Hi Friends,

I have installed OSSEC 2.5.1 on a CentOS 5.x machine and an agent (2.5.1) on Windows XP where IIS is running. From another test machine (Linux) I tried to wget some false files from the IIS server, which resulted in 404 errors on the IIS server. I do get email alerts showing that there are 400 error codes, but the offending IP address is not getting blocked, as I am able to download the correct files from the IIS server at the same time.

Do let me know why the offending IP address is not getting blocked, and also if you need any further information.

Route print from the Windows Agent:

172.16.4.134 255.255.255.255 172.16.4.184 172.16.4.184 1

ossec.conf on the Windows Agent:

<localfile>
  <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>win_nullroute</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <disabled>no</disabled>
</active-response>

Logs of Default Web Site of IIS:

2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 174 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=NOLNENIBCCNAIBLOJGLKMMIC -
2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=OOLNENIBDCHEEGJBHLMFHOMP -
2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=POLNENIBAEDGCAPDJNEJEMPH -
2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=APLNENIBGJHMCKBAEBKOKALI -
2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:55 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200

Logs from OSSEC Server:

** Alert 1292584981.362616: mail - web,accesslog,web_scan,recon,
2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 172.16.2.63
User: (none)
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

** Alert 1292584981.364809: - web,accesslog,
2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 172.16.2.63
User: (none)
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

Regards,
Ankush
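Added example (editor's code, not part of Ankush's post and not OSSEC's own route-null.cmd or ruleset): a small reimplementation of what happens between the IIS log line and the active-response command, run over log lines adapted from the post. It parses the W3C fields, applies a sliding-window "multiple 4xx from one client" rule keyed on the client column, and prints the Windows host-route command that a null-route script would issue for the resulting srcip. Two points it makes concrete for anyone checking a setup like the one above: the alert's Src IP (172.16.2.63) is the c-ip column, while the same line also carries the server's own address (172.16.4.184) as s-ip and cs-host, so a script that grabbed the wrong column would null-route the server itself; and the route print in the post shows a /32 for 172.16.4.134, not for 172.16.2.63, so the first thing to verify after a level-10 alert is whether a 172.16.2.63 host route ever appears. Also worth checking in OSSEC 2.x: the <command> and <active-response> blocks are read by the manager, so they belong in the server's ossec.conf, with the agent only needing the script in its active-response\bin directory and active response not disabled. Assumptions in the code: the field names after sc-substatus (the post omits the #Fields: header), the threshold and window (10 hits in 120 s, not the parameters of rule 31151), and the next-hop address passed to the route command.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed W3C extended field order. The post's excerpt omits the "#Fields:"
# header, so the names after sc-substatus were inferred from the posted lines;
# the detector only relies on c-ip (column 3) and sc-status (column 12), which
# are unambiguous in every line of the post.
FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)"
).split()


def parse_iis_line(line):
    """Split one W3C log line into a dict keyed by FIELDS.

    Returns None for '#' directive lines and for lines whose field count does
    not match, so a partially written last line never reaches the detector.
    """
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_block_candidates(lines, threshold=10, window_seconds=120):
    """Sliding-window frequency rule over 4xx responses, keyed on the client IP.

    A c-ip that produces `threshold` or more 4xx responses within
    `window_seconds` is reported once, with the timestamp of the hit that
    crossed the threshold. threshold/window are assumed values, not the
    parameters of OSSEC rule 31151.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # c-ip -> timestamps of recent 4xx hits
    reported = set()
    candidates = []              # (c-ip, trigger timestamp) in log order
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not rec["sc-status"].isdigit():
            continue
        if not 400 <= int(rec["sc-status"]) <= 499:
            continue
        ip, ts = rec["c-ip"], rec["timestamp"]   # client column, never s-ip
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in reported:
            reported.add(ip)
            candidates.append((ip, ts))
    return candidates


def null_route_command(srcip, next_hop):
    """Windows form of a null route: a /32 host route for the offender pointed
    at a next hop the caller chooses. Illustration only, not route-null.cmd."""
    return "route ADD %s MASK 255.255.255.255 %s" % (srcip, next_hop)


# Constructed sample log, adapted from the lines in the post: twelve HEAD
# /test/test/test.html 404s from 172.16.2.63, one 404 from an unrelated
# (made-up) client, then a successful GET from the original client.
_HIT_404 = ("%s 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD "
            "/test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 "
            "Wget/1.10.2+(Red+Hat+modified) - -")
SAMPLE_LOG = ["#Fields: " + " ".join(FIELDS)]
SAMPLE_LOG += [_HIT_404 % "2010-12-17 11:34:43"] * 7
SAMPLE_LOG += [_HIT_404 % "2010-12-17 11:34:45"] * 5
SAMPLE_LOG.append(
    "2010-12-17 11:34:47 172.16.2.99 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 "
    "GET /missing.html - 404 0 144 139 0 HTTP/1.0 172.16.4.184 curl/7.19.7 - -")
SAMPLE_LOG.append(
    "2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 "
    "HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 "
    "Wget/1.10.2+(Red+Hat+modified) - -")


def main():
    # Next hop 172.16.4.184 mirrors the gateway column of the post's route
    # print; it is an assumption, not a value taken from any OSSEC script.
    for ip, ts in detect_block_candidates(SAMPLE_LOG):
        print("%s  srcip=%s  ->  %s"
              % (ts, ip, null_route_command(ip, "172.16.4.184")))


if __name__ == "__main__":
    main()
```

With the defaults the only candidate is 172.16.2.63, triggered by the tenth 404 at 11:34:45; the single 404 from the other client never crosses the threshold, and raising the threshold above twelve reports nothing at all. Whatever the real script does with that srcip, the address it receives has to be the c-ip column, which is what the OSSEC alert in the post reports.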