Hi Dan, thank you for the reply.  My comments are embedded within.

On Thursday, July 16, 2015 at 2:55:12 PM UTC-4, dan (ddpbsd) wrote:
>
>
> On Jul 16, 2015 2:50 PM, "greybrimstone" <[email protected]> wrote:
> >
> > Hi All, 
> >
> > I am in need of some assistance.  I've been trying to get OSSEC to 
> respond to mod security events by banning IP addresses that generate events 
> of level 6+.  
> >
> > 1-) I have apache error logs configured and piped to 
> /var/log/apache2/error.log
> > 2-) ModSecurity events are correctly being sent to the error log:
> >
> > [Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.xxx.com"] [uri "/wp-login.php"] [unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]
> >
>
> Is the IP properly decoded when you run this log through ossec-logtest?
>

It appears that srcip is not being properly decoded.  How do I resolve this?

[root@ossec bin]# /var/ossec/bin/ossec-logtest
2015/07/16 15:00:50 ossec-testrule: INFO: Reading local decoder file.
2015/07/16 15:00:50 ossec-testrule: INFO: Started (pid: 391).
ossec-testrule: Type one log per line.

[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client 50.22.203.210] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]


**Phase 1: Completed pre-decoding.
       full event: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
       hostname: 'ossec'
       program_name: '(null)'
       log: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100051'
       Level: '7'
       Description: 'WARNING: wp-admin access detected'

**Alert to be generated.


> >
> > 3-) When I create a rule with <srcip>!xx.xx.xx.xx</srcip> in the 
> local_rules.xml file that rule no longer fires for xx.xx.xx.xx which is 
> expected.  I did that to test and make sure that scrip was being properly 
> extracted.  
> >
>
> What is the exclamation point for?
>

It was to filter out the attack from the test system.  I figured if it 
detected the IP address then it was parsing the srcip correctly... 
apparently I was wrong.
 

> > 4-) When I remove the <srcip>!xx.xx.xx.xx</srcip>  the rule fires just 
> fine, I see the event in the alerts. 
>
> 5-) Active Response is never called and xx.xx.xx.xx is not blocked.  That 
> said, active response is triggered by other servers with other events and 
> those events are resulting in blocks. 
>
>  

> What is your AR configuration? Is ossec-execd running on the agent that 
> isn't running the AR block?
>

Yes, ossec-execd is running.  The mail server is successfully extracting 
and blocking IPs on all agents, including www, which is the agent in 
question.  My AR configuration is as follows:

  <!-- Active Response Config -->
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>172800</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>172800</timeout>
  </active-response>


> > 6-) It appears that active response is not called for the web server 
> www.xxx.com (but in the active responses log file I do see entires, and 
> when I do iptables -L there are entries, none of them come from 
> www.xxx.com they all come from mail).
>
> So some AR blocks work, but not others?
>

Correct
 

> > 7-) My OSSEC location for active response is set to ALL
>

One more thing.  I have the logs configured for watching as follows.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>


> > Any ideas?
> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
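An added example (not from this thread or the OSSEC project) of a local decoder that pulls srcip out of the Apache 2.4-style `[client ...]` field in the ModSecurity entries above, on the assumption that the stock apache decoders in the installed OSSEC version do not recognise the `[:error] [pid N]` layout (consistent with the "No decoder matched" logtest output). The decoder name is made up; the point is that both host-deny and firewall-drop expect a srcip, so an alert without one produces no block, regardless of level.

```xml
<!-- Added example, not from the thread: /var/ossec/etc/local_decoder.xml
     Matches Apache 2.4 error-log entries written by ModSecurity, e.g.
     [Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client 10.0.0.1] ModSecurity: Access denied ...
     OSSEC regex notes: [ and ] are literal, "." is a literal dot,
     \w+ is a word, \d+ is digits, \S+ is anything but whitespace. -->
<decoder name="modsecurity-apache24">
  <!-- Timestamp, the core module's "[:error]" level tag exactly as shown in
       the thread, the pid field, and the start of the client field. -->
  <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client </prematch>
  <!-- Capture the client address up to the closing bracket, and only when the
       message really comes from ModSecurity. srcip is the one field the
       host-deny and firewall-drop commands need. -->
  <regex offset="after_prematch">^(\S+)] ModSecurity: </regex>
  <order>srcip</order>
</decoder>

<!-- Verification: ossec-logtest reads local_decoder.xml directly, so paste the
     raw log line and phase 2 should now report decoder 'modsecurity-apache24'
     with srcip set to the client address. Restart OSSEC so ossec-analysisd
     picks the decoder up for live events. -->
```

Once srcip is decoded, the existing level-7 rule 100051 will carry it, and an `<srcip>` condition in local_rules.xml becomes a meaningful test of the extraction.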
