Steve,
What download did you use to install? I'm on Linux (CentOS/6) and had the
exact same problems with the STABLE v2.8.2 download.
Try running one of the offending lines from your access_log through the
logtest module. In particular, we're looking for some indication that the
pure-ftpd decoder is being used instead of the web-accesslog. If you see
that it's the pure-ftpd decoder, then you might want to just grab the
latest development snapshot. That's what I did and it fixed the problem.
Here's what mine looks like (now that it works).
# grep xmlrpc.php /var/log/httpd/access_log | tail -1 | /var/ossec/bin/ossec-logtest
2015/07/10 16:38:44 ossec-testrule: INFO: Reading local decoder file.
2015/07/10 16:38:44 ossec-testrule: INFO: Started (pid: 13920).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'xxx.xxx.xxx.xxx - - [10/Jul/2015:16:16:21 -0500] "POST
/xmlrpc.php HTTP/1.0" 200 403 "-" "Wget/1.12 (linux-gnu)"'
hostname: 'hidden'
program_name: '(null)'
log: 'xxx.xxx.xxx.xxx - - [10/Jul/2015:16:16:21 -0500] "POST
/xmlrpc.php HTTP/1.0" 200 403 "-" "Wget/1.12 (linux-gnu)"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: 'xxx.xxx.xxx.xxx'
url: '/xmlrpc.php'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '110001'
Level: '1'
Description: 'WordPress xmlrpc attempt.'
**Alert to be generated.
On Monday, June 29, 2015 at 2:22:02 PM UTC-5, SternData wrote:
>
> I'm having a problem with xmlrpc.php attacks.
>
> I added this rule to the top of local_rules.xml and restarted OSSEC, but
> I'm seeing no active responses despite more than 200 hits on the file
> from the same IP in the last 90 seconds:
>
>
> <group name="web,accesslog,">
>   <!-- rate limit xmlrpc -->
>   <rule id="100167" level="1">
>     <if_sid>31108</if_sid>
>     <url>xmlrpc.php</url>
>     <match>POST</match>
>     <description>WordPress xmlrpc attempt.</description>
>   </rule>
>
>   <rule id="100168" level="10" frequency="20" timeframe="600">
>     <if_matched_sid>100167</if_matched_sid>
>     <same_source_ip />
>     <description>WordPress xmlrpc attack.</description>
>     <group>attack,</group>
>   </rule>
>
>   <!-- end xmlrpc -->
> </group>
>
> I followed this guide and OSSEC is watching all http log files.
>
> --
> -- Steve
>
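A way to see what the quoted frequency rule is meant to do, as an added example that is not part of the thread and not OSSEC's own code: a small Python model of the decode, match and correlate steps visible in the ossec-logtest output above, run over constructed access_log lines (the addresses and timestamps are made up). The regex stands in for the web-accesslog decoder, rule_100167 models the child rule together with the 2xx/3xx condition its parent 31108 carries, and XmlrpcCorrelator models frequency/timeframe/same_source_ip as a per-source-IP sliding window. It escalates at the literal frequency value; the real engine is documented as needing a couple more matches than the attribute says, so treat the threshold as approximate.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Stand-in for OSSEC's web-accesslog decoder (not OSSEC's own regex):
# pulls srcip, timestamp, method, url and status ("id") out of an Apache
# combined-format line like the one shown in the thread.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) '
)


def decode(line):
    """Return the decoded fields for a web access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # another decoder (e.g. pure-ftpd) would have to take it
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def rule_100167(ev):
    """Child rule: a POST to xmlrpc.php. The parent (31108) only covers
    2xx/3xx responses, so a 4xx/5xx hit is not a match here either."""
    return (ev["id"][0] in "23" and "xmlrpc.php" in ev["url"]
            and ev["method"] == "POST")


class XmlrpcCorrelator:
    """Model of rule 100168: `frequency` matches of 100167 from the same
    source IP inside `timeframe` seconds escalate to a level-10 alert."""

    def __init__(self, frequency=20, timeframe=600):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.windows = {}  # srcip -> deque of timestamps of recent matches

    def feed(self, ev):
        if not rule_100167(ev):
            return None
        win = self.windows.setdefault(ev["srcip"], deque())
        win.append(ev["ts"])
        while ev["ts"] - win[0] > self.timeframe:  # drop matches outside the window
            win.popleft()
        if len(win) >= self.frequency:
            win.clear()  # reset so one burst yields one escalation
            return {"rule": 100168, "level": 10, "srcip": ev["srcip"],
                    "description": "WordPress xmlrpc attack."}
        return {"rule": 100167, "level": 1, "srcip": ev["srcip"],
                "description": "WordPress xmlrpc attempt."}


def simulate(lines, frequency=20, timeframe=600):
    """Run every line through decoder + rules; return the alerts raised."""
    corr = XmlrpcCorrelator(frequency, timeframe)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # not a web-accesslog line; nothing to correlate
        alert = corr.feed(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def build_sample(spacing_seconds):
    """Constructed access_log lines (not from the thread): 25 POSTs from one
    address `spacing_seconds` apart, plus traffic that must not count."""
    cdt = timezone(timedelta(hours=-5))
    t0 = datetime(2015, 7, 10, 16, 16, 21, tzinfo=cdt)

    def line(srcip, offset, method, url, status):
        stamp = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return (f'{srcip} - - [{stamp}] "{method} {url} HTTP/1.0" {status} 403 '
                f'"-" "Wget/1.12 (linux-gnu)"')

    attacker, other = "203.0.113.7", "198.51.100.9"  # made-up addresses
    lines = [line(attacker, i * spacing_seconds, "POST", "/xmlrpc.php", 200)
             for i in range(25)]
    lines += [line(other, 5 + i, "POST", "/xmlrpc.php", 200) for i in range(3)]
    lines.append(line(attacker, 7, "GET", "/xmlrpc.php", 200))   # not a POST
    lines.append(line(attacker, 8, "POST", "/xmlrpc.php", 403))  # not 2xx/3xx
    lines.append("Jul 10 16:16:30 host pure-ftpd: unrelated line")  # not decoded
    return lines


if __name__ == "__main__":
    for spacing in (3, 60):
        alerts = simulate(build_sample(spacing))
        escalations = [a for a in alerts if a["level"] == 10]
        print(f"spacing={spacing}s: {len(alerts)} alerts, "
              f"{len(escalations)} escalated to rule 100168")
```

With 3-second spacing the burst of 25 POSTs produces one level-10 escalation at the 20th match; with 60-second spacing no 600-second window ever holds 20 matches, so every hit stays at level 1. The same model also shows why the decoder matters: a line that is not decoded as web-accesslog never reaches 31108, so 100167 never matches and 100168 has nothing to count, which is exactly the failure ossec-logtest would reveal.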