On Thu, Jun 5, 2014 at 4:30 PM, Lou <[email protected]> wrote:
> Ok. I removed the <url> from the rule and just use <match>, and this worked.
> The first rule is triggered. However, the second rule, which should trigger
> if there are 4 requests in 60 seconds, does not. The sample apache log file
> has 5 entries with date stamps within 1 minute of each other. Any idea what
> I'm missing?
>

Try 3 requests in 60 seconds. The documentation explains why.

> Thanks for the help thus far. Much appreciated.
>
> On Thursday, June 5, 2014 3:57:52 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 5, 2014 at 3:49 PM, Lou <[email protected]> wrote:
>> > More info. I've determined that modifying the Apache Log Format does
>> > cause a problem (I suppose I have to update a decoder?). I manually
>> > modified my apache log and ran the tool again and it provided the
>> > below output.
>> >
>>
>> Yes, if you don't use the default log format OSSEC won't recognize it.
>>
>> > **Phase 2: Completed decoding.
>> >        decoder: 'pure-transfer'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '11310'
>> >        Level: '0'
>> >        Description: 'Rule grouping for pure ftpd transfers.'
>> >
>> > So I changed the rule to this but still cannot get it to work.
>> >
>> > <rule id="100506" level="1">
>> >     <if_sid>11310</if_sid>
>> >     <url>captchaDB.php</url>
>>
>> I don't have access to an OSSEC system I can test on at the moment,
>> but this url doesn't exist in the log message you provided.
>> You'll also notice that in the Phase 2 output you provided, the "url"
>> field doesn't exist.
>>
>> >     <match>GET</match>
>> >     <description>Captcha attempt.</description>
>> > </rule>
>> >
>> > <rule id="100507" level="10" frequency="4" timeframe="60">
>> >     <if_matched_sid>100506</if_matched_sid>
>> >     <same_source_ip />
>> >     <description>Captcha attack.</description>
>> >     <group>attack,</group>
>> > </rule>
>> >
>> > On Thursday, June 5, 2014 3:08:30 PM UTC-4, Lou wrote:
>> >>
>> >> I did some googling and came up with this rule.
>> >>
>> >> <rule id="100506" level="1">
>> >>     <if_sid>31101</if_sid>
>> >>     <url>captchaDB.php</url>
>> >>     <match>GET</match>
>> >>     <description>Captcha attempt.</description>
>> >> </rule>
>> >>
>> >> <rule id="100507" level="10" frequency="4" timeframe="60">
>> >>     <if_matched_sid>100506</if_matched_sid>
>> >>     <same_source_ip />
>> >>     <description>Captcha attack.</description>
>> >>     <group>attack,</group>
>> >> </rule>
>> >>
>> >> And then I tested:  cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a
>> >>
>> >> The tool triggered one alert (the word 'error' in a filename - which is
>> >> ok). So my rule does not seem to be working. Any suggestions? I also
>> >> have one other question. I modified my apache log format to include the
>> >> domain at the start of the log entry... does this affect how OSSEC rules
>> >> parse the logs?
>> >>
>> >> My full log entry actually looks like this:
>> >>
>> >> www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com"; "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
>> >>
>> >> On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote:
>> >>>
>> >>> I receive other alerts so at least I know it is partially configured
>> >>> correctly.
>> >>>
>> >>> The apache log file entries look something like this:
>> >>>
>> >>> 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200
>> >>>
>> >>> Thanks
>> >>>
>> >>> On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
>> >>>>
>> >>>> On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
>> >>>> > I'm new to OSSEC and have recently installed it on some web servers
>> >>>> > that are being 'abused'. Every 15-20 seconds the user is accessing
>> >>>> > the captcha file and I believe he is using an OCR tool to bypass it.
>> >>>> > I was under the impression that OSSEC would detect this automatically
>> >>>> > with its included rules and send me a notification (similar to DOS
>> >>>> > attack). This does not seem to be the case. Do I need to create a
>> >>>> > specific rule for this? Or do I have something misconfigured? I
>> >>>> > would appreciate any help.
>> >>>> >
>> >>>>
>> >>>> There's probably no rule for it. You can use the ossec-logtest program
>> >>>> to help create rules for these events. Giving us log samples can also
>> >>>> help. There is definitely a possibility for misconfiguration though.
>> >>>> Without knowing how your systems are configured, it's hard to tell.
>> >>>>
>> >>>> > Thanks!
>> >>>> >
>> >>>> > --
>> >>>> >
>> >>>> > ---
>> >>>> > You received this message because you are subscribed to the Google
>> >>>> > Groups
>> >>>> > "ossec-list" group.
>> >>>> > To unsubscribe from this group and stop receiving emails from it,
>> >>>> > send
>> >>>> > an
>> >>>> > email to [email protected].
>> >>>> > For more options, visit https://groups.google.com/d/optout.
>

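The frequency/timeframe behaviour behind the "try 3 requests" advice above, modelled as an added Python example that is not part of this thread or of OSSEC itself: it parses constructed default-format Apache log lines, applies a stand-in for the level-1 child rule, and then counts matches per source IP the way the OSSEC rules documentation describes (the count that actually triggers a frequency rule is two more than the frequency attribute). The names parse_line, child_rule_matches, composite_alerts and doc_offset are my own, and resetting the window once the composite rule fires is an assumption, not OSSEC's exact implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in Apache's default format (the thread notes a customised
# LogFormat is not recognised by OSSEC's decoders): five captcha requests from one
# source IP inside a 60-second span, plus one unrelated request from another IP.
SAMPLE_LOG = """\
70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512
70.55.163.53 - - [05/Jun/2014:08:46:52 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512
203.0.113.9 - - [05/Jun/2014:08:47:01 -0400] "GET /index.html HTTP/1.1" 200 2048
70.55.163.53 - - [05/Jun/2014:08:47:10 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512
70.55.163.53 - - [05/Jun/2014:08:47:27 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512
70.55.163.53 - - [05/Jun/2014:08:47:33 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Extract the fields a web-log decoder exposes: srcip, timestamp, method, url."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"srcip": m.group(1), "ts": ts, "method": m.group(3), "url": m.group(4)}

def child_rule_matches(ev):
    """Stand-in for the level-1 rule: <match>GET</match> plus <url>captcha.php</url>."""
    return ev["method"] == "GET" and "captcha.php" in ev["url"]

def composite_alerts(log_text, frequency, timeframe=60, doc_offset=2):
    """Model of <if_matched_sid> with frequency/timeframe and <same_source_ip />.
    Per the OSSEC docs the triggering count is two more than frequency (doc_offset).
    Returns the (srcip, epoch) pairs at which the composite rule fires."""
    needed = frequency + doc_offset
    windows = defaultdict(deque)  # one sliding window per source IP (same_source_ip)
    fired = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not child_rule_matches(ev):
            continue
        q = windows[ev["srcip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > timeframe:  # drop matches older than the timeframe
            q.popleft()
        if len(q) >= needed:
            fired.append((ev["srcip"], ev["ts"]))
            q.clear()  # assumption: window resets once the composite rule fires
    return fired
```

With the five sample entries, frequency=4 (six events needed) never fires while frequency=3 fires on the fifth request, which is the behaviour the thread describes.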