Hello again!

After successfully troubleshooting another problem, here is a new one.

First I will provide all necessary logs (etc), then I will post my
problem:

Ossec WUI output on the manager (ubuntu):
2011 Aug 08 04:49:52 Rule Id: 1012 level: 11
Location: (agent1) 192.168.0.69->\inetpub\logs\LogFiles
\W3SVC1\ex110808.log
Src IP: 08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
20100101+Firefox/5.0 404 0 2 187
hacking attempt
** Alert 1312804227.157360: - apache,
2011 Aug 08 04:50:27 ubuntu->/var/log/apache2/error.log
Rule: 31410 (level 3) -> 'PHP Warning message.'
Src IP: 172.16.1.21
[Mon Aug 08 04:50:27 2011] [error] [client 192.168.0.21] PHP Warning:
fseek() expects parameter 3 to be long, string given in /var/www/ossec-
wui-0.3/lib/os_lib_alerts.php on line 842, referer:
http://192.168.0.124/ossec-wui-0.3/index.php?f=s

The referring "rule 1012":
<rule id="1012" level="11">
    <match>$sqli_xss</match>
    <options>alert_by_email</options>
    <description>hacking attempt</description>
    <group>attack,sql_injection,</group>
</rule>

To the agent conf:
<localfile>
  <location>%WinDir%\\inetpub\\logs\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

Last but not least, the output of the ex110808.log at the windows
server:
2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
20100101+Firefox/5.0 404 0 2 218
2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
20100101+Firefox/5.0 404 0 2 203

Maybe you already know the problem...somehow the IP is not properly
extracted. So, the attack is logged, but the host isn't denied.
When I directly attack the manager (ubuntu), everything is logged too
(of course with another rule) and the attacker is "denied":
2011 Aug 08 00:49:13 Rule Id: 31103 level: 6
Location: ubuntu->/var/log/apache2/access.log
Src IP: 192.168.0.21
SQL injection attempt.

Thanks for any help!
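As an added illustration (not code from the post and not OSSEC's own decoder), the Python below parses IIS W3C extended log lines by field name instead of by column position, and refuses to hand a client address to a block action unless it validates as an IP. It assumes the `#Fields:` header shown is the IIS 7 default W3C selection (the post quotes data lines only, so the header is reconstructed); `SQLI_PATTERN` is a small stand-in for the `$sqli_xss` variable used by rule 1012, whose contents are not on the page. The two data lines are the ones quoted from ex110808.log; the third file with a different field order is constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed header: the IIS 7 default W3C field selection. The post's log excerpt
# omits the "#Fields:" directive, so it is reconstructed here.
W3C_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
              "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
              "sc-win32-status time-taken")

# Sample input: the two data lines quoted in the post (re-joined onto one line
# each), followed by a constructed second site that logs fewer fields in a
# different order.
SAMPLE_LOG = W3C_HEADER + "\n" + (
    "2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 "
    "Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 218\n"
    "2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 "
    "Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 203\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"   # constructed
    "2011-08-08 11:50:01 10.0.0.5 GET /index.html 200\n"            # constructed
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per entry, keyed by field name.

    The column layout comes from the most recent "#Fields:" directive, so the
    parser follows whatever selection the IIS administrator configured rather
    than assuming the client address sits in a fixed position.
    """
    fields: Optional[List[str]] = None
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Version, #Date)
            continue
        if fields is None:
            raise ValueError("data line encountered before any #Fields: directive")
        # W3C values are space-separated; spaces inside a value are '+'-encoded
        # and empty values are written as '-', so a plain split is safe.
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def client_ip(entry: Dict[str, str]) -> Optional[str]:
    """Return the c-ip value only if it is a syntactically valid IP address.

    A malformed source address (the post's WUI shows one beginning with a
    timestamp and a request line) returns None, so the caller can skip active
    response instead of trying to block a string that is not a host.
    """
    try:
        return str(ipaddress.ip_address(entry.get("c-ip", "")))
    except ValueError:
        return None


# Assumed stand-in for OSSEC's $sqli_xss variable; deliberately small.
SQLI_PATTERN = re.compile(r"union\+select|%27|'", re.IGNORECASE)


def sqli_hits(text: str) -> List[Tuple[Optional[str], str]]:
    """Return (validated client IP or None, URI stem) for each entry whose
    URI stem or query matches SQLI_PATTERN."""
    hits: List[Tuple[Optional[str], str]] = []
    for entry in parse_w3c(text):
        uri = entry.get("cs-uri-stem", "") + " " + entry.get("cs-uri-query", "-")
        if SQLI_PATTERN.search(uri):
            hits.append((client_ip(entry), entry.get("cs-uri-stem", "")))
    return hits


if __name__ == "__main__":
    for ip, uri in sqli_hits(SAMPLE_LOG):
        action = f"block {ip}" if ip else "skip active response (no valid client IP)"
        print(f"{uri!r}: {action}")
    # The value the post's WUI displayed as "Src IP", run through the same check:
    print(client_ip({"c-ip": "08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -"}))
```

Run as a script it reports `192.168.0.21` as the address to block for both quoted lines, and `None` for the garbled "Src IP" string, which is the check that would keep an active-response script from being invoked with a non-address. The point for the thread is that the client address is `c-ip`, the ninth field in this selection, while `192.168.0.69` (third field) is `s-ip`, the server itself.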
