Remember to add your decoder to local_decoder.xml so it won't be overwritten on upgrade.
On Monday, August 8, 2011, Hermes <[email protected]> wrote:
> Yes. I am already writing the new decoder^^
> But something that really helped (and THANKS for that):
> For every log decoder, there is an example directly above, so I can
> instantly compare differences, without installing IIS5 and IIS6.
>
> On 8 Aug., 14:39, "dan (ddp)" <[email protected]> wrote:
>> Run the log message through ossec-logtest. Decoders.xml has examples, and
>> they don't appear to be in the same format as the log you posted.
>>
>> On Monday, August 8, 2011, Hermes <[email protected]> wrote:
>> > _Sorry_ for the double post!!
>>
>> > The more I appreciate the answers!
>> > Is there something weird with the log file? Because, shouldn't it
>> > already be in IIS style, ready for decode?
>>
>> > On 8 Aug., 14:28, "dan (ddp)" <[email protected]> wrote:
>> >> On Mon, Aug 8, 2011 at 8:08 AM, Hermes <[email protected]> wrote:
>> >> > Hello again!
>> >>
>> >> > After successfully troubleshooting another problem, here is a new one.
>> >>
>> >> > First I will provide all necessary logs (etc), then I will post my
>> >> > problem:
>> >>
>> >> > Ossec WUI output on the manager (ubuntu):
>> >> > 2011 Aug 08 04:49:52 Rule Id: 1012 level: 11
>> >> > Location: (agent1) 192.168.0.69->\inetpub\logs\LogFiles
>> >> > \W3SVC1\ex110808.log
>> >> > Src IP: 08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
>> >> > 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
>> >> > 20100101+Firefox/5.0 404 0 2 187
>> >> > hacking attempt
>> >> > ** Alert 1312804227.157360: - apache,
>> >> > 2011 Aug 08 04:50:27 ubuntu->/var/log/apache2/error.log
>> >> > Rule: 31410 (level 3) -> 'PHP Warning message.'
>> >> > Src IP: 172.16.1.21
>> >> > [Mon Aug 08 04:50:27 2011] [error] [client 192.168.0.21] PHP Warning:
>> >> > fseek() expects parameter 3 to be long, string given in /var/www/ossec-
>> >> > wui-0.3/lib/os_lib_alerts.php on line 842, referer:
>> >> > http://192.168.0.124/ossec-wui-0.3/index.php?f=s
>> >>
>> >> Yes, the WUI code is broken. One day the people that want to use it
>> >> will get together and share the fixes they've had to put in place so
>> >> we don't have to keep seeing the same posts about it. The above seems
>> >> unrelated to anything else in this message though...
>> >>
>> >> > The referring "rule 1012":
>> >> > <rule id="1012" level="11">
>> >> > <match>$sqli_xss</match>
>> >> > <options>alert_by_email</options>
>> >> > <description>hacking attempt</description>
>> >> > <group>attack,sql_injection,</group>
>> >> > </rule>
>> >>
>> >> > To the agent conf:
>> >> > <localfile>
>> >> > <location>%WinDir%\\inetpub\\logs\\LogFiles\\W3SVC1\\ex%y%m%d.log</
>> >> > location>
>> >> > <log_format>iis</log_format>
>> >> > </localfile>
>> >>
>> >> > Last but not least, the output of the ex110808.log at the windows
>> >> > server:
>> >> > 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
>> >> > 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
>> >> > 20100101+Firefox/5.0 404 0 2 218
>> >> > 2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
>> >> > 192.168.0.21 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:5.0)+Gecko/
>> >> > 20100101+Firefox/5.0 404 0 2 203
>> >>
>> This doesn't appear to be any IIS log format we have support for at the
>> moment.
>>
>> >> > Maybe you already know the problem...somehow the IP is not properly
>> >> > extracted. So, the attack is logged, but the host isn't denied.
>> >> > When I directly attack the manager (ubuntu), everything is logged too
>> >> > (of course with another rule) and the attacker is "denied":
>> >> > 2011 Aug 08 00:49:13 Rule Id: 31103 level: 6
>> >> > Location: ubuntu->/var/log/apache2/access.log
>> >> > Src IP: 192.168.0.21
>> >>
>> >> > Thanks for any help!
>> >> > SQL injection attempt.
>> >>
>> >> Write a decoder to grab the IP. I don't think it should be too difficul
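A decoder of the kind dan suggests, written here as an added example (not from the thread or from the OSSEC project), for the W3C-style line Hermes posted: the field order it assumes is date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status and the rest; the decoder name is an assumption, and it goes in local_decoder.xml as noted above.

```xml
<!-- Added example, not from the thread: custom decoder for the IIS W3C line
     "2011-08-08 11:49:54 192.168.0.69 GET /+union+select+'+where - 80 -
      192.168.0.21 Mozilla/5.0+(...)+Firefox/5.0 404 0 2 218".
     Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query
     s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
     sc-win32-status time-taken. The decoder name is an assumption.
     Put this in local_decoder.xml so upgrades do not overwrite it. -->
<decoder name="iis-w3c-custom">
  <!-- Cheap prematch: ISO date, time, server IP and the HTTP method -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \S+ \w+ </prematch>

  <!-- Capture groups, in order: s-ip, cs-method, cs-uri-stem, s-port, c-ip,
       sc-status. The unanchored \S+ tokens skip cs-uri-query, cs-username
       and the user agent (IIS writes spaces in it as '+', so it is one token). -->
  <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d (\S+) (\w+) (\S+) \S+ (\d+) \S+ (\S+) \S+ (\d+) </regex>

  <!-- c-ip is mapped to srcip: that is the field active response blocks on,
       so the client, not the server or a timestamp fragment, gets denied. -->
  <order>dstip, action, url, dstport, srcip, status</order>
</decoder>
```

Feed the posted log line to ossec-logtest and confirm that the decoder fires and that srcip is 192.168.0.21 (the c-ip column) rather than the "08 11:49:54 ..." fragment shown in the WUI alert above.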
