On Wed, Jul 1, 2015 at 2:32 PM, Sean Fagan <[email protected]> wrote:
> Alert Level: 7; Rule: 104150 - Drupal access denied error (permissions
> rejected).; Location: (proxy01) xxx.xxx.xxx.xxx
> ->/var/log/httpd/www.xxx-error_log; [Mon Jun 29 13:54:44.413481 2015]
> [:error] [pid 1075] [client 54.176.229.159] ModSecurity: Access denied with
> code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file
> "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"]
> [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"]
> [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "xxx.xxx.xxx"] [uri "xxx.pdf"] [unique_id "VZGGZCuZS9My5o08pTOE-QAAAAU"]
>
> Alert Level: 2; Rule: 1002 - Unknown problem somewhere in the system.;
> Location: (proxy01) xxx.xxx.xxx.xxx->/var/log/httpd/www.xxx-error_log; [Mon
> Jun 29 13:16:25.592649 2015] [:error] [pid 834] [client 170.226.80.70]
> ModSecurity: Rule 7f4f36ef9c18 [id "970003"][file
> "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"][line
> "123"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
> "xxx.xxx.xxx"] [uri "/xxx/dgi"] [unique_id "VZF9ae-TU@imyyXQxFzU3QAAAAU"]
>
So with a fairly default OSSEC installation (using the latest source
in git) these show up as:
# cat /tmp/xxx | bin/ossec-logtest
2015/07/01 21:57:33 ossec-testrule: INFO: Reading local decoder file.
2015/07/01 21:57:33 ossec-testrule: INFO: Started (pid: 1020).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '[Mon Jun 29 13:54:44.413481 2015] [:error] [pid
1075] [client 54.176.229.159] ModSecurity: Access denied with code 403
(phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
[line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept
Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"]
[accuracy "9"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
"WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
"xxx.xxx.xxx"] [uri "xxx.pdf"] [unique_id
"VZGGZCuZS9My5o08pTOE-QAAAAU"]'
hostname: 'arrakis'
program_name: '(null)'
log: '[Mon Jun 29 13:54:44.413481 2015] [:error] [pid 1075]
[client 54.176.229.159] ModSecurity: Access denied with code 403
(phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
[line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept
Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.6"] [maturity "9"]
[accuracy "9"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
"WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
"xxx.xxx.xxx"] [uri "xxx.pdf"] [unique_id
"VZGGZCuZS9My5o08pTOE-QAAAAU"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30411'
Level: '7'
Description: 'ModSecurity rejected a query'
**Alert to be generated.
This appears to be correct, right? I get the same result with the
drupal decoder and rules.
And the second log sample:
# cat /tmp/yyy | bin/ossec-logtest
2015/07/01 21:58:18 ossec-testrule: INFO: Reading local decoder file.
2015/07/01 21:58:18 ossec-testrule: INFO: Started (pid: 18491).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '[Mon Jun 29 13:16:25.592649 2015] [:error] [pid
834] [client 170.226.80.70] ModSecurity: Rule 7f4f36ef9c18 [id
"970003"][file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"][line
"123"] - Execution error - PCRE limits exceeded (-8): (null).
[hostname "xxx.xxx.xxx"] [uri "/xxx/dgi"] [unique_id
"VZF9ae-TU@imyyXQxFzU3QAAAAU"]'
hostname: 'arrakis'
program_name: '(null)'
log: '[Mon Jun 29 13:16:25.592649 2015] [:error] [pid 834]
[client 170.226.80.70] ModSecurity: Rule 7f4f36ef9c18 [id
"970003"][file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"][line
"123"] - Execution error - PCRE limits exceeded (-8): (null).
[hostname "xxx.xxx.xxx"] [uri "/xxx/dgi"] [unique_id
"VZF9ae-TU@imyyXQxFzU3QAAAAU"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30301'
Level: '0'
Description: 'Apache error messages grouped.'
This appears to be another modsecurity log, but there aren't any rules
that deal with this log. Writing a rule should fix that right up. I
also get the same result for this one with the drupal rules/decoder.
So this could have something to do with the older version of OSSEC you're using.
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
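As an added example (not from this thread and not part of the OSSEC rule set), here is the kind of local rule the reply suggests for the second sample. It chains off rule 30301, which the logtest output above shows is the only rule that currently fires, and matches the literal "Execution error" text from the log line. The rule id 100100, the level, and the group name are assumptions chosen for this example; local rule ids in OSSEC belong in the 100000-109999 range.

```xml
<!-- Added example for rules/local_rules.xml; rule id and level are assumptions -->
<group name="apache,modsecurity,">

  <!-- ModSecurity could not finish evaluating a rule for this request.
       PCRE limits exceeded means the regex engine gave up on the rule
       in modsecurity_crs_50_outbound.conf, so that check did not run
       for this response. Alert rather than let it fall through at level 0. -->
  <rule id="100100" level="5">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Rule </match>
    <regex>Execution error - PCRE limits exceeded</regex>
    <description>ModSecurity rule execution error (PCRE limits exceeded): request not fully inspected.</description>
    <group>modsecurity_error,</group>
  </rule>

</group>
```

Feed the second sample through bin/ossec-logtest again after adding this; Phase 3 should then report rule 100100 instead of 30301 at level 0. The condition itself is worth tracking on the ModSecurity side too, since repeated PCRE limit errors on the outbound rule set mean the response body is silently passing uninspected until SecPcreMatchLimit and SecPcreMatchLimitRecursion are raised or the offending rule is tuned.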