Oh and one more thing... why do my logs have [:error] rather than [error]... what's the deal?
On Thursday, July 16, 2015 at 3:09:49 PM UTC-4, greybrimstone wrote:
>
> Hi Dan, thank you for the reply. My comments are embedded within.
>
> On Thursday, July 16, 2015 at 2:55:12 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Jul 16, 2015 2:50 PM, "greybrimstone" <[email protected]> wrote:
>> >
>> > Hi All,
>> >
>> > I am in need of some assistance. I've been trying to get OSSEC to respond to mod security events by banning IP addresses that generate events of level 6+.
>> >
>> > 1-) I have apache error logs configured and piped to /var/log/apache2/error.log
>> > 2-) ModSecurity events are correctly being sent to the error log:
>> >
>> > [Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.xxx.com"] [uri "/wp-login.php"] [unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]
>> >
>>
>> Is the IP properly decoded when you run this log through ossec-logtest?
>>
>
> It appears that srcip is not being properly decoded. How do I resolve this?
>
> [root@ossec bin]# /var/ossec/bin/ossec-logtest
> 2015/07/16 15:00:50 ossec-testrule: INFO: Reading local decoder file.
> 2015/07/16 15:00:50 ossec-testrule: INFO: Started (pid: 391).
> ossec-testrule: Type one log per line.
>
> [Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client 50.22.203.210] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]
>
> **Phase 1: Completed pre-decoding.
> full event: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
> hostname: 'ossec'
> program_name: '(null)'
> log: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100051'
> Level: '7'
> Description: 'WARNING: wp-admin access detected'
> **Alert to be generated.
>
>> > 3-) When I create a rule with <srcip>!xx.xx.xx.xx</srcip> in the local_rules.xml file that rule no longer fires for xx.xx.xx.xx which is expected. I did that to test and make sure that srcip was being properly extracted.
>> >
>>
>> What is the exclamation point for?
>>
>
> It was to filter out the attack from the test system. I figured if it detected the IP address then it was parsing the srcip correctly... apparently I was wrong.
>
>> > 4-) When I remove the <srcip>!xx.xx.xx.xx</srcip> the rule fires just fine, I see the event in the alerts.
>> > 5-) Active Response is never called and xx.xx.xx.xx is not blocked. That said, active response is triggered by other servers with other events and those events are resulting in blocks.
>> >
>> What is your AR configuration? Is ossec-execd running on the agent that isn't running the AR block?
>>
>
> Yes, ossec-execd is running. The mail server is successfully extracting and blocking IPs on all agents including www which is the agent in question. My AR configuration is as follows:
>
> <!-- Active Response Config -->
> <active-response>
>   <command>host-deny</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>172800</timeout>
> </active-response>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>172800</timeout>
> </active-response>
>
>> > 6-) It appears that active response is not called for the web server www.xxx.com (but in the active responses log file I do see entries, and when I do iptables -L there are entries, none of them come from www.xxx.com they all come from mail).
>>
>> So some AR blocks work, but not others?
>>
>
> Correct
>
>> > 7-) My OSSEC location for active response is set to ALL
>> >
>
> One more thing. I have the logs configured for watching as follows.
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/log/apache2/error.log</location>
> </localfile>
>
>> > Any ideas?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>> >
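As an added example (not part of the thread, and not OSSEC's own decoder code), the Python script below shows what a decoder for these lines has to extract before any active response can act on them: the `[client ...]` address that OSSEC calls srcip, plus the ModSecurity `[id ...]`, `[uri ...]`, `[hostname ...]` and similar fields. The `[:error]` token that the top post asks about is Apache 2.4's `[module:level]` error-log field (`%-m:%l` in ErrorLogFormat); ModSecurity messages carry an empty module name, so the header regex accepts an empty module as well as a named one (`[core:error]`) and the older Apache 2.2 `[error]` form. `active_response_target` is a hypothetical helper that mirrors the condition in the poster's `<active-response>` blocks (`<level>6</level>`): a rule level at or above the threshold and a decoded srcip. With "No decoder matched" in the logtest output above there is no srcip, and the helper returns nothing, which matches the web server never being blocked. All sample lines are constructed, with documentation-range addresses and placeholder hostnames.

```python
import re

# Constructed sample lines in the shape of the Apache 2.4 / ModSecurity 2.x entries
# quoted in the thread. Addresses and hostnames are placeholders, not the list post's.
SAMPLE_LINES = [
    # 1. The thread's layout: empty module name ("[:error]"), pid, client without port.
    '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" '
    'at REQUEST_URI. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"] '
    '[line "49"] [id "999946"] [hostname "www.example.com"] [uri "/wp-login.php"] '
    '[unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]',
    # 2. A named module, a thread id, and a client port that must not become part of srcip.
    '[Thu Jul 16 14:47:02.000001 2015] [core:error] [pid 17396:tid 140] '
    '[client 198.51.100.7:51234] AH00037: Symbolic link not allowed: /var/www/html/x',
    # 3. Apache 2.2 layout: "[error]" with no module name and no pid field.
    '[Thu Jul 16 14:48:00 2015] [error] [client 203.0.113.9] ModSecurity: Warning. '
    'Pattern match "evil" at ARGS:q. [id "900001"] [severity "CRITICAL"] [tag "a"] [tag "b"]',
    # 4. Failure mode: no "[client ...]" field at all, so no srcip can be decoded.
    '[Thu Jul 16 14:49:00.000000 2015] [:error] [pid 17396] ModSecurity: Access denied '
    'with code 403 (phase 2). [id "999947"] [uri "/xmlrpc.php"]',
]

# Header: timestamp, "[module:level]" (module may be empty or absent), optional pid/tid,
# optional client. IPv4 is matched first so a trailing ":port" is separated from it;
# an IPv6 address is taken as-is (its optional port is not split off).
HEADER_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] '
    r'\[(?:(?P<module>[^:\]]*):)?(?P<level>[a-z]+\d?)\] '
    r'(?:\[pid (?P<pid>\d+)(?::tid \d+)?\] )?'
    r'(?:\[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)(?::\d+)?\] )?'
    r'(?P<message>.*)$'
)
# ModSecurity's trailing [key "value"] pairs; "tag" may repeat and is collected as a list.
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')


def parse_error_line(line):
    """Decode one Apache error-log line into a dict, or return None when the header
    does not match (the equivalent of logtest's 'No decoder matched')."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    message = m.group('message')
    event = {
        'timestamp': m.group('timestamp'),
        'module': m.group('module') or '',      # '' for ModSecurity's "[:error]"
        'level': m.group('level'),
        'pid': m.group('pid'),
        'srcip': m.group('srcip'),              # None when no [client ...] was present
        'modsecurity': message.startswith('ModSecurity:'),
        'tags': [],
    }
    for kv in KV_RE.finditer(message):
        key, value = kv.group('key'), kv.group('value')
        if key == 'tag':
            event['tags'].append(value)
        else:
            event[key] = value                  # id, uri, hostname, file, line, unique_id, ...
    return event


def active_response_target(event, rule_level, threshold=6):
    """Hypothetical mirror of an <active-response> with <level>THRESHOLD</level>:
    return the address to hand to host-deny / firewall-drop, or None. A line whose
    decoder produced no srcip never yields a target, however high the rule level."""
    if event is None or rule_level < threshold:
        return None
    return event.get('srcip') or None


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        ev = parse_error_line(line)
        print(ev['srcip'], ev['module'] or '(none)', ev.get('id'), ev.get('uri'),
              'AR target:', active_response_target(ev, rule_level=7))
```

Running the script prints one line per sample; the fourth shows `None` as both srcip and AR target, which is the situation the thread describes. Decoder work in OSSEC's `decoder.xml` amounts to expressing the same header match, so checking a real line against `ossec-logtest` and confirming a `srcip:` field appears in the Phase 2 output is the test that matters before expecting host-deny or firewall-drop to fire.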
