In a nutshell: in order to use the list you would have to tell OSSEC to use the list, then create one or more rules that use that list, then tell OSSEC which active response to use when one of those rules gets triggered.

The following example uses the list to firewall IPs on the blacklist if they trigger too many 404 errors on a webserver:

Tell ossec to use ip_blacklist by adding the list to the <rules> block (where all the includes for the xml rule files are):
/var/ossec/etc/ossec.conf
  <ossec_config>
    <rules>
      <list>lists/ip_blacklist</list>
    </rules>
  </ossec_config>

Then copy the file to /var/ossec/lists/ip_blacklist and execute /var/ossec/bin/ossec-makelists (this generates a .cdb version of the list). Then create a rule in local_rules.xml that uses the list; http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html has more details on how to use CDBs in rules.
/var/ossec/rules/local_rules.xml
  <rule id="100611" level="7">
    <if_sid>31151</if_sid>
    <list field="srcip" lookup="address_match_key">lists/ip_blacklist</list>
    <description>Multiple web server 400 error codes from a malicious IP</description>
    <group>ar_malicious_ip,</group>
  </rule>

Now we will tell OSSEC what to do when the rule triggers. I like to use groups to trigger active responses instead of alert levels, to have more control over what happens when (that is why we added the "ar_malicious_ip" group to the rule in the previous step; it also allows us to easily create multiple rules that trigger a specific active response). http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html has more information on options for active response. If I remember correctly the "firewall-drop" command is in the default config and you won't have to add it.
/var/ossec/etc/ossec.conf
  <ossec_config>
    <command>
      <name>firewall-drop</name>
      <executable>firewall-drop.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_group>ar_malicious_ip</rules_group>
      <timeout>600</timeout>
      <repeated_offenders>30,60,120</repeated_offenders>
    </active-response>
  </ossec_config>

That's all. OSSEC loads the lists, the rules use the list, and if one of the rules using a list gets triggered it kicks off an active response that executes a command.
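
The chain described above (list file, a frequency rule on 4xx responses, then a list lookup on srcip that hands the source to the active response), modelled in Python as an added illustration. This is not OSSEC code and not Ryan's script: it assumes the list file uses the same "ip:description" lines the bash snippet further down produces, replaces OSSEC's address_match_key lookup (which also understands CIDR keys) with a plain dictionary lookup, and uses assumed frequency/timeframe thresholds rather than rule 31151's own values. The log lines and the blacklist are constructed for the demo.

```python
"""Added example: model OSSEC's list + frequency-rule + active-response chain.

Not OSSEC code. Thresholds, log lines and the blacklist are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed blacklist in the "key:value" format that ossec-makelists compiles
# into a CDB (same shape as the curl/awk snippet's output). Comment handling is
# this parser's own convention, not a claim about ossec-makelists.
BLACKLIST_TEXT = """\
# constructed sample entries
115.239.228.8:ZeuS IP blocklist
178.33.154.144:Malicious Host
"""

# Apache combined-format prefix: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_blacklist(text):
    """Turn 'key:value' lines into {ip: description}; blank/comment lines skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: no key/value separator
        entries[key.strip()] = value.strip()
    return entries


def parse_log_line(line):
    """Extract srcip, timestamp, status and request from one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"srcip": m["srcip"], "ts": ts, "status": int(m["status"]), "request": m["req"]}


def find_offenders(lines, blacklist, frequency=5, timeframe=60):
    """Model the rule chain: a base frequency rule over 4xx responses per source
    IP (in the spirit of 31151) feeding a child rule that matches srcip against
    the list. Returns {srcip: description} for sources that would trigger the
    child rule and therefore the active response. frequency/timeframe are
    assumed values, not OSSEC's own."""
    window = defaultdict(deque)  # srcip -> timestamps of recent 4xx hits
    offenders = {}
    for line in lines:
        ev = parse_log_line(line)
        if ev is None or not (400 <= ev["status"] < 500):
            continue  # only 4xx responses feed the base rule
        q = window[ev["srcip"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=timeframe)
        while q and q[0] < cutoff:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) >= frequency and ev["srcip"] in blacklist:
            offenders[ev["srcip"]] = blacklist[ev["srcip"]]
    return offenders


def make_lines(srcip, start, count, step, status, path="/wp-login.php"):
    """Build constructed Apache combined-format lines for the demo."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{srcip} - - [{ts}] "GET {path} HTTP/1.1" {status} 292 "-" "Mozilla/5.0"')
    return out


START = datetime(2015, 7, 24, 19, 22, 42, tzinfo=timezone(timedelta(hours=2)))
SAMPLE_LOG = (
    make_lines("115.239.228.8", START, 6, 2, 404)        # listed, bursting 404s: triggers
    + make_lines("178.33.154.144", START, 6, 120, 403)   # listed, but too slow for the window
    + make_lines("202.137.235.243", START, 6, 2, 404)    # bursting, but not on the list
    + make_lines("115.239.228.8", START, 3, 1, 200, "/")  # 2xx responses are never counted
)

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, parse_blacklist(BLACKLIST_TEXT))
    for ip, why in hits.items():
        print(f"would trigger ar_malicious_ip -> firewall-drop: {ip} ({why})")
```

Running it shows only the listed source that bursts 4xx responses inside the window being handed to the active response. A listed IP that stays below the rate, or a bursting IP that is not on the list, is left to the base rule alone, which is the same separation the rules_group/active-response pairing above gives you: the list decides who gets blocked, the frequency rule decides when.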

On 7/25/2015 1:06 PM, theresa mic-snare wrote:
Great, thanks for the bash script, Ryan.
But what else should I do after downloading the IP blocklist? How could I feed it to ossec?
Maybe through an active response?

On Saturday, 25 July 2015 04:56:07 UTC+2, Ryan Schulze wrote:

    I played around with IP reputation and CDB a while back, but never
    pushed it to my live servers. I found the following bash snippet
    on my test server; it may be of use for someone (although the
    alienvault list is pretty long and contains different levels of
    "evil", so it may be worth parsing and splitting up).

    #!/bin/bash
    {
      # ZeuS tracker: keep lines starting with a digit, emit "ip:description"
      curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
      egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'

      # AlienVault: first comma field is the IP, " # " separates the description
      curl "https://reputation.alienvault.com/reputation.generic" |\
      egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'

    } > ip_blacklist


    On 7/24/2015 7:46 PM, Santiago Bassett wrote:
    Hi Theresa,

    my guess is that you are probably a victim of web crawlers more
    than anything else. In any case it would be interesting to search
    those source IPs in IP reputation databases to see if those
    are well known attackers.

    Has anyone in this list used an IP reputation database in a CDB
    list? I would probably try something like that and see how it goes.

    Best



    On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare
    <[email protected]> wrote:

        hi folks,

        i need some help with interpreting webserver logfiles (apache
        logs).
        while setting up my ossec-test environment for my thesis
        project, I've also set up a wordpress on an apache webserver
        as a "honeypot". although there's no real content, except the
        standard wordpress posts & pages that come with the
        installation, I already have some "visitors". I see these
        dubious looking requests. I'm not sure if these are
        threats/attacks against my wordpress installation.
        I'm not really familiar with apache logs, but I need some
        threats/attacks to explain in my thesis. I thought this would
        be the best way to get started.

        I have PLENTY of the following requests in my httpd logs

        Src IP: 115.239.228.8
        115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"

        Judging by the HTTP status code it's not really a threat,
        right? it's probably just some hacker with a tool who's
        looking for vulnerabilities? or is this just nonsense/junk?

        Received From: tron->/var/log/httpd/access_log
        Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for setup.php)."
        Portion of the log(s):

        178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"

        also this
        Received From: tron->/var/log/httpd/access_log
        Rule: 31101 fired (level 5) -> "Web server 400 error code."
        Portion of the log(s):

        202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"

        i'm surprised they found out about it.....glad i protected it
        with htaccess and they didn't come in. ;)

        and lots of other requests that return HTTP 403 (forbidden)
        or 404 (not found)

        i'm not quite sure what to make of it.
        i didn't realise my server was so exposed....did they just
        find the IP by scanning for http ports?!

        looking forward to some feedback,
        theresa
--
        ---
        You received this message because you are subscribed to the
        Google Groups "ossec-list" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to [email protected]
        <javascript:>.
        For more options, visit https://groups.google.com/d/optout.

