I just tested your log with the latest code from github and it triggered
rule 30411 as expected. So you should update your decoder and rule files,
at least the apache ones.
I couldn't tell if the srcip was extracted, but it should have been.

The [:error] is the new apache 2.4 log format.

Regards
Christian

On 16.07.2015 at 21:44, greybrimstone wrote:
> Oh and one more thing... why do my logs have [:error] rather than
> [error]... what's the deal?
> 
> On Thursday, July 16, 2015 at 3:09:49 PM UTC-4, greybrimstone wrote:
> 
>     Hi Dan, thank you for the reply.  My comments are embedded within.
> 
>     On Thursday, July 16, 2015 at 2:55:12 PM UTC-4, dan (ddpbsd) wrote:
> 
> 
>         On Jul 16, 2015 2:50 PM, "greybrimstone" <[email protected]>
>         wrote:
>         >
>         > Hi All, 
>         >
>         > I am in need of some assistance.  I've been trying to get
>         OSSEC to respond to mod security events by banning IP addresses
>         that generate events of level 6+.  
>         >
>         > 1-) I have apache error logs configured and piped to
>         /var/log/apache2/error.log
>         > 2-) ModSecurity events are correctly being sent to the error log:
>         >
>         > [Thu Jul 16 14:25:18.746621 2015] [:error] [pid 17398] [client
>         xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 1).
>         Pattern match "wp-login.php" at REQUEST_URI. [file
>         "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"]
>         [line "49"] [id "999946"] [hostname "www.xxx.com"] [uri "/wp-login.php"]
>         [unique_id "Vaf3DgoFB9wAAEP2b4MAAAAE"]
>         >
> 
>         Is the IP properly decoded when you run this log through
>         ossec-logtest?
> 
> 
>     It appears that srcip is not being properly decoded.  How do I
>     resolve this?
> 
>     [root@ossec bin]# /var/ossec/bin/ossec-logtest
>     2015/07/16 15:00:50 ossec-testrule: INFO: Reading local decoder file.
>     2015/07/16 15:00:50 ossec-testrule: INFO: Started (pid: 391).
>     ossec-testrule: Type one log per line.
> 
>     [Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client
>     50.22.203.210] ModSecurity: Access denied with code 403 (phase 1).
>     Pattern match "wp-login.php" at REQUEST_URI. [file
>     "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"]
>     [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"]
>     [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]
> 
>     **Phase 1: Completed pre-decoding.
>            full event: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid
>     17396] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403
>     (phase 1). Pattern match "wp-login.php" at REQUEST_URI. [file
>     "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"]
>     [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"]
>     [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
>            hostname: 'ossec'
>            program_name: '(null)'
>            log: '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396]
>     [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase
>     1). Pattern match "wp-login.php" at REQUEST_URI. [file
>     "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_61_customrules.conf"]
>     [line "49"] [id "999946"] [hostname "www.netragard.com"] [uri "/wp-login.php"]
>     [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
> 
>     **Phase 2: Completed decoding.
>            No decoder matched.
> 
>     **Phase 3: Completed filtering (rules).
>            Rule id: '100051'
>            Level: '7'
>            Description: 'WARNING: wp-admin access detected'
>     **Alert to be generated.
> 
>         >
>         > 3-) When I create a rule with <srcip>!xx.xx.xx.xx</srcip> in
>         the local_rules.xml file that rule no longer fires for
>         xx.xx.xx.xx which is expected.  I did that to test and make sure
>         that srcip was being properly extracted.
>         >
> 
>         What is the exclamation point for?
> 
> 
>     It was to filter out the attack from the test system.  I figured if
>     it detected the IP address then it was parsing the srcip
>     correctly... apparently I was wrong.
>      
> 
>         > 4-) When I remove the <srcip>!xx.xx.xx.xx</srcip>  the rule
>         fires just fine, I see the event in the alerts. 
> 
>         > 5-) Active Response is never called and xx.xx.xx.xx is not
>         blocked.  That said, active response is triggered by other
>         servers with other events and those events are resulting in blocks. 
> 
>      
> 
>         What is your AR configuration? Is ossec-execd running on the
>         agent that isn't running the AR block?
> 
> 
>     Yes, ossec-execd is running.   The mail server is successfully
>     extracting and blocking IPs on all agents including www which is
>     the agent in question.  My AR configuration is as follows:
> 
>       <!-- Active Response Config -->
>       <active-response>
>         <command>host-deny</command>
>         <location>all</location>
>         <level>6</level>
>         <timeout>172800</timeout>
>       </active-response>
> 
>       <active-response>
>         <command>firewall-drop</command>
>         <location>all</location>
>         <level>6</level>
>         <timeout>172800</timeout>
>       </active-response>
> 
>      
> 
>         > 6-) It appears that active response is not called for the web
>         server www.xxx.com (but in the active responses log file I do see
>         entries, and when I do iptables -L there are entries, none of them
>         come from www.xxx.com, they all come from mail).
> 
>         So some AR blocks work, but not others?
> 
> 
>     Correct
>      
> 
>         > 7-) My OSSEC location for active response is set to ALL
> 
> 
>     One more thing.  I have the logs configured for watching as follows.
> 
>       <localfile>
>         <log_format>apache</log_format>
>         <location>/var/log/apache2/error.log</location>
>       </localfile>
> 
> 
>         > Any ideas?
>         >
>         > --
>         >
>         > ---
>         > You received this message because you are subscribed to the
>         Google Groups "ossec-list" group.
>         > To unsubscribe from this group and stop receiving emails from
>         it, send an email to [email protected].
>         > For more options, visit https://groups.google.com/d/optout.
> 
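Added example, not from this thread and not OSSEC's own decoder: a small Python decoder for the Apache error-log format discussed above, showing the fields OSSEC needs (srcip first of all) extracted from both the old `[error]` form and the new Apache 2.4 `[:error]` form, so the "No decoder matched" result from ossec-logtest can be reproduced and checked outside OSSEC. It also accepts the 2.4 `[client ip:port]` variant, which the thread does not show. The regexes and function names are this example's assumptions (IPv4 only); the sample lines are constructed from the entry quoted in the thread.

```python
import re
from typing import Dict, Optional

# Apache 2.2 wrote "[error]"; Apache 2.4 writes "[module:level]", which becomes
# "[:error]" when the module name is empty (ModSecurity's messages). 2.4 may also
# append the client port ("[client 1.2.3.4:54321]"). IPv4 only (assumption).
APACHE_ERROR_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"\[(?:(?P<module>[\w-]*):)?(?P<level>\w+)\] "
    r"(?:\[pid (?P<pid>\d+)(?::tid \d+)?\] )?"
    r"\[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<srcport>\d+))?\] "
    r"(?P<message>.*)$"
)
# ModSecurity appends [key "value"] pairs (id, uri, file, line, ...) to its message.
MODSEC_FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_apache_error(line: str) -> Optional[Dict[str, str]]:
    """Decode one Apache error-log line; None means 'No decoder matched'."""
    m = APACHE_ERROR_RE.match(line.strip())
    if not m:
        return None
    event = {k: (v or "") for k, v in m.groupdict().items()}
    if event["message"].startswith("ModSecurity:"):
        event.update(dict(MODSEC_FIELD_RE.findall(event["message"])))
    return event


def active_response_target(line: str) -> Optional[str]:
    """srcip that an IP-based active response (host-deny, firewall-drop) would
    act on; with no decoded srcip there is nothing to block, which is the
    failure seen in the thread."""
    event = parse_apache_error(line)
    return event["srcip"] if event else None


# Constructed samples: the 2.4 line from the thread and a 2.2-style twin.
APACHE24_LINE = (
    '[Thu Jul 16 14:46:14.691767 2015] [:error] [pid 17396] [client 50.22.203.210] '
    'ModSecurity: Access denied with code 403 (phase 1). Pattern match "wp-login.php" '
    'at REQUEST_URI. [file "/usr/share/modsecurity-crs/activated_rules/'
    'modsecurity_crs_61_customrules.conf"] [line "49"] [id "999946"] '
    '[hostname "www.netragard.com"] [uri "/wp-login.php"] [unique_id "Vaf79goFB9wAAEP0hpAAAAAC"]'
)
APACHE22_LINE = (
    '[Thu Jul 16 14:46:14 2015] [error] [client 50.22.203.210] '
    'ModSecurity: Access denied with code 403 (phase 1). [id "999946"] [uri "/wp-login.php"]'
)
```

Run `parse_apache_error` over a line copied from your own error.log; a `None` result is exactly what ossec-logtest reports as "No decoder matched", and an empty `srcip` is why an IP-based active response never fires.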
