On Mon, Aug 8, 2011 at 8:08 AM, Hermes <[email protected]> wrote:
> Hello again!
>
> After successfully troubleshooting another problem, here is a new one.
>
> First I will provide all necessary logs (etc.), then I will post my
> problem:
>
> Ossec WUI output on the manager (ubuntu):
> 2011 Aug 08 04:49:52 Rule Id: 1012 level: 11
> Location: (agent1) 192.168.0.69->\inetpub\logs\LogFiles\W3SVC1\ex110808.log
> Src IP: 08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 187
> hacking attempt
>
> ** Alert 1312804227.157360: - apache,
> 2011 Aug 08 04:50:27 ubuntu->/var/log/apache2/error.log
> Rule: 31410 (level 3) -> 'PHP Warning message.'
> Src IP: 172.16.1.21
> [Mon Aug 08 04:50:27 2011] [error] [client 192.168.0.21] PHP Warning: fseek() expects parameter 3 to be long, string given in /var/www/ossec-wui-0.3/lib/os_lib_alerts.php on line 842, referer: http://192.168.0.124/ossec-wui-0.3/index.php?f=s
>
Yes, the WUI code is broken. One day the people that want to use it will get together and share the fixes they've had to put in place so we don't have to keep seeing the same posts about it. The above seems unrelated to anything else in this message though...

> The referring "rule 1012":
> <rule id="1012" level="11">
>   <match>$sqli_xss</match>
>   <options>alert_by_email</options>
>   <description>hacking attempt</description>
>   <group>attack,sql_injection,</group>
> </rule>
>
> To the agent conf:
> <localfile>
>   <location>%WinDir%\\inetpub\\logs\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
>   <log_format>iis</log_format>
> </localfile>
>
> Last but not least, the output of the ex110808.log at the windows
> server:
> 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 218
> 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 - 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/20100101+Firefox/5.0 404 0 2 203

This doesn't appear to be any IIS log format we have support for at the moment.

> Maybe you already know the problem...somehow the IP is not properly
> extracted. So, the attack is logged, but the host isn't denied.
> When I directly attack the manager (ubuntu), everything is logged too
> (of course with another rule) and the attacker is "denied":
> 2011 Aug 08 00:49:13 Rule Id: 31103 level: 6
> Location: ubuntu->/var/log/apache2/access.log
> Src IP: 192.168.0.21
>
> Thanks for any help!

SQL injection attempt. Write a decoder to grab the IP. I don't think it should be too difficult.
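A decoder of the kind the reply suggests, added here as an illustration rather than taken from the thread or from OSSEC's own decoder set: it parses the IIS 7 default W3C field layout shown in the ex110808.log lines and maps the eighth field (c-ip, here 192.168.0.21) to srcip, which is what active response keys on. It assumes the block goes into /var/ossec/etc/local_decoder.xml and that the stock windows-date-format decoder exists to act as parent; the decoder name is made up.

```xml
<!-- Added example for /var/ossec/etc/local_decoder.xml (not from the thread).
     Matches the IIS 7 default W3C layout seen in ex110808.log:
     date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
     c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
     The decoder name is made up; "windows-date-format" is assumed to be the
     stock OSSEC parent decoder that prematches the leading "YYYY-MM-DD hh:mm:ss". -->
<decoder name="iis7-w3c-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <!-- Skip date and time, then capture in order:
       s-ip -> dstip, cs-method -> action, cs-uri-stem -> url,
       (skip cs-uri-query), s-port -> dstport, (skip cs-username),
       c-ip -> srcip, (skip the user agent, which IIS writes with no spaces),
       sc-status -> id.  In OSSEC regex syntax "\S+" is a run of non-space characters. -->
  <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d (\d+.\d+.\d+.\d+) (\w+) (\S+) \S+ (\d+) \S+ (\d+.\d+.\d+.\d+) \S+ (\d+) </regex>
  <order>dstip, action, url, dstport, srcip, id</order>
</decoder>
```

After restarting the manager, pasting one of the ex110808.log lines into /var/ossec/bin/ossec-logtest should show this decoder name and srcip: '192.168.0.21' in the decoded output; if srcip is still missing, the field order in the #Fields header of the IIS log differs from the default and the regex needs adjusting to match.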
