Hi Brian,
When running it through ossec-logtest, this is what I get:
**Phase 1: Completed pre-decoding.
full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223]
[client 46.4.84.147] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
hostname: 'vpc-ossec-manager'
program_name: '(null)'
log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30411'
Level: '7'
Description: 'ModSecurity rejected a query'
**Alert to be generated.
This means it is matching this decoder: "apache-errorlog", but not
"apache24-errorlog-ip".
If I am right, just by having a look at the regexes, the problem might be
that the decoders are not expecting the *[pid 3223]* part, and also that they
are expecting a source port. A log message like this would work (notice that
I removed the pid section and included a source port):
[Tue Feb 16 04:02:21.018764 2016] [:error] [client 46.4.84.147*:1024*]
ModSecurity: Access denied with code 403 (phase 2). String match
"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]
**Phase 1: Completed pre-decoding.
full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [client
46.4.84.147:1024] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
hostname: 'vpc-ossec-manager'
program_name: '(null)'
log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [client
46.4.84.147:1024] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
*srcip: '46.4.84.147'*
id: 'ModSecurity'
**Phase 3: Completed filtering (rules).
Rule id: '30411'
Level: '7'
Description: 'ModSecurity rejected a query'
**Alert to be generated.
I hope it helps.
On Tue, Feb 16, 2016 at 4:24 PM, webwzrd <[email protected]> wrote:
> I'm having an issue extracting the IP out of a successfully triggered
> ModSecurity rule.
>
> Details:
> I'm using OSSEC HIDS 2.8.3 on CentOS 7 with Apache 2.4. I have borrowed
> the Apache 2.4 rules and decoder (Apache section) from OSSEC 2.9b, which
> are:
>
> +++++++++++++++++++++++++++++++++++++++++++
> <!-- Apache 2.4 ModSecurity Rules -->
> <rule id="30401" level="0">
> <if_sid>30301</if_sid>
> <match>ModSecurity: Warning</match>
> <description>ModSecurity Warning messages grouped</description>
> </rule>
>
> <rule id="30402" level="0">
> <if_sid>30301</if_sid>
> <match>ModSecurity: Access denied</match>
> <description>ModSecurity Access denied messages grouped</description>
> </rule>
>
> <rule id="30403" level="0">
> <if_sid>30301</if_sid>
> <match>ModSecurity: Audit log:</match>
> <description>ModSecurity Audit log messages grouped</description>
> </rule>
>
> <rule id="30411" level="7">
> <if_sid>30402</if_sid>
> <match>with code 403</match>
> <description>ModSecurity rejected a query</description>
> </rule>
> +++++++++++++++++++++++++++++++++++++++++++
>
> <decoder name="apache-errorlog">
> <program_name>^httpd</program_name>
> </decoder>
>
> <decoder name="apache-errorlog">
> <prematch>^[warn] |^[notice] |^[error] </prematch>
> </decoder>
>
> <decoder name="apache-errorlog">
> <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+
> \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+]
> [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
> </decoder>
>
> <decoder name="apache24-errorlog-ip">
> <parent>apache-errorlog</parent>
>
> <prematch offset="after_parent">[client</prematch>
> <regex offset="after_prematch">^ (\S+):\d+] (\S+): </regex>
> <order>srcip,id</order>
> </decoder>
>
> <decoder name="apache24-modsec-errorlog-ip">
> <parent>apache-errorlog</parent>
>
> <prematch offset="after_parent">[client</prematch>
> <regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
> <order>srcip</order>
> </decoder>
>
> <decoder name="apache-errorlog-ip">
> <parent>apache-errorlog</parent>
>
> <prematch offset="after_parent">^[client</prematch>
> <regex offset="after_prematch">^ (\S+)] </regex>
> <order>srcip</order>
> </decoder>
> +++++++++++++++++++++++++++++++++++++++++++
>
> The error_log shows as:
>
> [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147]
> ModSecurity: Access denied with code 403 (phase 2). String match
> "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
> "/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
> "222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
> code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
> (CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
> "VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]
>
>
> And Rule 30411 triggers successfully as follows (this alert does not
> correspond to the log line above; it is just an example):
>
>
> ** Alert 1455667932.9725404: mail - apache,
> 2016 Feb 16 18:12:12 (server.mine.org) 1.1.1.1->/home/xyz/logs/error_log
> Rule: 30411 (level 7) -> 'ModSecurity rejected a query'
> [Tue Feb 16 18:12:12.419586 2016] [:error] [pid 22253] [client 178.137.167.9]
> ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at
> IP:multiple_username_count. [file
> "/etc/httpd/modsecurity.d/cwaf_rules/09_Bruteforce_Bruteforce.conf"] [line
> "79"] [id "230021"] [rev "3"] [msg "COMODO WAF: Multiple Username Violation:
> Too Many Usernames Submitted for Authentication."] [data "Current Username:
> xyz"] [hostname "www.xyz.com"] [uri "/administrator/index.php"] [unique_id
> "VsO63OFvCgWfU4iCpLmGvQAAABg"]
>
>
> As you can see, the srcip doesn't get listed as it should below Rule:
> 20411, and the same happens when doing an ossec-logtest.
>
> I've done a ton of searching and can not find anything on this issue. I
> tried experimenting with the regex to no avail.
>
> Can anyone suggest a correction to:
>
> <decoder name="apache24-modsec-errorlog-ip">
> <parent>apache-errorlog</parent>
>
> <prematch offset="after_parent">[client</prematch>
> <regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
> <order>srcip</order>
> </decoder>
>
> Or offer another solution?
>
> Thanks,
> Brian
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
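The following script is an added example and is not code from the thread or from OSSEC itself. It models the decoder chain Brian posted so the two ossec-logtest runs above can be reproduced offline, then tries a rearranged set of child decoders against the same lines. Three things are assumptions: Python's `re` is used as a stand-in for OSSEC's own matcher (OSSEC's dialect is translated character by character, so only the constructs the posted decoders use are exercised); child selection is modelled as "the first child whose prematch hits is taken, and a regex miss in that child does not fall through to its siblings", which is what the two logtest outputs show (the `id: 'ModSecurity'` in the second run can only come from `apache24-errorlog-ip`'s `<order>srcip,id</order>`); and the `PROPOSED` decoders are a suggestion checked only against this model, not in a running OSSEC. The `PLAIN_LINE` sample is constructed; the other three lines are the ones quoted in the thread.

```python
"""Model of the OSSEC apache-errorlog decoder chain from this thread
(added example, not OSSEC code): Python's re stands in for OSSEC's matcher."""
import re

# OSSEC's regex dialect (per the OSSEC docs) is not PCRE: only the escapes below
# are classes, `\.` means "any character" while a bare `.` is a literal dot,
# `[` and `]` are literal, and the only quantifiers are `+` and `*`.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]", "D": r"[^0-9]",
    "s": r" ", "S": r"[^ ]", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    ".": r".",
}


def ossec_to_python(pattern):
    """Translate an OSSEC decoder pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            # ^ $ | + * ( ) keep their meaning; everything else is literal.
            out.append(c if c in "^$|+*()" else re.escape(c))
            i += 1
    return "".join(out)


# The third "apache-errorlog" prematch from the post (Apache 2.4 timestamp form).
PARENT_PREMATCH = (
    r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |"
    r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |"
    r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |"
    r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] "
)

# Children: (name, prematch, regex, regex_offset, order); every prematch uses
# offset="after_parent", as in the thread.
POSTED = [
    ("apache24-errorlog-ip", r"[client", r"^ (\S+):\d+] (\S+): ", "after_prematch", ["srcip", "id"]),
    ("apache24-modsec-errorlog-ip", r"[client", r"^ (\S+)] ModSecurity: ", "after_prematch", ["srcip"]),
    ("apache-errorlog-ip", r"^[client", r"^ (\S+)] ", "after_prematch", ["srcip"]),
]
# Suggested rearrangement (assumption, checked only against this model): each
# prematch is specific enough to pick the right sibling, so "[client" alone never
# commits the event to the port-requiring regex.  Nothing anchors on "[pid".
PROPOSED = [
    ("apache24-errorlog-ip", r"[client \S+:\d+] ", r"[client (\S+):\d+] (\S+): ", "after_parent", ["srcip", "id"]),
    ("apache24-modsec-errorlog-ip", r"[client \S+] ModSecurity: ", r"[client (\S+)] (\S+): ", "after_parent", ["srcip", "id"]),
    ("apache-errorlog-ip", r"^[client", r"^ (\S+)] ", "after_prematch", ["srcip"]),
]

MODSEC_TAIL = ('ModSecurity: Access denied with code 403 (phase 2). String match '
               '"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file '
               '"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] '
               '[id "222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary '
               'code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 '
               '(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id '
               '"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]')
PID_LINE = "[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] " + MODSEC_TAIL
PORT_LINE = "[Tue Feb 16 04:02:21.018764 2016] [:error] [client 46.4.84.147:1024] " + MODSEC_TAIL
BRUTE_LINE = ('[Tue Feb 16 18:12:12.419586 2016] [:error] [pid 22253] [client 178.137.167.9] '
              'ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at '
              'IP:multiple_username_count. [file "/etc/httpd/modsecurity.d/cwaf_rules/'
              '09_Bruteforce_Bruteforce.conf"] [line "79"] [id "230021"] [rev "3"] '
              '[msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted '
              'for Authentication."] [data "Current Username: xyz"] [hostname "www.xyz.com"] '
              '[uri "/administrator/index.php"] [unique_id "VsO63OFvCgWfU4iCpLmGvQAAABg"]')
# Constructed, not from the thread: a non-ModSecurity Apache 2.4 error with pid and port.
PLAIN_LINE = ('[Tue Feb 16 04:02:21.000000 2016] [authz_core:error] [pid 3223] '
              '[client 10.0.0.5:51234] AH01630: client denied by server configuration: '
              '/var/www/html/.git')
SAMPLES = {"pid": PID_LINE, "port": PORT_LINE, "brute": BRUTE_LINE, "plain": PLAIN_LINE}


def decode(log, children):
    """Return (selected child name, extracted fields) for one log line."""
    pm = re.search(ossec_to_python(PARENT_PREMATCH), log)
    if not pm:
        return None, {}
    after_parent = log[pm.end():]
    for name, prematch, regex, regex_offset, order in children:
        cm = re.search(ossec_to_python(prematch), after_parent)
        if not cm:
            continue
        # Assumed selection rule (matches both logtest runs in the thread): first
        # prematch hit wins, and a regex miss here does not try the siblings.
        text = after_parent[cm.end():] if regex_offset == "after_prematch" else after_parent
        rm = re.search(ossec_to_python(regex), text)
        return name, (dict(zip(order, rm.groups())) if rm else {})
    return "apache-errorlog", {}


def srcip_per_line(children):
    """srcip each sample line yields under one child-decoder ordering."""
    return {label: decode(line, children)[1].get("srcip") for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED), ("proposed", PROPOSED)):
        print(label, srcip_per_line(chain))
```

Each tuple maps onto a `<decoder>` with `<parent>apache-errorlog</parent>`, a `<prematch offset="after_parent">`, a `<regex offset="...">` with the offset given in the tuple, and a comma-separated `<order>`. With the posted chain the model yields no srcip for the two `[pid N] [client IP]` lines and extracts it only for the port form, as in the thread; with the rearranged chain all four lines yield srcip, and the constructed non-ModSecurity line still gets `id` as before. Because none of the rearranged prematches anchor on `[pid`, the `[pid N:tid M]` prefix that threaded MPMs write is not a problem either. Confirm any change with ossec-logtest before deploying, and look at the `srcip:` line of its output rather than the `decoder:` line, which prints the parent's name (`apache-errorlog`) even when a child did the extraction, as the second run above shows.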