Great, thanks for the bash script, Ryan.
But what else should I do after downloading the IP blocklist? How could I feed 
OSSEC with it?
Maybe through an active response?

On Saturday, July 25, 2015 04:56:07 UTC+2, Ryan Schulze wrote:
>
> I played around with IP reputation and CDB a while back, but never 
> pushed it to my live servers. I found the following bash snippet on my test 
> server; it may be of use for someone (although the alienvault list is 
> pretty long and contains different levels of "evil", so it may be worth parsing 
> and splitting up).
>
> #!/bin/bash
> {
>   # ZeuS tracker feed: one IP per line -> "IP:label" for the CDB list
>   curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
>   egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'
>
>   # AlienVault feed: "IP # field # ..." -> keep text before the first comma,
>   # turn the first " # " into ":" so the line becomes "IP:label"
>   curl "https://reputation.alienvault.com/reputation.generic" |\
>   egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'
>
> } > ip_blacklist
>
>
> On 7/24/2015 7:46 PM, Santiago Bassett wrote:
>
> Hi Theresa,
>
> My guess is that you are probably a victim of web crawlers more than 
> anything else. In any case it would be interesting to search for those source 
> IPs in IP reputation databases to see if those are well known 
> attackers. 
>
> Has anyone on this list used an IP reputation database in a CDB list? I 
> would probably try something like that and see how it goes.
>
> Best
>
>
> On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare <[email protected]> wrote:
>
>> hi folks,
>>
>> I need some help with interpreting webserver logfiles (Apache logs).
>> While setting up my OSSEC test environment for my thesis project, I've 
>> also set up a WordPress on an Apache web server as a "honeypot". Although 
>> there's no real content, except the standard WordPress posts & pages that 
>> come with the installation, I already have some "visitors". I see these 
>> dubious-looking requests. I'm not sure if these are threats/attacks against 
>> my WordPress installation.
>> I'm not really familiar with Apache logs, but I need some threats/attacks 
>> to explain in my thesis. I thought this would be the best way to get 
>> started.
>>
>> I have PLENTY of the following requests in my httpd logs
>>
>> Src IP: 115.239.228.8
>> 115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET 
>> http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 
>> HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 
>> 6.1; Trident/5.0; 360SE)"
>>
>> Judging by the HTTP status code it's not really a threat, right? It's 
>> probably just some hacker with a tool who's looking for vulnerabilities? Or 
>> is this just nonsense/junk?
>>
>> Received From: tron->/var/log/httpd/access_log
>> Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for 
>> setup.php)."
>> Portion of the log(s):
>>
>> 178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET 
>> /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"
>>
>> also this
>> Received From: tron->/var/log/httpd/access_log
>> Rule: 31101 fired (level 5) -> "Web server 400 error code."
>> Portion of the log(s):
>>
>> 202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD 
>> /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"
>>
>> I'm surprised they found out about it... glad I protected it with 
>> htaccess and they didn't come in. ;)
>>
>> and lots of other requests that return HTTP 403 (forbidden) or 404 (not 
>> found)
>>
>> I'm not quite sure what to make of it.
>> I didn't realise my server was so exposed... did they just find the IP by 
>> scanning for http ports?!
>>
>> looking forward to some feedback,
>> theresa
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
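Ryan's snippet above produces the "key:value" source file that OSSEC's CDB lists are built from; the script below is an added example, not code from the thread, that does the same job offline on constructed sample lines, filters the AlienVault entries by a reliability field (its position is an assumption inferred from the snippet's sed/cut, not from the feed's documentation), deduplicates keys, and notes in comments the OSSEC-side steps the first message asks about.

```shell
#!/bin/bash
# Added example (not from the thread): build an OSSEC CDB source file
# (one "key:value" line per IP) from the two feeds Ryan's snippet pulls,
# reading constructed sample lines instead of the network so it runs offline.
# ASSUMPTION: AlienVault lines look like "IP # reliability # risk # activity # ..."

# ZeuS tracker layout: one IPv4 per line, '#' comment lines. The anchored
# regex keeps comment lines and stray text from ever becoming keys.
zeus_to_cdb() {
  grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | awk '{print $1":ZeuS IP blocklist"}'
}

# AlienVault layout (assumed, see above): keep entries whose reliability
# ($2) is at least $1 (default 3) and label them with the first activity
# word, so the "levels of evil" Ryan mentions can be split into lists.
alienvault_to_cdb() {
  min="${1:-3}"
  awk -F' # ' -v min="$min" \
    '/^[0-9]/ && ($2 + 0) >= min { split($4, a, ","); print $1 ":" a[1] }'
}

# Merge feeds: first label per IP wins (CDB keys must be unique), then sort
# bytewise so the output is stable across locales.
build_list() {
  awk -F: '!seen[$1]++' | LC_ALL=C sort -t: -k1,1
}

# Constructed sample feed lines (documentation ranges, not real feed data).
ZEUS_SAMPLE='# ZeuS blocklist sample
192.0.2.10
192.0.2.11
198.51.100.5'
AV_SAMPLE='# AlienVault sample
192.0.2.11 # 4 # 2 # Malicious Host # XX # , # 0,0 # 3
203.0.113.7 # 1 # 2 # Scanning Host # XX # , # 0,0 # 3
203.0.113.9 # 6 # 4 # C&C,Malware # XX # , # 0,0 # 3'

make_blacklist() {
  {
    printf '%s\n' "$ZEUS_SAMPLE" | zeus_to_cdb
    printf '%s\n' "$AV_SAMPLE" | alienvault_to_cdb 3
  } | build_list
}

# OSSEC side (per OSSEC's CDB list docs): save this output as
# /var/ossec/lists/blacklist-ip, add <list>lists/blacklist-ip</list> under
# <rules> in ossec.conf, run /var/ossec/bin/ossec-makelists, then match it
# from a rule: <list field="srcip" lookup="address_match_key">lists/blacklist-ip</list>
make_blacklist
```

A rule using that `<list>` directive fires on the srcip of the web alerts already in the thread (31515, 31101), which is how the lookup reaches the analysis engine without an active response.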