On Tue, Jan 31, 2017 at 11:15 AM, SternData
<[email protected]> wrote:
> I'm getting hammered by probes for non-existent PHP files.
>
> Received From: sugaree->/var/log/httpd/xxx.com_error_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> [Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client
> 46.28.110.136:51282] AH01071: Got error 'Primary script unknown\n'
>
> What's the best way to make a rule to throw an active deny response for
> these after two attempts within 1 minute?
>
Running this through ossec-logtest gives me the following information:
**Phase 1: Completed pre-decoding.
       full event: '[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client 46.28.110.136:51282] AH01071: Got error 'Primary script unknown\n''
       hostname: 'ossec-test'
       program_name: '(null)'
       log: '[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client 46.28.110.136:51282] AH01071: Got error 'Primary script unknown\n''

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '46.28.110.136'
       srcport: '51282'
       id: 'AH01071'

**Phase 3: Completed filtering (rules).
       Rule id: '30301'
       Level: '0'
       Description: 'Apache error messages grouped.'
So creating a rule should be fairly straightforward.
Something like this (mostly untested):
<group name="local,apache,">
  <!-- Match the single AH01071 "Primary script unknown" event that the
       apache-errorlog decoder produces; level 0 so it only feeds the rule below. -->
  <rule id="400017" level="0">
    <if_sid>30301</if_sid>
    <match>Primary script unknown</match>
    <description>Primary script unknown</description>
  </rule>

  <!-- Fire when the same source IP repeats the event within 60 seconds.
       frequency="0" is kept as posted; the OSSEC rules-syntax docs say the
       event count that actually triggers a frequency rule is 2 more than the
       value, so confirm the trigger count with ossec-logtest before relying on it. -->
  <rule id="400018" level="10" frequency="0" timeframe="60">
    <if_matched_sid>400017</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to Primary script unknown</description>
  </rule>
</group>
Then set up the active response to block based on sid 400018.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
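The ossec.conf half of that setup, added here as an illustration rather than taken from the thread: the stock firewall-drop command (it ships in the default ossec.conf and /var/ossec/active-response/bin) bound to rule 400018. The 600-second timeout and the whitelisted address 192.0.2.10 are assumed values, not anything the poster specified.

```xml
<ossec_config>
  <!-- Command definition as shipped with OSSEC: firewall-drop.sh receives the
       decoded srcip and inserts a DROP rule for it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the correlation rule. location=local runs it on the
       agent that produced the log (the web server itself), so the block lands
       where the probes arrive. timeout is in seconds and is an assumed value;
       without it the drop is permanent. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>400018</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Assumed example address: exempt your own scanner or monitoring host so a
       vulnerability scan you run yourself cannot lock you out. -->
  <global>
    <white_list>192.0.2.10</white_list>
  </global>
</ossec_config>
```

After `ossec-control restart`, the add/delete entries appear in /var/ossec/logs/active-responses.log. Because the rule keys on srcip, two probes from behind one NAT block everyone behind that NAT for the timeout period, which is why the timeout and white_list are worth keeping rather than making the drop permanent.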