Hi,

The rule fired because it matched the "rm%20" from the URL:

GET /uniform%20price%20list.doc

From the rule:

<url>cat%|exec%|rm%20</url>

You should probably change it for your environment (as a local rule),
since it is clearly a false positive.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
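
To make the false positive concrete, here is a small Python script (added here as an illustration; it is not OSSEC code and not part of the original thread). It re-implements, as a stated assumption, the simplified semantics of an OSSEC <url> pattern: plain substring matching, with "|" separating alternatives and optional "^" / "$" anchors. The four <url> lines are copied from rule 31104 as quoted below; the access-log lines are constructed for the example and use a documentation IP, and the helper names (first_hit, url_from_access_log, looks_like_word_fragment, triage) are my own.

```python
import re

# <url> patterns of OSSEC rule 31104 as quoted in the thread.
RULE_31104_URL_PATTERNS = [
    "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|..",
    "cmd.exe|root.exe|_mem_bin|msadc|/winnt/|",
    "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|",
    "cat%|exec%|rm%20",
]

# Constructed sample access-log lines (not the thread's real traffic).
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [08/Oct/2007:12:50:00 +1000] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 970 "-" "-"',
]

REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)"')


def url_from_access_log(line):
    """Extract the request path from a Common Log Format line (None if absent)."""
    m = REQUEST_RE.search(line)
    return m.group("url") if m else None


def _alternatives(pattern):
    # '|' separates alternatives; a trailing '|' leaves an empty one we ignore.
    return [alt for alt in pattern.split("|") if alt]


def match_alternative(alt, url):
    """Assumed OSSEC-style match: substring unless anchored with ^ or $."""
    if len(alt) > 1 and alt.startswith("^") and alt.endswith("$"):
        return url == alt[1:-1]
    if alt.startswith("^"):
        return url.startswith(alt[1:])
    if alt.endswith("$"):
        return url.endswith(alt[:-1])
    return alt in url


def first_hit(url, patterns=RULE_31104_URL_PATTERNS):
    """Return the first alternative that matches the URL, or None."""
    for pattern in patterns:
        for alt in _alternatives(pattern):
            if match_alternative(alt, url):
                return alt
    return None


def looks_like_word_fragment(url, alt):
    """Triage hint: True when the matched text is preceded by a letter,
    i.e. it sits inside a longer word ('rm%20' inside 'uniform%20')."""
    i = url.find(alt)
    return i > 0 and url[i - 1].isalpha()


def triage(lines):
    """For each log line return (url, matched alternative, likely-FP flag)."""
    results = []
    for line in lines:
        url = url_from_access_log(line)
        hit = first_hit(url) if url else None
        suspect_fp = bool(hit) and looks_like_word_fragment(url, hit)
        results.append((url, hit, suspect_fp))
    return results


if __name__ == "__main__":
    for url, hit, suspect_fp in triage(SAMPLE_LOG_LINES):
        state = "no match" if hit is None else f"matched {hit!r}"
        flag = "  <- inside a word, probable false positive" if suspect_fp else ""
        print(f"{url}: {state}{flag}")
```

Running it shows "/uniform%20price%20list.doc" matching the "rm%20" alternative only because the substring sits inside "uniform%20", while "/c/winnt/system32/cmd.exe" matches "cmd.exe" as intended. The word-fragment check is a triage heuristic for reviewing alerts before they feed an active response; it is not OSSEC rule syntax.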


On 10/8/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi There,
>
> Just fine tuning OSSEC and need a bit of help understanding why a
> particular rule was fired to trigger Active Response.
>
> Turns out that we like Peter's idea of just firing Active Response
> based on the rules we set.
> At least this way we know which rules are being matched to trigger Active
> Response.
>
> ----------
> Step 1.
> ----------
>
> I have done it like this in the ossec.conf file to match the rules I
> want to enable Active Response on.
>
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every matching rule.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
>     <timeout>600</timeout>
>   </active-response>
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>local</location>
>     <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
>     <timeout>600</timeout>
>   </active-response>
>
> ----------
> Step 2.
> ----------
>
> "tail -f active-responses.log" to make sure it was just matching the
> rules we specified (which it was).
>
> Mon Oct  8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/host-deny.sh add - 58.168.238.226 1191811630.2518074 31104
> Mon Oct  8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 58.168.238.226 1191811630.2518074 31104
>
> I see IP address 58.168.238.226 has matched one of the rules (31104)
> and is now being blocked.
>
> ----------
> Step 3.
> ----------
>
> I then check alerts.log to see why rule 31104 was triggered and I
> can't work out why ???
> It doesn't seem to match any of the <url> tag and this is where I'm a
> bit lost.
>
> --------------------
> web_rules.xml
> --------------------
>
>   <rule id="31104" level="6">
>     <if_sid>31100</if_sid>
>
>     <!-- Attempt to do directory transversal, simple sql injections,
>       -  or access to the etc or bin directory (unix). -->
>     <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
>     <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
>     <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
>     <url>cat%|exec%|rm%20</url>
>     <description>Common web attack.</description>
>     <info>http://www.armbrustconsulting.com/LogEntries.html</info>
>     <group>attack,</group>
>   </rule>
>
> --------------
> alerts.log
> --------------
>
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> ** Alert 1191811530.2512070: - web,accesslog,
> 2007 Oct 08 12:45:30 plesk2->/etc/httpd/logs/access_log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> ** Alert 1191811630.2518074: mail  - web,accesslog,attack,
> 2007 Oct 08 12:47:10 plesk2->/etc/httpd/logs/access_log
> Rule: 31104 (level 6) -> 'Common web attack.'
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> --------------------
>
> Can someone please explain to me why rule 31104 was triggered???
>
> --------------------
>
> Thank you in advance.
>
>
>
