On Fri, Dec 17, 2010 at 9:06 PM, dan (ddp) <ddp...@gmail.com> wrote:
> Is your active response configuration also on the server? If it isn't,
> copy it to the server's ossec.conf, restart, and try again.

Yes, it is already there on the server. In fact, while installing the server I accepted to run the server in active-response mode.

<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc). -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

> On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover <ankushos...@gmail.com> wrote:
> > Hi Friends,
> >
> > I have installed Ossec 2.5.1 on a Centos 5.x machine and an agent (2.5.1) on
> > Windows XP where IIS is running. From another test machine (linux) I tried
> > to wget some false files from the IIS server, which resulted in 404 errors on the
> > IIS server. I do get email alerts showing that there are 400 error codes, but the
> > offending ip address is not getting blocked, as I am able to get the correct
> > files downloaded from the IIS server at the same time.
> >
> > Do let me know why the offending ip address is not getting blocked and also
> > if you need any further information.
> >
> > route print from the Windows Agent
> >
> > 172.16.4.134 255.255.255.255 172.16.4.184 172.16.4.184 1
> >
> > Ossec.conf on the Windows Agent
> >
> > <localfile>
> >   <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
> >   <log_format>iis</log_format>
> > </localfile>
> >
> > <command>
> >   <name>win_nullroute</name>
> >   <executable>route-null.cmd</executable>
> >   <expect>srcip</expect>
> >   <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>win_nullroute</command>
> >   <location>local</location>
> >   <level>6</level>
> >   <timeout>600</timeout>
> > </active-response>
> >
> > <active-response>
> >   <disabled>no</disabled>
> > </active-response>
> >
> > Logs of Default Web Site of IIS
> >
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:50 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 174 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=NOLNENIBCCNAIBLOJGLKMMIC -
> > 2010-12-17 11:34:51 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=OOLNENIBDCHEEGJBHLMFHOMP -
> > 2010-12-17 11:34:52 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 16 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=POLNENIBAEDGCAPDJNEJEMPH -
> > 2010-12-17 11:34:53 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200 0 1532 194 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) ASPSESSIONIDSACBRRBC=APLNENIBGJHMCKBAEBKOKALI -
> > 2010-12-17 11:34:54 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /iisstart.asp - 200 0 269 120 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:55 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 GET /iisstart.asp - 200
> >
> > Logs from Ossec Server
> >
> > ** Alert 1292584981.362616: mail - web,accesslog,web_scan,recon,
> > 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> > Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
> > Src IP: 172.16.2.63
> > User: (none)
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 15 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> > 2010-12-17 11:34:43 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> >
> > ** Alert 1292584981.364809: - web,accesslog,
> > 2010 Dec 17 16:53:01 (windowsxp) 172.16.4.184->\WINDOWS\System32\LogFiles\W3SVC1\ex101217.log
> > Rule: 31101 (level 5) -> 'Web server 400 error code.'
> > Src IP: 172.16.2.63
> > User: (none)
> > 2010-12-17 11:34:45 172.16.2.63 - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 HEAD /test/test/test.html - 404 3 144 139 0 HTTP/1.0 172.16.4.184 Wget/1.10.2+(Red+Hat+modified) - -
> >
> > Regards
> >
> > Ankush
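To separate the detection half of this problem from the response half, here is an added example (my own, not OSSEC code or anything posted in the thread) that parses IIS W3C lines in the field order seen above and replays the same frequency logic that rule 31101 feeds into rule 31151. The field order, the stock frequency of 10 hits in 120 seconds, and the sample lines are all assumptions or constructed data, labelled as such in the code.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field order as seen in the lines posted in the thread (an assumption: IIS
# lets you pick and reorder W3C fields, so check the #Fields: header first).
FIELDS = ("date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
          "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query",
          "sc-status", "sc-substatus", "sc-bytes", "cs-bytes", "time-taken",
          "cs-version", "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)")

def parse_iis_line(line):
    """One W3C line -> dict with parsed timestamp and status; None for comments."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 12:
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["sc-status"])
    return rec

def find_offenders(lines, frequency=10, timeframe=120):
    """Emulate rule 31101 (one 4xx, level 5) feeding rule 31151 (`frequency`
    4xx hits from one c-ip within `timeframe` seconds, level 10).  Defaults are
    assumed from memory of the stock web_rules.xml; match them to your ruleset.
    Returns {c-ip: timestamp at which the level-10 alert would fire}."""
    window, fired = defaultdict(deque), {}
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not 400 <= rec["status"] < 500:
            continue  # only 4xx responses feed the frequency counter
        ip, q = rec["c-ip"], window[rec["c-ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > timedelta(seconds=timeframe):
            q.popleft()  # drop hits older than the rule's timeframe
        if len(q) >= frequency and ip not in fired:
            fired[ip] = rec["ts"]  # level 10 clears the <level>6</level> gate
    return fired

# Constructed sample in the same layout as the thread's lines: 14 HEAD 404s from
# one client in two seconds, one stray 404 from another client, one GET 200.
_TPL = ("2010-12-17 11:34:{sec:02d} {ip} - W3SVC1 ADMIN-B5C3D2CA9 172.16.4.184 80 "
        "{method} {uri} - {status} {sub} 144 139 0 HTTP/1.0 172.16.4.184 "
        "Wget/1.10.2+(Red+Hat+modified) - -")
SAMPLE = [_TPL.format(sec=43 + i // 7, ip="172.16.2.63", method="HEAD",
                      uri="/test/test/test.html", status=404, sub=3) for i in range(14)]
SAMPLE.append(_TPL.format(sec=44, ip="172.16.2.99", method="HEAD",
                          uri="/test/test/test.html", status=404, sub=3))
SAMPLE.append(_TPL.format(sec=50, ip="172.16.2.63", method="GET",
                          uri="/iisstart.asp", status=200, sub=0))
```

If the replay flags the source, the alert side is doing its job and the open question moves to execution of the response command, which with `<location>local</location>` runs on the agent that reported the log, not on the manager.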