I suggest creating a CDB list with them, and also creating rules that use the
CDB list. For example, if the IP is in the CDB list, then trigger an alert
with a higher level. If you want to take it a step further and trigger
active responses, then go for it :-)
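As an added example of the CDB-list approach suggested above (this is not code from the thread and not OSSEC's own tooling), the script below turns the two feeds from Ryan's snippet into the plain-text `key:value` form that `ossec-makelists` compiles, and emits a local rule that raises the alert level when the `srcip` of a web alert is a key in that list. The feed contents and the log lines are constructed samples; the list path `lists/ip_blacklist`, rule id 100100 and level 10 are this example's choices, not values from the thread.

```shell
#!/bin/bash
# Added example (not from the thread): build an OSSEC CDB list from the two
# reputation feeds and generate the rule that uses it.
# All feed data and log lines below are constructed samples.
set -u

# Constructed sample in the ZeuS feed's shape: one IP per line, '#' comments.
zeus_sample() {
  cat <<'EOF'
# ZeuS IP blocklist (constructed sample)
192.0.2.10
192.0.2.11
not-an-ip
EOF
}

# Constructed sample in the shape the thread's script assumes for
# reputation.generic: "IP # Category,<more comma-separated fields>".
alienvault_sample() {
  cat <<'EOF'
# AlienVault reputation data (constructed sample)
198.51.100.5 # Malicious Host,CN,Beijing,39.9,116.4,,,
198.51.100.6 # Scanning Host,US,Dallas,32.7,-96.8,,,
192.0.2.10 # Malware Domain,RU,Moscow,55.7,37.6,,,
203.0.113.9 # Spamming,BR,Sao Paulo,-23.5,-46.6,,,
EOF
}

# ZeuS feed on stdin -> "ip:label" lines. Comments and anything that is not a
# dotted quad are dropped so junk never becomes a CDB key.
zeus_to_cdb() {
  awk '/^#/ || NF == 0 { next }
       $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 ":ZeuS IP blocklist" }'
}

# AlienVault feed on stdin -> "ip:alienvault <category>" lines; the category is
# the first comma-separated field after " # ", as in the thread's script.
alienvault_to_cdb() {
  awk -F' # ' '/^#/ || NF < 2 { next }
       $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { split($2, f, ","); print $1 ":alienvault " f[1] }'
}

# Merge both feeds. A CDB lookup returns one value per key, so an IP seen in
# several feeds gets a single line with the labels joined by ';'.
build_cdb_list() {
  { zeus_sample | zeus_to_cdb; alienvault_sample | alienvault_to_cdb; } |
  awk '{ i = index($0, ":"); ip = substr($0, 1, i - 1); val = substr($0, i + 1)
         if (ip in v) { v[ip] = v[ip] ";" val } else { v[ip] = val; order[++n] = ip } }
       END { for (k = 1; k <= n; k++) print order[k] ":" v[order[k]] }'
}

# Exact-key lookup on the plain-text list on stdin, the same semantics as
# OSSEC's default lookup="match_key" on the compiled .cdb.
# Prints the value and exits 0 when found, exits 1 otherwise.
cdb_lookup() {
  local key=$1
  awk -v key="$key" '{ i = index($0, ":")
                       if (substr($0, 1, i - 1) == key) { print substr($0, i + 1); found = 1; exit } }
                     END { exit found ? 0 : 1 }'
}

# The source IP is the first token of an Apache combined-format log line.
srcip_of() { printf '%s\n' "$1" | awk '{ print $1 }'; }

# Local rule for local_rules.xml: fires on any alert from the "web" group
# whose srcip is a key in the list. Rule id and level are this example's choices.
emit_ossec_rule() {
  local list_path=$1 rule_id=${2:-100100} level=${3:-10}
  cat <<EOF
<group name="local,web,">
  <rule id="$rule_id" level="$level">
    <if_group>web</if_group>
    <list field="srcip" lookup="match_key">$list_path</list>
    <description>Web request from an IP on the reputation CDB list.</description>
  </rule>
</group>
EOF
}

case "${1:-}" in
  list) build_cdb_list ;;                      # ./feeds.sh list > /var/ossec/lists/ip_blacklist
  rule) emit_ossec_rule lists/ip_blacklist ;;  # ./feeds.sh rule >> /var/ossec/rules/local_rules.xml
esac
```

Write the `list` output to `/var/ossec/lists/ip_blacklist`, register it in ossec.conf inside `<rules>` as `<list>lists/ip_blacklist</list>`, run `/var/ossec/bin/ossec-makelists` to build the `.cdb`, append the `rule` output to `local_rules.xml` and restart OSSEC. `match_key` is an exact match on the key, so network ranges in a feed would need `address_match_key` with an address or CIDR key instead. The rule only raises the level on purpose: reputation feeds include NAT gateways and shared hosts, and a stale entry stays listed until the list is rebuilt, so an active response keyed on this rule can block legitimate clients.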

On Sat, Jul 25, 2015 at 11:06 AM, theresa mic-snare <[email protected]>
wrote:

> Great, thanks for the bash script, Ryan.
> But what else to do after downloading the IP blocklist? How could I feed
> ossec with it?
> Maybe through an active response?
>
> On Saturday, 25 July 2015 04:56:07 UTC+2, Ryan Schulze wrote:
>>
>> I played around with IP reputation and CDB a while back, but never
>> pushed it to my live servers. I found the following bash snippet on my test
>> server; it may be of use for someone (although the alienvault list is
>> pretty long and contains different levels of "evil", so it may be worth
>> parsing and splitting it up).
>>
>> #!/bin/bash
>> # Fetch two IP reputation feeds and write them as "ip:description" lines,
>> # the plain-text form an OSSEC CDB list is built from.
>> {
>>   # ZeuS tracker: one IP per line, comment lines start with '#'
>>   curl -s "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |
>>   egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'
>>
>>   # AlienVault: lines of the form "IP # text,..."; keep the IP and the
>>   # text up to the first comma, joined with ':'
>>   curl -s "https://reputation.alienvault.com/reputation.generic" |
>>   egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'
>>
>> } > ip_blacklist
>>
>>
>> On 7/24/2015 7:46 PM, Santiago Bassett wrote:
>>
>> Hi Theresa,
>>
>> My guess is that you are probably a victim of web crawlers more than
>> anything else. In any case, it would be interesting to look those source
>> IPs up in IP reputation databases to see if those are well-known
>> attackers.
>>
>> Has anyone on this list used an IP reputation database in a CDB list? I
>> would probably try something like that and see how it goes.
>>
>>  Best
>>
>>
>>
>> On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare <[email protected]>
>> wrote:
>>
>>> hi folks,
>>>
>>> I need some help with interpreting webserver logfiles (Apache logs).
>>> While setting up my OSSEC test environment for my thesis project, I've
>>> also set up a WordPress on an Apache webserver as a "honeypot". Although
>>> there's no real content, except the standard WordPress posts & pages that
>>> come with the installation, I already have some "visitors". I see these
>>> dubious-looking requests. I'm not sure if these are threats/attacks against
>>> my WordPress installation.
>>> I'm not really familiar with Apache logs, but I need some
>>> threats/attacks to explain in my thesis. I thought this would be the best
>>> way to get started.
>>>
>>> I have PLENTY of the following requests in my httpd logs
>>>
>>> Src IP: 115.239.228.8
>>> 115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET
>>> http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972
>>> HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT
>>> 6.1; Trident/5.0; 360SE)"
>>>
>>>
>>> Judging by the HTTP status code it's not really a threat, right? It's
>>> probably just some hacker with a tool who's looking for vulnerabilities? Or
>>> is this just nonsense/junk?
>>>
>>> Received From: tron->/var/log/httpd/access_log
>>> Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for
>>> setup.php)."
>>> Portion of the log(s):
>>>
>>> 178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET
>>> /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"
>>>
>>> Also this:
>>> Received From: tron->/var/log/httpd/access_log
>>> Rule: 31101 fired (level 5) -> "Web server 400 error code."
>>> Portion of the log(s):
>>>
>>> 202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD
>>> /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"
>>>
>>> I'm surprised they found out about it... glad I protected it with
>>> htaccess and they didn't come in. ;)
>>>
>>> and lots of other requests that return HTTP 403 (Forbidden) or 404 (Not
>>> Found).
>>>
>>> I'm not quite sure what to make of it.
>>> I didn't realise my server was so exposed... did they just find the IP
>>> by scanning for HTTP ports?!
>>>
>>> Looking forward to some feedback,
>>> theresa
>>>  --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>