I took a look at the file you sent. As far as I am aware, ossec does not understand the modsec_audit log format, mainly because it is a multiline log. This seemed to work for you in 2.7 because some of the lines also match the apache decoder and rule 31101, thus triggering an AR. But this was sheer coincidence and not intended behavior.
You should configure modsecurity to also print log messages to the apache error log and monitor this with ossec. There is a good chance that the apache decoder can also read modsecurity related lines in there. Ossec basically needs a single line that has the information to identify a threat and block the attacker. With the modsec_audit log this is not possible.

Regards
Christian

On 16.02.2015 at 06:04, Ricardo Galossi wrote:
> Hi Christian,
> Thanks for answering me, I've attached ModSecurity's log. I've tried to use ossec 2.8, but it does not work; it only alerts on rule ID 1002 (syslog_rules). For now I'm using ossec 2.7, because this version matches rule ID 31151: when someone tries attacking the site, modsec blocks his request and ossec blocks his IP by matching rule ID 31151.
>
> On Thursday, 12 February 2015 06:54:57 UTC-2, ChristianB wrote:
> > Apache 2.4 style log messages are only supported in the master branch on github.com/ossec/ossec-hids or the upcoming 2.9 release.
> >
> > It would be nice if you could provide some log messages of ModSecurity so we can try this out in the dev version.
> >
> > Regards
> > Christian
> >
> > On 12.02.2015 at 00:03, Ricardo Galossi wrote:
> > > Hi Dan,
> > > I'm so sorry for my delay, I was really busy yesterday. So, I've attached the ossec-logtest output for both versions of ossec, 2.7 and 2.8.1. Version 2.8.1 doesn't match any of the high level rules. I'm a beginner ossec user, but I've taken a look at the decoder.xml file and have a doubt about the apache decoder. The log example of this decoder is "[error] [client 64.94.163.159] Client sent malformed Host header"; however, this log style is from apache 2.2. On the other hand, the new version of apache, 2.4, has a different log style, for example "[:error] [pid 6629] [client 172.16.10.57] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS". I don't understand too much about decoders, and because of that I don't know if it could influence the matching of the rule.
> > >
> > > Thank you so much for helping me.
> > >
> > > On Tuesday, 10 February 2015 10:24:14 UTC-2, dan (ddpbsd) wrote:
> > > > On Mon, Feb 9, 2015 at 3:42 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > Hi Dan,
> > > > > I installed ossec as "local". Yeah, the AR configuration is default. The daemon ossec-execd is running normally and the firewall is enabled. I made tests with both versions of ossec, 2.7 and 2.8.1, within the same VPS. However, only version 2.7 blocks the attacker based on rule ID 31151.
> > > > >
> > > > > If you want I can send you the logs of ossec 2.8.1.
> > > > >
> > > > > Thank you for your attention.
> > > >
> > > > Run ossec-logtest, and paste the log message I used in it multiple times. Let's see if 31151 or whatever fires (and see if the output differs from what I saw with post 2.8.1).
> > > > I'm hoping to have a chance to try active responses tonight.
> > > >
> > > > > On Monday, 9 February 2015 18:23:09 UTC-2, dan (ddpbsd) wrote:
> > > > > > On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > Hi Dan,
> > > > > > > The logs are attached.
> > > > > >
> > > > > > Ok, it looks like active response is being triggered by rule 31151:
> > > > > > Mon Feb 9 15:10:03 BRST 2015 /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87 1423501803.36643 31151
> > > > > >
> > > > > > Using ossec-logtest, and pasting the log message in a few times, does trigger 31151:
> > > > > > 172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
> > > > > >
> > > > > > **Phase 1: Completed pre-decoding.
> > > > > >        full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
> > > > > >        hostname: 'arrakis'
> > > > > >        program_name: '(null)'
> > > > > >        log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
> > > > > >
> > > > > > **Phase 2: Completed decoding.
> > > > > >        decoder: 'web-accesslog'
> > > > > >        srcip: '172.16.10.87'
> > > > > >        url: '/wordpress/KwJ55hQv.asmx'
> > > > > >        id: '403'
> > > > > >
> > > > > > **Phase 3: Completed filtering (rules).
> > > > > >        Rule id: '31151'
> > > > > >        Level: '10'
> > > > > >        Description: 'Multiple web server 400 error codes from same source ip.'
> > > > > > **Alert to be generated.
> > > > > >
> > > > > > Since you didn't provide your AR configuration I'll have to assume it's the default. Based on that, we get back to earlier questions:
> > > > > > Is ossec-execd running on the agent?
> > > > > > Is the firewall enabled on the system?
> > > > > >
> > > > > > > On Monday, 9 February 2015 17:20:05 UTC-2, dan (ddpbsd) wrote:
> > > > > > > > On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > > > Hi Dan,
> > > > > > > > > I see. As soon as I get home I'll send the log files. Do you want only the alert.log or something else?
> > > > > > > >
> > > > > > > > I'd love to see the apache log messages that work in OSSEC 2.7 but not in 2.8.
> > > > > > > >
> > > > > > > > > On Monday, 9 February 2015 17:00:38 UTC-2, dan (ddpbsd) wrote:
> > > > > > > > > > On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > > > > > Hi guys,
> > > > > > > > > > > I made some tests here with ossec 2.7. When I try to scan the target, modsec delivers a 403 error page, so ossec reads the apache access.log file, matches the rule with ID 31151 from web_rules.xml and blocks the attacker's IP on iptables. The rule follows below:
> > > > > > > > > > >
> > > > > > > > > > > <rule level="10" id="31151" timeframe="90" frequency="12">
> > > > > > > > > > >   <if_matched_sid>31101</if_matched_sid>
> > > > > > > > > > >   <same_source_ip/>
> > > > > > > > > > >   <description>Multiple web server 400 error codes </description>
> > > > > > > > > > >   <description>from same source ip.</description>
> > > > > > > > > > >   <group>web_scan,recon,</group>
> > > > > > > > > > > </rule>
> > > > > > > > > > >
> > > > > > > > > > > The question is, why doesn't the same thing happen on ossec 2.8.1? Is there some problem if I use version 2.7?
> > > > > > > > > >
> > > > > > > > > > It's hard to tell without log samples.
> > > > > > > > > >
> > > > > > > > > > > On Monday, 9 February 2015 15:47:31 UTC-2, Ricardo Galossi wrote:
> > > > > > > > > > > > Hi Dan,
> > > > > > > > > > > > Thank you for your attention. I'm at work now, and I'm not able to access my VPS from here, but tonight when I leave the company I'll send you the log file.
> > > > > > > > > > > >
> > > > > > > > > > > > On Monday, 9 February 2015 15:42:46 UTC-2, dan (ddpbsd) wrote:
> > > > > > > > > > > > > On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > > > > > > > > Hi Rodrigo,
> > > > > > > > > > > > > > I've looked at the file syslog_rules.xml to see the rule with ID 1002, and I understood the rule perfectly. As you said, I've changed the <match> field of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the level of drop in my ossec.conf to level 2. Although, unfortunately, it doesn't solve my problem. It's like the apache rules don't match any log record, just the rule ID 1002 from syslog_rules.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Can you provide a log sample?
> > > > > > > > > > > > >
> > > > > > > > > > > > > > On the other hand, I made a laboratory with ossec 2.7 and it works perfectly. I made a scan with Nikto and ossec blocked normally.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Monday, 9 February 2015 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> > > > > > > > > > > > > > > Hi there!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Rule 1002 is triggering because of the "error" word in the alert and no specific decoder for this alert.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > #./ossec-logtest
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
> > > > > > > > > > > > > > > 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
> > > > > > > > > > > > > > > ossec-testrule: Type one log per line.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > **Phase 1: Completed pre-decoding.
> > > > > > > > > > > > > > >        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> > > > > > > > > > > > > > >        hostname: 'spookerlabs'
> > > > > > > > > > > > > > >        program_name: '(null)'
> > > > > > > > > > > > > > >        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > **Phase 2: Completed decoding.
> > > > > > > > > > > > > > >        No decoder matched.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > **Phase 3: Completed filtering (rules).
> > > > > > > > > > > > > > >        Rule id: '1002'
> > > > > > > > > > > > > > >        Level: '2'
> > > > > > > > > > > > > > >        Description: 'Unknown problem somewhere in the system.'
> > > > > > > > > > > > > > > **Alert to be generated.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Rule 1002
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <var name="BAD_WORDS">core_dumped|failure|error|attack|bad|illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <rule id="1002" level="2">
> > > > > > > > > > > > > > >   <match>$BAD_WORDS</match>
> > > > > > > > > > > > > > >   <options>alert_by_email</options>
> > > > > > > > > > > > > > >   <description>Unknown problem somewhere in the system.</description>
> > > > > > > > > > > > > > > </rule>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Since this rule is level 2 it's not going to trigger an active response since your config said to alert only level 5 or higher.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > More info here http://ossec-docs.readthedocs.org/en/latest/manual/ar/
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Looking into Modsecurity rules, there are 2 under apache rules:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <rule id="30200" level="6" noalert="1">
> > > > > > > > > > > > > > >   <match>^mod_security-message: </match>
> > > > > > > > > > > > > > >   <description>Modsecurity alert.</description>
> > > > > > > > > > > > > > > </rule>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <rule id="30201" level="6">
> > > > > > > > > > > > > > >   <if_sid>30200</if_sid>
> > > > > > > > > > > > > > >   <match>^mod_security-message: Access denied </match>
> > > > > > > > > > > > > > >   <description>Modsecurity access denied.</description>
> > > > > > > > > > > > > > >   <group>access_denied,</group>
> > > > > > > > > > > > > > > </rule>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > But I think it needs to be updated to "ModSecurity: Access denied" instead of "mod_security-message: Access denied".
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Do you have a raw log different from error? Is this a common modsec error log? Maybe we need to create a decoder for that.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hope it helps.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > > > > > > > > > > Hello Rodrigo,
> > > > > > > > > > > > > > > > Thank you so much for answering me. So, some time ago I had an installation of ossec with the same configuration; ossec read the error.log of apache and blocked the attacks on iptables with the active response. I really don't know if something has changed in the last version of ossec, but it doesn't block any kind of attack (ssh brute force, http attacks, etc). Attached below are my ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
> > > > > > > > > > > > > > > > When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received the following message:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
> > > > > > > > > > > > > > > > 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
> > > > > > > > > > > > > > > > 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
> > > > > > > > > > > > > > > > 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Report completed. ==
> > > > > > > > > > > > > > > > ------------------------------------------------
> > > > > > > > > > > > > > > > ->Processed alerts: 3940
> > > > > > > > > > > > > > > > ->Post-filtering alerts: 3940
> > > > > > > > > > > > > > > > ->First alert: 2015 Feb 09 01:03:00
> > > > > > > > > > > > > > > > ->Last alert: 2015 Feb 09 01:03:01
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Top entries for 'Level':
> > > > > > > > > > > > > > > > ------------------------------------------------
> > > > > > > > > > > > > > > > Severity 6                                      |3864      |
> > > > > > > > > > > > > > > > Severity 13                                     |76        |
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Top entries for 'Group':
> > > > > > > > > > > > > > > > ------------------------------------------------
> > > > > > > > > > > > > > > > errors                                          |3940      |
> > > > > > > > > > > > > > > > syslog                                          |3940      |
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Top entries for 'Location':
> > > > > > > > > > > > > > > > ------------------------------------------------
> > > > > > > > > > > > > > > > ubuntu->stdin                                   |3940      |
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Top entries for 'Rule':
> > > > > > > > > > > > > > > > ------------------------------------------------
> > > > > > > > > > > > > > > > 1002 - Unknown problem somewhere in the system. |3864      |
> > > > > > > > > > > > > > > > 1003 - Non standard syslog message (size too large). |76   |
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thank you for your help.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Sunday, 8 February 2015 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> > > > > > > > > > > > > > > > > Hi Ricardo,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > I think modsec isn't apache format, could you share some alert samples from your log file?
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > A good way to test if ossec will work with your log format is using logtest: http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > About active-response, how is your ossec.conf configured? Could you share it? Anyway OSSEC won't block any attack, only take some action from some attack. Looking into /var/ossec/log/ you could see under active-response log.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Let me know if this helps.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
> > > > > > > > > > > > > > > > > > Hi there guys,
> > > > > > > > > > > > > > > > > > I'm facing a problem with ossec, I hope you can help me. I've configured my ossec to monitor apache's and modsecurity's logs in my chroot. I put the lines below in ossec.conf:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > <localfile>
> > > > > > > > > > > > > > > > > >   <log_format>apache</log_format>
> > > > > > > > > > > > > > > > > >   <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
> > > > > > > > > > > > > > > > > > </localfile>
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > <localfile>
> > > > > > > > > > > > > > > > > >   <log_format>apache</log_format>
> > > > > > > > > > > > > > > > > >   <location>/var/chroot/var/log/apache2/error.log</location>
> > > > > > > > > > > > > > > > > > </localfile>
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The problem is that ossec doesn't block any attack. I receive ossec's logs normally, but every log has the same ID, like this:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
> > > > > > > > > > > > > > > > > > Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
> > > > > > > > > > > > > > > > > > Portion of the log(s):
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Thank you for your attention.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > > Rodrigo Montoro (Sp0oKeR)
> > > > > > > > > > > > > > > > > http://spookerlabs.blogspot.com
> > > > > > > > > > > > > > > > > http://www.twitter.com/spookerlabs
> > > > > > > > > > > > > > > > > http://www.linkedin.com/in/spooker
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
