On Thu, Jun 5, 2014 at 3:49 PM, Lou <[email protected]> wrote:
> More info. I've determined that modifying the Apache Log Format does cause a
> problem (I suppose I have to update a decoder?).  I manually modified my
> apache log and ran the tool again and it provided the below output.
>

Yes, if you don't use the default log format OSSEC won't recognize it.

> **Phase 2: Completed decoding.
>        decoder: 'pure-transfer'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '11310'
>        Level: '0'
>        Description: 'Rule grouping for pure ftpd transfers.'
>
> So I changed the rule to this but still cannot get it to work
>
> <rule id="100506" level="1">
>     <if_sid>11310</if_sid>
>     <url>captchaDB.php</url>

I don't have access to an OSSEC system I can test on at the moment,
but this url doesn't exist in the log message you provided.
You'll also notice that in the Phase 2 output you provided, the "url"
field doesn't exist.

>     <match>GET</match>
>     <description>Captcha attempt.</description>
>   </rule>
>
>   <rule id="100507" level="10" frequency="4" timeframe="60">
>     <if_matched_sid>100506</if_matched_sid>
>     <same_source_ip />
>     <description>Captcha attack.</description>
>     <group>attack,</group>
>    </rule>
>
> On Thursday, June 5, 2014 3:08:30 PM UTC-4, Lou wrote:
>>
>> I did some googling and came up with this rule.
>>
>> <rule id="100506" level="1">
>>     <if_sid>31101</if_sid>
>>     <url>captchaDB.php</url>
>>     <match>GET</match>
>>     <description>Captcha attempt.</description>
>>   </rule>
>>
>>   <rule id="100507" level="10" frequency="4" timeframe="60">
>>     <if_matched_sid>100506</if_matched_sid>
>>     <same_source_ip />
>>     <description>Captcha attack.</description>
>>     <group>attack,</group>
>>    </rule>
>>
>> And then I tested:  cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a
>>
>> The tool triggered one alert (the word 'error' in a filename - which is
>> ok).  So my rule does not seem to be working.  Any suggestions?  I also have
>> one other question.  I modified my apache log format to include the domain
>> at the start of the log entry... does this affect how OSSEC rules parse the
>> logs?
>>
>> My full log entry actually looks like this:
>>
>> www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>> /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com"; "Mozilla/4.0
>> (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR
>> 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
>> .NET4.0C; .NET4.0E)"
>>
>> On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote:
>>>
>>> I receive other alerts so at least I know it is partially configured
>>> correctly.
>>>
>>> The apache log file entries look something like this:
>>>
>>> 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>>> /path/to/file/captcha.php HTTP/1.1" 200
>>>
>>> thanks
>>>
>>> On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
>>>>
>>>> On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
>>>> > I'm new to OSSEC and have recently installed it on some web servers
>>>> > that are being 'abused'.  Every 15-20 seconds the user is accessing the
>>>> > captcha file and I believe he is using an OCR tool to bypass it.  I was
>>>> > under the impression that OSSEC would detect this automatically with its
>>>> > included rules and send me a notification (similar to DOS attack).  This
>>>> > does not seem to be the case.  Do I need to create a specific rule for
>>>> > this?  Or do I have something misconfigured?  I would appreciate any help.
>>>> >
>>>>
>>>> There's probably no rule for it. You can use the ossec-logtest program
>>>> to help create rules for these events. Giving us log samples can also
>>>> help.
>>>> There is definitely a possibility for misconfiguration though. Without
>>>> knowing how your systems are configured, it's hard to tell.
>>>>
>>>> > Thanks!
>>>> >
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups
>>>> > "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an
>>>> > email to [email protected].
>>>> > For more options, visit https://groups.google.com/d/optout.
>

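The two problems in this thread (the vhost-prefixed access log line no longer being decoded as a web log, and the frequency rule never firing) are easier to reason about with the detection logic written out in full. The script below is an added example, not code from this thread or from OSSEC itself. It approximates OSSEC's stock web-accesslog decoder, which requires the line to begin with an IPv4 address, adds a hypothetical second pattern for the format Lou describes (virtual host name prepended to each line), and implements the "4 GETs for captcha.php from one source IP inside 60 seconds" logic of the posted rules 100506/100507 in plain Python. The log lines are constructed for the example, the names decode, CaptchaWatcher and run are my own, and the regexes are Python translations rather than OSSEC's own regex dialect.

```python
"""Added example (not from this thread or from OSSEC): decode Apache access
log lines and apply the frequency/timeframe logic of the posted rules."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Approximation of OSSEC's stock web-accesslog decoder: the line must start
# with an IPv4 address, and srcip, url and status (OSSEC's "id") are extracted.
# (Method is captured here as well; the stock decoder does not extract it.)
DEFAULT_FORMAT = re.compile(
    r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP/\S+" (?P<status>\d+)'
)

# Hypothetical decoder for the modified format in the thread, where the
# virtual host name is prepended to every line.
VHOST_FORMAT = re.compile(
    r'^(?P<vhost>\S+) (?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP/\S+" (?P<status>\d+)'
)

DECODERS = (("web-accesslog", DEFAULT_FORMAT), ("web-accesslog-vhost", VHOST_FORMAT))


def decode(line):
    """Return (decoder_name, fields) for the first pattern that matches,
    or (None, None) when nothing does (no url/srcip field exists then)."""
    for name, pattern in DECODERS:
        m = pattern.match(line)
        if m:
            return name, m.groupdict()
    return None, None


CAPTCHA_URL = "captcha.php"   # script the thread is watching
FREQUENCY = 4                 # from the posted rule 100507
TIMEFRAME = 60                # seconds, from the posted rule 100507


def parse_ts(ts):
    """Apache timestamp, e.g. 05/Jun/2014:08:46:36 -0400."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


class CaptchaWatcher:
    """Analogue of rule 100506 (level 1 per captcha GET) feeding rule 100507
    (level 10 once FREQUENCY hits from one srcip fall inside TIMEFRAME)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)   # srcip -> timestamps of recent hits

    def feed(self, line):
        """Return the alert level this line produces: 0, 1 or 10."""
        decoder, f = decode(line)
        if decoder is None:
            return 0                      # undecoded: no web rule can fire
        if f["method"] != "GET" or not f["url"].endswith(CAPTCHA_URL):
            return 0
        t = parse_ts(f["ts"])
        window = self.hits[f["srcip"]]
        window.append(t)
        while window and (t - window[0]).total_seconds() > self.timeframe:
            window.popleft()              # forget hits outside the timeframe
        if len(window) >= self.frequency:
            window.clear()                # one burst -> one level-10 alert (simplification)
            return 10
        return 1


def run(lines, **kw):
    """Feed lines in order and return the alert level for each."""
    watcher = CaptchaWatcher(**kw)
    return [watcher.feed(line) for line in lines]


# Constructed sample log: four captcha GETs from one IP within 45 seconds in
# the vhost-prefixed format, one unrelated request, one stock-format line
# and one line neither pattern recognises.
SAMPLE_LOG = [
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:51 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    'www.mydomain.com 203.0.113.9 - - [05/Jun/2014:08:46:55 -0400] "GET /index.html HTTP/1.1" 200 "-" "curl/7.30"',
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:47:06 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:47:21 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    '70.55.163.53 - - [05/Jun/2014:08:50:00 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    'Jun  5 08:50:01 host sshd[1234]: Accepted publickey for lou from 203.0.113.9',
]

if __name__ == "__main__":
    for level, line in zip(run(SAMPLE_LOG), SAMPLE_LOG):
        print(level, line[:70])
```

Run as a script it prints one level per line. Two things it makes visible: a vhost-prefixed line is simply not matched by the default pattern, so no web rule can ever see a url field for it (OSSEC falls through to whatever decoder does match, 'pure-transfer' in the logtest output above); and the counter has to key on captcha GETs that return 200, so in OSSEC the per-hit rule wants to sit under the access-log group 31100 rather than 31101, which only matches 4xx status codes. Whatever decoder and rule you end up with, confirm them against the real lines with cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a before trusting the alert.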
