Hi Friends,

I have installed OSSEC 2.5.1 on a CentOS 5.x machine and an agent (2.5.1) on
Windows XP where IIS is running. From another test machine (Linux) I tried
to wget some false files from the IIS server, which resulted in 404 errors on
the IIS server. I do get email alerts showing that there are 400 error codes,
but the offending IP address is not getting blocked, as I am able to download
the correct files from the IIS server at the same time.


Do let me know why the offending IP address is not getting blocked, and also
if you need any further information.

route print from the Windows Agent

172.16.4.134  255.255.255.255     172.16.4.184    172.16.4.184       1

ossec.conf on the Windows Agent

<localfile>
  <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>win_nullroute</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <disabled>no</disabled>
</active-response>




Logs of Default Web Site of IIS

2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 174 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=NOLNENIBCCNAIBLOJGLKMMIC -
2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=OOLNENIBDCHEEGJBHLMFHOMP -
2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=POLNENIBAEDGCAPDJNEJEMPH -
2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=APLNENIBGJHMCKBAEBKOKALI -
2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:55 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200


Logs from Ossec Server

** Alert 1292584981.362616: mail  - web,accesslog,web_scan,recon,
2010 Dec 17 16:53:01 (windowsxp)
172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 172.16.2.63
User: (none)
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -

** Alert 1292584981.364809: - web,accesslog,
2010 Dec 17 16:53:01 (windowsxp)
172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 172.16.2.63
User: (none)
2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -



Regards

Ankush
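Added example (my own code, not from the post above or from OSSEC): a small Python re-implementation of the per-source-IP frequency check behind rule 31151, run over constructed IIS W3C log lines shaped like the ones quoted in the post, plus a check of whether each alert level clears the <level>6</level> threshold of the active-response block. The threshold, timeframe and field positions are assumptions for the demo, not OSSEC's real rule parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                       # assumed: 4xx hits from one IP within...
TIMEFRAME = timedelta(seconds=120)   # ...this assumed window raise the level-10 alert
AR_LEVEL = 6                         # <level>6</level> from the active-response block

def parse_iis_line(line):
    """(timestamp, client_ip, status) from a W3C line; assumes sc-status is field 12."""
    if line.startswith("#"):         # W3C header/comment lines carry no request
        return None
    f = line.split()
    if len(f) < 12:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return ts, f[2], int(f[11])

class ClientErrorTracker:
    """Per-source-IP sliding-window counter of 4xx responses."""
    def __init__(self):
        self.hits = defaultdict(deque)

    def feed(self, line):
        """Return (alert_level, src_ip): 0 no alert, 5 single 4xx, 10 frequency alert."""
        rec = parse_iis_line(line)
        if rec is None:
            return 0, None
        ts, src, status = rec
        if not 400 <= status < 500:
            return 0, src
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > TIMEFRAME:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            q.clear()                 # reset so the alert is not repeated on every line
            return 10, src            # like rule 31151 (level 10)
        return 5, src                 # like rule 31101 (level 5)

def should_block(level):
    """Would an <active-response> with <level>6</level> fire for this alert level?"""
    return level >= AR_LEVEL

# Constructed sample: 12 x 404 from 172.16.2.63 in one second, then a 200.
SAMPLE = ["2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -"] * 12
SAMPLE.append("2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -")

def run(lines):
    """Feed every line through one tracker and return the per-line (level, src) results."""
    t = ClientErrorTracker()
    return [t.feed(l) for l in lines]
```

With these numbers the tenth 404 returns level 10, which clears the level-6 threshold, while each single 4xx at level 5 does not.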
