On Jul 16, 2015 2:50 PM, "greybrimstone" <[email protected]> wrote:
>
> Hi All,
>
> I am in need of some assistance. I've been trying to get OSSEC to respond to mod security events by banning IP addresses that generate events of level 6+.
>
> 1-) I have apache error logs configured and piped to /var/log/apache2/error.log
> 2-) ModSecurity events are correctly being sent to the error log:
>
> [Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.xxx.com"] [uri "/wp-login.php"] [unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]
>

Is the IP properly decoded when you run this log through ossec-logtest?

> 3-) When I create a rule with <srcip>!xx.xx.xx.xx</srcip> in the local_rules.xml file that rule no longer fires for xx.xx.xx.xx, which is expected. I did that to test and make sure that srcip was being properly extracted.
>

What is the exclamation point for?

> 4-) When I remove the <srcip>!xx.xx.xx.xx</srcip> the rule fires just fine, I see the event in the alerts.
> 5-) Active Response is never called and xx.xx.xx.xx is not blocked. That said, active response is triggered by other servers with other events and those events are resulting in blocks.

What is your AR configuration? Is ossec-execd running on the agent that isn't running the AR block?

> 6-) It appears that active response is not called for the web server www.xxx.com (but in the active responses log file I do see entries, and when I do iptables -L there are entries; none of them come from www.xxx.com, they all come from mail).

So some AR blocks work, but not others?

> 7-) My OSSEC location for active response is set to ALL.
>
> Any ideas?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
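The reply turns on two checks: whether the decoder actually pulls the client address out of the Apache 2.4 / ModSecurity error line, and what the leading "!" in <srcip> does (in OSSEC rule syntax it negates the condition, so the rule matches every source except that address). The following is an added, stand-alone Python illustration of those two steps and of the level-6 active-response threshold; it is not OSSEC's decoder or rule engine and not code from the thread. The log line is a constructed copy of the one quoted above with the masked address replaced by a documentation address, the rule id 100100 and the hostname are hypothetical, and <match> is treated as a plain substring rather than OSSEC's own pattern syntax.

```python
"""Toy walk-through of the steps discussed in the thread: decode the source IP
from an Apache 2.4 / ModSecurity error-log line, evaluate a local_rules.xml-style
<srcip> condition (including the leading '!' negation) and decide whether an
active response configured at level 6 would fire.  Illustrative code only; it is
not OSSEC's decoder or rule engine, and the rule, rule id and addresses are made up."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the log line quoted in the thread, with the
# masked address replaced by an RFC 5737 documentation address.
SAMPLE_LOG = (
    '[Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client 203.0.113.7] '
    'ModSecurity: Access denied with code 403 (phase 1). '
    'Pattern match "wp-login.php" at REQUEST_URI. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] '
    '[line "49"] [id "999946"] [hostname "www.example.com"] [uri "/wp-login.php"] '
    '[unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]'
)

# Constructed local_rules.xml fragment (rule id 100100 is hypothetical).  The
# '!' in <srcip> is OSSEC's negation: the rule matches any source *except* that IP.
SAMPLE_RULES = """<group name="local,modsecurity,">
  <rule id="100100" level="6">
    <match>ModSecurity: Access denied</match>
    <srcip>!203.0.113.7</srcip>
    <description>ModSecurity denied a request</description>
  </rule>
</group>"""

AR_LEVEL = 6  # the <level> of the hypothetical <active-response> block

# Apache error-log prefix: [timestamp] [module:severity] [pid N(:tid N)] [client ADDR] message.
# The 2.2-style "[error]" (no module) and a missing [pid]/[client] part are tolerated.
ERROR_LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'\[(?:[^\]:]*:)?(?P<sev>[a-z]+)\] '
    r'(?:\[pid \d+(?::tid \d+)?\] )?'
    r'(?:\[client (?P<client>[^\]]+)\] )?'
    r'(?P<msg>.*)$'
)
MODSEC_FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "999946"], [uri "/x"], ...


def _strip_port(client: str) -> str:
    """Apache 2.4 may log the client as IPv4:port; keep only the address."""
    m = re.match(r'^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$', client)
    return m.group(1) if m else client


def decode(line: str):
    """Return the fields a decoder would hand to the rule engine, or None if unparseable."""
    m = ERROR_LOG_RE.match(line)
    if not m:
        return None
    client = m.group('client')
    return {
        'severity': m.group('sev'),
        'srcip': _strip_port(client) if client else None,
        'modsecurity': m.group('msg').startswith('ModSecurity:'),
        'fields': dict(MODSEC_FIELD_RE.findall(m.group('msg'))),
    }


def srcip_matches(condition: str, srcip: str) -> bool:
    """<srcip> semantics: an address, a CIDR block or an OSSEC-style prefix such as
    '10.0.'; a leading '!' negates the whole condition."""
    negate = condition.startswith('!')
    target = condition.lstrip('!')
    if target.endswith('.'):
        hit = srcip.startswith(target)
    else:
        hit = ipaddress.ip_address(srcip) in ipaddress.ip_network(target, strict=False)
    return hit != negate


def evaluate(rules_xml: str, line: str, ar_level: int = AR_LEVEL):
    """Run one log line through the rules and report which fire and whether the
    active-response threshold is reached.  <match> is treated as a plain substring
    here; real OSSEC uses its own pattern syntax for that tag."""
    event = decode(line)
    fired = []
    if event is not None:
        for rule in ET.fromstring(rules_xml).iter('rule'):
            pattern = rule.findtext('match')
            if pattern and pattern not in line:
                continue
            cond = rule.findtext('srcip')
            if cond and (event['srcip'] is None or not srcip_matches(cond, event['srcip'])):
                continue
            fired.append({'id': rule.get('id'), 'level': int(rule.get('level', '0'))})
    top = max((r['level'] for r in fired), default=0)
    return {'event': event, 'fired': fired, 'active_response': bool(fired) and top >= ar_level}


if __name__ == '__main__':
    # Step 3 of the thread: with the negated <srcip> the rule must NOT fire for that IP ...
    print(evaluate(SAMPLE_RULES, SAMPLE_LOG))
    # ... and step 4: drop the '!' and it fires, reaching the level-6 AR threshold.
    print(evaluate(SAMPLE_RULES.replace('<srcip>!', '<srcip>'), SAMPLE_LOG))
```

The script only mirrors what steps 3 and 4 of the original post already show: a negated <srcip> suppresses the rule for that one address, and removing the "!" makes it fire at level 6. On a real server the equivalent check is to paste the raw error-log line into ossec-logtest and confirm that srcip is listed among the decoded fields; if it is not, no <srcip>-based rule and no IP-based active response can act on the event, regardless of the <active-response> block or whether ossec-execd is running on the agent.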
