OK. I removed the <url> from the rule and just use <match> and this 
worked.  The first rule is triggered.  However, the second rule which 
should trigger if there are 4 requests in 60 seconds does not.  The sample 
apache log file has 5 entries with date stamps within 1 minute of each 
other.  Any idea what I'm missing?

Thanks for the help thus far.  Much appreciated. 

On Thursday, June 5, 2014 3:57:52 PM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Jun 5, 2014 at 3:49 PM, Lou <[email protected]> wrote: 
> > More info. I've determined that modifying the Apache Log Format does 
> > cause a problem (I suppose I have to update a decoder?).  I manually modified my 
> > apache log and ran the tool again and it provided the below output. 
> > 
>
> Yes, if you don't use the default log format OSSEC won't recognize it. 
>
> > **Phase 2: Completed decoding. 
> >        decoder: 'pure-transfer' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '11310' 
> >        Level: '0' 
> >        Description: 'Rule grouping for pure ftpd transfers.' 
> > 
> > So I changed the rule to this but still cannot get it to work 
> > 
> > <rule id="100506" level="1"> 
> >     <if_sid>11310</if_sid> 
> >     <url>captchaDB.php</url> 
>
> I don't have access to an OSSEC system I can test on at the moment, 
> but this url doesn't exist in the log message you provided. 
> You'll also notice that in the Phase 2 output you provided, the "url" 
> field doesn't exist. 
>
> >     <match>GET</match> 
> >     <description>Captcha attempt.</description> 
> >   </rule> 
> > 
> >   <rule id="100507" level="10" frequency="4" timeframe="60"> 
> >     <if_matched_sid>100506</if_matched_sid> 
> >     <same_source_ip /> 
> >     <description>Captcha attack.</description> 
> >     <group>attack,</group> 
> >    </rule> 
> > 
> > On Thursday, June 5, 2014 3:08:30 PM UTC-4, Lou wrote: 
> >> 
> >> I did some Googling and came up with this rule. 
> >> 
> >> <rule id="100506" level="1"> 
> >>     <if_sid>31101</if_sid> 
> >>     <url>captchaDB.php</url> 
> >>     <match>GET</match> 
> >>     <description>Captcha attempt.</description> 
> >>   </rule> 
> >> 
> >>   <rule id="100507" level="10" frequency="4" timeframe="60"> 
> >>     <if_matched_sid>100506</if_matched_sid> 
> >>     <same_source_ip /> 
> >>     <description>Captcha attack.</description> 
> >>     <group>attack,</group> 
> >>    </rule> 
> >> 
> >> And then I tested:  cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a 
> >> 
> >> The tool triggered one alert (the word 'error' in a filename - which is 
> >> ok).  So my rule does not seem to be working.  Any suggestions?  I also 
> >> have one other question.  I modified my apache log format to include the 
> >> domain at the start of the log entry... does this affect how OSSEC rules 
> >> parse the logs? 
> >> 
> >> My full log entry actually looks like this: 
> >> 
> >> www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com"; "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 
> >> 
> >> On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote: 
> >>> 
> >>> I receive other alerts so at least I know it is partially configured 
> >>> correctly. 
> >>> 
> >>> The apache log file entries look something like this: 
> >>> 
> >>> 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 
> >>> 
> >>> thanks 
> >>> 
> >>> On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote: 
> >>>> 
> >>>> On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote: 
> >>>> > I'm new to OSSEC and have recently installed it on some web servers 
> >>>> > that are being 'abused'.  Every 15-20 seconds the user is accessing the 
> >>>> > captcha file and I believe he is using an OCR tool to bypass it.  I was 
> >>>> > under the impression that OSSEC would detect this automatically with its 
> >>>> > included rules and send me a notification (similar to DOS attack).  This 
> >>>> > does not seem to be the case.  Do I need to create a specific rule for 
> >>>> > this?  Or do I have something mis-configured?  I would appreciate any help. 
> >>>> > 
> >>>> 
> >>>> There's probably no rule for it. You can use the ossec-logtest 
> >>>> program to help create rules for these events. Giving us log samples can 
> >>>> also help. 
> >>>> There is definitely a possibility for misconfiguration though. 
> >>>> Without knowing how your systems are configured, it's hard to tell. 
> >>>> 
> >>>> > Thanks! 
> >>>> > 
> >>>> > -- 
> >>>> > 
> >>>> > --- 
> >>>> > You received this message because you are subscribed to the Google 
> >>>> > Groups "ossec-list" group. 
> >>>> > To unsubscribe from this group and stop receiving emails from it, 
> >>>> > send an email to [email protected]. 
> >>>> > For more options, visit https://groups.google.com/d/optout. 
> > 
>
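As an added example (not from this thread and not OSSEC's own code), the Python script below emulates what the two posted rules are meant to do: a first-stage match for a GET on the captcha script, then a composite rule that fires when 4 such matches from the same source IP fall within 60 seconds. It runs over a constructed access log in the default Apache prefix format quoted earlier; the per-IP sliding window and the one-alert-per-burst reset are this script's own hypothetical semantics, not a description of how OSSEC's frequency counter works internally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the thread), default Apache prefix format: five
# captcha requests from one client inside a minute, one unrelated request.
SAMPLE_LOG = """\
70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
70.55.163.53 - - [05/Jun/2014:08:46:52 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
198.51.100.7 - - [05/Jun/2014:08:46:55 -0400] "GET /index.html HTTP/1.1" 200
70.55.163.53 - - [05/Jun/2014:08:47:08 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
70.55.163.53 - - [05/Jun/2014:08:47:25 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
70.55.163.53 - - [05/Jun/2014:08:47:40 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
"""
# Decoder stand-in: extract the fields the rules test (srcip, url, ...).
LINE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return a dict of decoded fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def rule_100506(ev):
    """First-stage 'Captcha attempt' rule: a GET for the captcha script."""
    return ev["method"] == "GET" and ev["url"].endswith("/captcha.php")

def correlate(log, frequency=4, timeframe=60):
    """Composite-rule emulation (hypothetical semantics, not OSSEC's code): alert
    when `frequency` same-source-IP matches fall within `timeframe` seconds."""
    windows = defaultdict(deque)          # srcip -> recent match timestamps
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or not rule_100506(ev):
            continue
        q = windows[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()                   # age out matches past the window
        if len(q) >= frequency:
            alerts.append((ev["srcip"], ev["ts"].isoformat()))
            q.clear()                     # one alert per burst, then restart
    return alerts
```

Running `correlate(SAMPLE_LOG)` raises a single alert at the fourth captcha request (08:47:25); with `timeframe=30` the same log never reaches four requests inside one window and produces none.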