phase 2: Completed decoding.
>     >> >> >> >>> >>        No decoder matched.
>     >> >> >> >>> >>
>     >> >> >> >>> >> **Phase 3: Completed filtering (rules).
>     >> >> >> >>> >>        Rule id: '1002'
>     >> >> >> >>> >>        Level: '2'
>     >> >> >> >>> >>        Description: 'Unknown problem somewhere in the system.'
>     >> >> >> >>> >> **Alert to be generated.
>     >> >> >> >>> >>
>     >> >> >> >>> >>
>     >> >> >> >>> >> Rule 1002
>     >> >> >> >>> >>
>     >> >> >> >>> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>     >> >> >> >>> >>
>     >> >> >> >>> >>   <rule id="1002" level="2">
>     >> >> >> >>> >>     <match>$BAD_WORDS</match>
>     >> >> >> >>> >>     <options>alert_by_email</options>
>     >> >> >> >>> >>     <description>Unknown problem somewhere in the system.</description>
>     >> >> >> >>> >>   </rule>
>     >> >> >> >>> >>
>     >> >> >> >>> >>
>     >> >> >> >>> >> Since this rule is level 2 it's not going to trigger an active
>     >> >> >> >>> >> response since your config said to alert only level 5 or higher.
>     >> >> >> >>> >>
>     >> >> >> >>> >> More info here
>     >> >> >> >>> >> http://ossec-docs.readthedocs.org/en/latest/manual/ar/
>     >> >> >> >>> >>
>     >> >> >> >>> >> Looking into Modsecurity rules, there are 2 under apache rules
>     >> >> >> >>> >>
>     >> >> >> >>> >>  <rule id="30200" level="6" noalert="1">
>     >> >> >> >>> >>     <match>^mod_security-message: </match>
>     >> >> >> >>> >>     <description>Modsecurity alert.</description>
>     >> >> >> >>> >>   </rule>
>     >> >> >> >>> >>
>     >> >> >> >>> >>   <rule id="30201" level="6">
>     >> >> >> >>> >>     <if_sid>30200</if_sid>
>     >> >> >> >>> >>     <match>^mod_security-message: Access denied</match>
>     >> >> >> >>> >>     <description>Modsecurity access denied.</description>
>     >> >> >> >>> >>     <group>access_denied,</group>
>     >> >> >> >>> >>   </rule>
>     >> >> >> >>> >>
>     >> >> >> >>> >> But I think it needs to be updated to "ModSecurity: Access denied"
>     >> >> >> >>> >> instead of "mod_security-message: Access denied".
>     >> >> >> >>> >>
>     >> >> >> >>> >> Do you have a raw log different from error? Is this a common modsec
>     >> >> >> >>> >> error log? Maybe we need to create a decoder for that.
>     >> >> >> >>> >>
>     >> >> >> >>> >> Hope it helps.
>     >> >> >> >>> >>
>     >> >> >> >>> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]> wrote:
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Hello Rodrigo,
>     >> >> >> >>> >>> Thank you so much for answering me. So, some time ago I had an
>     >> >> >> >>> >>> installation of ossec with the same configuration; ossec read the
>     >> >> >> >>> >>> error.log of apache and blocked the attacks in iptables with the active
>     >> >> >> >>> >>> response. I really don't know if something has changed in the last
>     >> >> >> >>> >>> version of ossec, but it doesn't block any kind of attack (ssh brute
>     >> >> >> >>> >>> force, http attacks, etc). Attached below are my ossec.conf and some
>     >> >> >> >>> >>> alerts from alert.conf. My active-responses.log is empty.
>     >> >> >> >>> >>> When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd)
>     >> >> >> >>> >>> I received the following message:
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
>     >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
>     >> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
>     >> >> >> >>> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Report completed. ==
>     >> >> >> >>> >>> ------------------------------------------------
>     >> >> >> >>> >>> ->Processed alerts: 3940
>     >> >> >> >>> >>> ->Post-filtering alerts: 3940
>     >> >> >> >>> >>> ->First alert: 2015 Feb 09 01:03:00
>     >> >> >> >>> >>> ->Last alert: 2015 Feb 09 01:03:01
>     >> >> >> >>> >>>
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Top entries for 'Level':
>     >> >> >> >>> >>> ------------------------------------------------
>     >> >> >> >>> >>> Severity 6
>     >> >> >> >>> >>> |3864    |
>     >> >> >> >>> >>> Severity 13
>     >> >> >> >>> >>> |76      |
>     >> >> >> >>> >>>
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Top entries for 'Group':
>     >> >> >> >>> >>> ------------------------------------------------
>     >> >> >> >>> >>> errors
>     >> >> >> >>> >>> |3940    |
>     >> >> >> >>> >>> syslog
>     >> >> >> >>> >>> |3940    |
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Top entries for 'Location':
>     >> >> >> >>> >>> ------------------------------------------------
>     >> >> >> >>> >>> ubuntu->stdin
>     >> >> >> >>> >>> |3940    |
>     >> >> >> >>> >>>
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Top entries for 'Rule':
>     >> >> >> >>> >>> ------------------------------------------------
>     >> >> >> >>> >>> 1002 - Unknown problem somewhere in the system.
>     >> >> >> >>> >>> |3864    |
>     >> >> >> >>> >>> 1003 - Non standard syslog message (size too large).
>     >> >> >> >>> >>> |76      |
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> Thank you for your help.
>     >> >> >> >>> >>>
>     >> >> >> >>> >>>
>     >> >> >> >>> >>> On Sunday, 8 February 2015 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> Hi Ricardo,
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> I think modsec isn't apache format, could you share some alert
>     >> >> >> >>> >>>> samples from your log file?
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> A good way to test if ossec will work with your log format is
>     >> >> >> >>> >>>> using logtest
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> About active-response, how is your ossec.conf configured? Could you
>     >> >> >> >>> >>>> share it? Anyway OSSEC won't block any attack, only take some action
>     >> >> >> >>> >>>> on some attack. Looking into /var/ossec/log/ you could see the
>     >> >> >> >>> >>>> active-response log.
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> Let me know if this helps.
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> Thanks
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> Hi there guys,
>     >> >> >> >>> >>>>> I'm facing a problem with ossec, I hope you can help me. I've
>     >> >> >> >>> >>>>> configured my ossec to monitor the apache and modsecurity logs of
>     >> >> >> >>> >>>>> my chroot.
>     >> >> >> >>> >>>>> I put the lines below in ossec.conf:
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> <localfile>
>     >> >> >> >>> >>>>> <log_format>apache</log_format>
>     >> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>     >> >> >> >>> >>>>> </localfile>
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> <localfile>
>     >> >> >> >>> >>>>> <log_format>apache</log_format>
>     >> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/error.log</location>
>     >> >> >> >>> >>>>> </localfile>
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> The problem is that ossec doesn't block any attack. I receive
>     >> >> >> >>> >>>>> ossec's logs normally, but every log has the same ID, like this:
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>     >> >> >> >>> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>     >> >> >> >>> >>>>> Portion of the log(s):
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> Thank you for your attention.
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> --
>     >> >> >> >>> >>>>>
>     >> >> >> >>> >>>>> ---
>     >> >> >> >>> >>>>> You received this message because you are subscribed to the Google
>     >> >> >> >>> >>>>> Groups "ossec-list" group.
>     >> >> >> >>> >>>>> To unsubscribe from this group and stop receiving emails from it, send
>     >> >> >> >>> >>>>> an email to [email protected].
>     >> >> >> >>> >>>>> For more options, visit https://groups.google.com/d/optout.
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>>
>     >> >> >> >>> >>>> --
>     >> >> >> >>> >>>> Rodrigo Montoro (Sp0oKeR)
>     >> >> >> >>> >>>> http://spookerlabs.blogspot.com
>     >> >> >> >>> >>>> http://www.twitter.com/spookerlabs
>     >> >> >> >>> >>>> http://www.linkedin.com/in/spooker
>     >> >> >> >>> >>>
>     >> >> >> >>> >> --
>     >> >> >> >>> >> Rodrigo Montoro (Sp0oKeR)
>     >> >> >> >>> >> http://spookerlabs.blogspot.com
>     >> >> >> >>> >> http://www.twitter.com/spookerlabs
>     >> >> >> >>> >> http://www.linkedin.com/in/spooker
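Added example, not from the thread and not OSSEC's own code: a small Python model of the two mechanisms this thread turns on, so both can be checked offline. First, decoding: a regex in the shape of the stock Apache 2.2 error-log decoder ("[error] [client IP] ...") does not match the Apache 2.4 line Rodrigo pasted, where a timestamp, "[:error]" and "[pid N]" come first, so no srcip is extracted and only the keyword rule 1002 fires; a second pattern written for the 2.4 layout does extract it, and the stock 30201 prefix "mod_security-message: Access denied" is compared against the "ModSecurity: Access denied" prefix Rodrigo suggested. Second, correlation: rule 31151 as quoted (if_matched_sid 31101, frequency 12, timeframe 90, same_source_ip) is modelled as a per-source-IP sliding window. The sample lines are abridged from the thread; the rule id 100200 and its 5-in-60-seconds threshold are assumptions, and the rule semantics are simplified as noted in the comments.

```python
"""Toy model of OSSEC's decode-then-correlate pipeline, written for this thread.

Not OSSEC code: Python regexes stand in for the XML decoders in decoder.xml, and
the rule semantics are simplified (see comments). Sample lines are abridged from
the thread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Decoders are tried in order; the first regex that matches names the decoder
# and yields the fields (srcip, id, url, msg) that rules key on.
DECODERS = [
    # NCSA combined access log, as handled by the stock "web-accesslog" decoder.
    ("web-accesslog", re.compile(
        r'^(?P<srcip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) ')),
    # Apache 2.2 error log: "[error] [client IP] message" (leading timestamp optional).
    ("apache-errorlog", re.compile(
        r'^(?:\[[^\]]+\] )?\[(?P<level>warn|notice|error)\] \[client (?P<srcip>[\d.]+)\] (?P<msg>.*)$')),
    # Apache 2.4 error log: "[timestamp] [module:level] [pid N(:tid N)] [client IP(:port)] message".
    # Timestamp optional because a syslog relay strips it (the thread shows both forms).
    ("apache-errorlog-2.4", re.compile(
        r'^(?:\[[^\]]+\] )?\[[\w-]*:(?P<level>warn|notice|error)\] \[pid \d+(?::tid \d+)?\] '
        r'\[client (?P<srcip>[\d.]+)(?::\d+)?\] (?P<msg>.*)$')),
]

def decode(line):
    """Return {'decoder': name, ...fields} for the first matching decoder, else {'decoder': None}."""
    for name, rx in DECODERS:
        m = rx.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["decoder"] = name
            return fields
    return {"decoder": None}

# Stock rule 30201 keys on the old mod_security message prefix; the ModSecurity 2.x
# line posted in the thread starts with "ModSecurity: ", so the stock match never fires.
STOCK_30201_PREFIX = "mod_security-message: Access denied"
UPDATED_30201_PREFIX = "ModSecurity: Access denied"

def modsec_denied(fields, prefix=UPDATED_30201_PREFIX):
    return (fields["decoder"] in ("apache-errorlog", "apache-errorlog-2.4")
            and fields["msg"].startswith(prefix))

# Atomic rules: (id, level, predicate). 31101 is the stock "web server 400 error code" rule.
ATOMIC_RULES = [
    ("31101", 5, lambda f: f["decoder"] == "web-accesslog" and f["id"].startswith("4")),
    ("30201", 6, modsec_denied),
]
# Composite rules: (id, level, if_matched_sid, frequency, timeframe in seconds).
# 31151 is the stock rule quoted in the thread; 100200 is an assumed local rule.
COMPOSITE_RULES = [
    ("31151", 10, "31101", 12, 90),
    ("100200", 10, "30201", 5, 60),
]

class Engine:
    """Keeps the per-(rule, srcip) history that same_source_ip correlation needs."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def process(self, line, now):
        """Return ((rule_id, level) or None, decoded fields) for one line.

        Like analysisd, the window is measured by processing time, not by the
        timestamp inside the line. Simplification: fires at exactly `frequency`
        events and then resets; OSSEC's own counting differs slightly.
        """
        fields = decode(line)
        fired = next(((rid, lvl) for rid, lvl, pred in ATOMIC_RULES if pred(fields)), None)
        if fired is None or "srcip" not in fields:
            return fired, fields
        for crid, clvl, parent, freq, window in COMPOSITE_RULES:
            if parent != fired[0]:
                continue
            q = self.hits[(crid, fields["srcip"])]
            q.append(now)
            while now - q[0] > timedelta(seconds=window):
                q.popleft()
            if len(q) >= freq:
                q.clear()
                fired = (crid, clvl)
        return fired, fields

def run(events):
    """Feed (seconds_offset, line) pairs through one Engine; return what fired per line."""
    eng, t0 = Engine(), datetime(2015, 2, 9, 15, 10, 3)
    return [eng.process(line, t0 + timedelta(seconds=off))[0] for off, line in events]

# Sample lines, abridged from the thread.
ACCESS_403 = ('172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx '
              'HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"')
APACHE22_ERROR = "[error] [client 64.94.163.159] Client sent malformed Host header"
APACHE24_MODSEC = ('[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] '
                   'ModSecurity: Access denied with code 403 (phase 1). [id "960904"] [uri "/nyet.gif"]')
APACHE24_NO_TS = "[:error] [pid 6629] [client 172.16.10.57] ModSecurity: Warning. Operator EQ matched 0"

if __name__ == "__main__":
    for line in (APACHE22_ERROR, APACHE24_MODSEC, APACHE24_NO_TS):
        print(decode(line)["decoder"], decode(line).get("srcip"))
    print(run([(i, ACCESS_403) for i in range(12)])[-1])       # 12 hits in 11 s: 31151 fires
    print(run([(i * 20, ACCESS_403) for i in range(12)])[-1])  # same hits over 220 s: stays 31101
```

Run it as a script to see the decoder results and the burst-versus-spread outcome for 31151. The model only reproduces the shape of the problem; the authoritative check for any real line is still ossec-logtest against the decoders and rules actually installed, as Rodrigo and dan did in the thread.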