On Fri, Dec 17, 2010 at 9:06 PM, dan (ddp) <ddp...@gmail.com> wrote:

> Is your active response configuration also on the server? If it isn't,
> copy it to the server's ossec.conf, restart, and try again


Yes, it is already there on the server. In fact, while installing the server I accepted the option to run the server in active-response mode.

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>


>
> On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover <ankushos...@gmail.com> wrote:
> > Hi Friends,
> >
> > I have installed OSSEC 2.5.1 on a CentOS 5.x machine and an agent (2.5.1) on Windows XP where IIS is running. From another test machine (Linux) I tried to wget some false files from the IIS server, which resulted in 404 errors on the IIS server. I do get email alerts showing that there are 400 error codes, but the offending IP address is not getting blocked, as I am able to download the correct files from the IIS server at the same time.
> >
> >
> > Do let me know why the offending IP address is not getting blocked, and also if you need any further information.
> >
> > route print from the Windows agent
> >
> > 172.16.4.134  255.255.255.255     172.16.4.184    172.16.4.184       1
> >
> > ossec.conf on the Windows agent
> > <localfile>
> >     <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
> >     <log_format>iis</log_format>
> > </localfile>
> >
> >
> > <command>
> >     <name>win_nullroute</name>
> >     <executable>route-null.cmd</executable>
> >     <expect>srcip</expect>
> >     <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> >     <command>win_nullroute</command>
> >     <location>local</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> > </active-response>
> >
> > <active-response>
> >     <disabled>no</disabled>
> > </active-response>
> >
> >
> >
> >
> > Logs of Default Web Site of IIS
> >
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 174 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=NOLNENIBCCNAIBLOJGLKMMIC -
> > 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=OOLNENIBDCHEEGJBHLMFHOMP -
> > 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=POLNENIBAEDGCAPDJNEJEMPH -
> > 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=APLNENIBGJHMCKBAEBKOKALI -
> > 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:55 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200
> >
> >
> > Logs from the OSSEC server
> >
> > ** Alert 1292584981.362616: mail  - web,accesslog,web_scan,recon,
> > 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> > Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
> > Src IP: 172.16.2.63
> > User: (none)
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> >
> > ** Alert 1292584981.364809: - web,accesslog,
> > 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> > Rule: 31101 (level 5) -> 'Web server 400 error code.'
> > Src IP: 172.16.2.63
> > User: (none)
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> >
> >
> >
> > Regards
> >
> > Ankush
> >
>
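The manager-side response selection this thread turns on, as an added example (not code from the thread or from OSSEC): given the server's two responses and the quoted level-10 alert, it lists which commands would be dispatched, to which host, and with which argument. It assumes the stock OSSEC `<command>` definitions for host-deny and firewall-drop (the reply does not quote them), and models `<location>local</location>` as the agent that produced the alert; `parse_alert` and `select_responses` are names chosen here.

```python
import re
import xml.etree.ElementTree as ET

# Manager-side config, constructed from the reply's snippet; the two <command>
# blocks are assumed OSSEC defaults (the thread quotes only the responses).
SERVER_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <active-response><command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
</ossec_config>"""
# Header of the level-10 alert quoted in the thread (constructed copy).
ALERT_31151 = r"""** Alert 1292584981.362616: mail  - web,accesslog,web_scan,recon,
2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 172.16.2.63"""

def parse_alert(text):
    """Agent name, rule id, level and source IP from an alert header."""
    agent = re.search(r"\((\S+)\) \S+->", text).group(1)
    rule, level = re.search(r"Rule: (\d+) \(level (\d+)\)", text).groups()
    srcip = re.search(r"Src IP: (\S+)", text)
    return {"agent": agent, "rule": rule, "level": int(level),
            "srcip": srcip.group(1) if srcip else None}

def select_responses(conf_xml, alert):
    """Responses the manager would dispatch for the alert, and where."""
    root = ET.fromstring(conf_xml)
    commands = {c.findtext("name"): c for c in root.findall("command")}
    chosen = []
    for ar in root.findall("active-response"):
        if ar.findtext("disabled") == "yes" or ar.findtext("command") is None:
            continue
        if alert["level"] < int(ar.findtext("level") or 0):
            continue  # alert is below this response's <level> threshold
        cmd = commands.get(ar.findtext("command"))
        if cmd is None:
            continue  # no <command> block of that name on the manager
        loc = ar.findtext("location")
        chosen.append({"command": cmd.findtext("name"),
                       "executable": cmd.findtext("executable"),
                       # local: run on the agent that raised the alert
                       "target": alert["agent"] if loc == "local" else loc,
                       "arg": alert["srcip"] if cmd.findtext("expect") == "srcip" else None,
                       "timeout": int(ar.findtext("timeout") or 0)})
    return chosen
```

With this config the two Linux scripts are what gets sent to the windowsxp agent for 172.16.2.63, while win_nullroute, defined only in the agent's ossec.conf, is never selected because the manager has no `<command>` block of that name.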
