On Wed, May 18, 2016 at 2:33 PM, Patrick Müller
<[email protected]> wrote:
> Hi guys.
>
>
> My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via
> ports.
>
>
> I have this custom configuration for an active response which blocks web
> attacks.
>
>
>   <active-response>
>     <command>ipfw-www</command>
>     <location>local</location>
>     <timeout>43200</timeout>
>     <rules_id>30202,31151</rules_id>
>   </active-response>
>
>
> This is my test with logtest
>
>
> **Phase 1: Completed pre-decoding.
>
>        full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173]
> [client ip:54252] [client ip] ModSecurity: Access denied with code 403
> (phase 2). Match of "rx
> (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)"
> against "REQUEST_URI" required. [file
> "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
> [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt
> to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"]
> [hostname "site-name"] [uri "/home/home.php"] [unique_id
> "VzxzJZKkXAIAAASV6VUAAAAH"]'
>
>        hostname: 'host'
>
>        program_name: '(null)'
>
>        log: the same of full event
>
>
> **Phase 2: Completed decoding.
>
>        decoder: 'apache-errorlog'
>

There is no IP address for your script to block (assuming it needs one).

>
> **Phase 3: Completed filtering (rules).
>
>        Rule id: '30202'
>
>        Level: '10'
>
>        Description: 'Multiple attempts blocked by Mod Security.'
>
> **Alert to be generated.
>
>
> My problem is not in the file that executes the action to block, because rule
> 31151 works.
>
>
> My alert in active-response:
> /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
> 1463590617.6659091 31151
>
>
> Debug mode of logtest
>
>
> 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
>
> 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
>
>
>
> If logtest can correctly decode my event log and knows the rule, and the
> active response works for other rules, where is my error? Why doesn't the rule
> to block this action work?
>
>
> Any idea is welcome. Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

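A simplified stand-in for the decode-then-decide step the reply points at (added example, not OSSEC's own decoder or active-response code): it pulls the source address out of a ModSecurity error-log line and refuses to build a block command when none was decoded. The sample lines are constructed, one with the client address redacted as in the post and one with a documentation address; the rule ids come from the poster's <rules_id>.

```python
import re
from typing import Optional, Tuple

# Constructed sample lines (not from the original post).
REDACTED = ('[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
            '[client ip:54252] [client ip] ModSecurity: Access denied '
            'with code 403 (phase 2).')
REAL = ('[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
        '[client 203.0.113.7:54252] ModSecurity: Access denied '
        'with code 403 (phase 2).')

# Apache 2.4 writes "[client ADDR:PORT]"; older versions wrote "[client ADDR]".
CLIENT_FIELD = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')


def extract_srcip(line: str) -> Optional[str]:
    """Return the client IPv4 address, or None when the field holds anything
    else (for example the literal 'ip' the poster substituted)."""
    m = CLIENT_FIELD.search(line)
    if not m:
        return None
    ip = m.group(1)
    if any(int(octet) > 255 for octet in ip.split('.')):
        return None
    return ip


def active_response_decision(rule_id: int, srcip: Optional[str],
                             rules_id: Tuple[int, ...] = (30202, 31151)) -> str:
    """Mirror the two preconditions for an 'ipfw-www add - <ip>' call:
    the rule must be listed in <rules_id> and an srcip must have been decoded."""
    if rule_id not in rules_id:
        return 'skip: rule not listed in <rules_id>'
    if srcip is None:
        return 'skip: no srcip decoded, nothing to block'
    return f'ipfw-www.sh add - {srcip}'


if __name__ == '__main__':
    for line in (REDACTED, REAL):
        print(active_response_decision(30202, extract_srcip(line)))
```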