Hi All, I am in need of some assistance. I've been trying to get OSSEC to respond to mod security events by banning IP addresses that generate events of level 6+.
1. I have apache error logs configured and piped to /var/log/apache2/error.log

2. ModSecurity events are correctly being sent to the error log:

[Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.xxx.com"] [uri "/wp-login.php"] [unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]

3. When I create a rule with <srcip>!xx.xx.xx.xx</srcip> in the local_rules.xml file, that rule no longer fires for xx.xx.xx.xx, which is expected. I did that to test and make sure that srcip was being properly extracted.

4. When I remove the <srcip>!xx.xx.xx.xx</srcip>, the rule fires just fine; I see the event in the alerts.

5. Active Response is never called and xx.xx.xx.xx is not blocked. That said, active response is triggered by other servers with other events, and those events are resulting in blocks.

6. It appears that active response is not called for the web server www.xxx.com (in the active responses log file I do see entries, and when I do iptables -L there are entries, but none of them come from www.xxx.com; they all come from mail).

7. My OSSEC location for active response is set to ALL.

Any ideas?
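For reference, here is the shape of the two manager-side pieces OSSEC needs before a firewall-drop can fire on a ModSecurity denial. This is an added example, not the poster's configuration: the rule id 100100 is hypothetical, the 600-second timeout is an assumption, `firewall-drop.sh` is OSSEC's stock response script, and `apache-errorlog` is the name OSSEC's bundled decoder uses for Apache error logs.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (added example, not the poster's config).
     Two parts must both be present: the command definition and the binding. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <!-- stock OSSEC script shipped in active-response/bin -->
    <executable>firewall-drop.sh</executable>
    <!-- The response is only dispatched when the alert carries a decoded srcip.
         An alert with no srcip field is silently skipped for this command. -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <!-- "all" = run on every agent; "local" would only run on the agent that produced the alert -->
    <location>all</location>
    <!-- fire on any alert of level 6 or above -->
    <level>6</level>
    <!-- assumption: lift the block after 10 minutes -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (added example). Rule id 100100 is a placeholder
     in the 100000-119999 range OSSEC reserves for local rules. -->
<group name="local,web,modsecurity,">
  <rule id="100100" level="6">
    <decoded_as>apache-errorlog</decoded_as>
    <match>ModSecurity: Access denied</match>
    <description>ModSecurity denied a request (level 6 so firewall-drop is eligible).</description>
  </rule>
</group>
```

Two checks worth running against a setup like the one in the post: paste the exact error-log line into `/var/ossec/bin/ossec-logtest` and confirm the decoded output lists a `srcip` field and that the rule shown as firing is level 6 or higher; and confirm that the agent's own `ossec.conf` does not carry `<active-response><disabled>yes</disabled></active-response>`, since an agent with responses disabled locally will log nothing even when the manager's `<location>` is `all`.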
