You should also note that your rule 100507 will not be triggered by
ossec-logtest because of the timeframe and frequency settings.
I tried a little bit with a normal apache access log:
115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
/manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
(compatible; Indy Library)"
**Phase 1: Completed pre-decoding.
full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
/manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
(compatible; Indy Library)"'
hostname: 'exp'
program_name: '(null)'
log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
/manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
(compatible; Indy Library)"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '115.239.248.56'
url: '/manager/html/captcha.php'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
Then I added this rule:
I used this rule:
<rule id="100506" level="1">
<if_sid>31108</if_sid>
<url>captcha.php</url>
<description>Captcha attempt.</description>
</rule>
Then I got:
**Phase 1: Completed pre-decoding.
full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
/manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
(compatible; Indy Library)"'
hostname: 'exp'
program_name: '(null)'
log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
/manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
(compatible; Indy Library)"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '115.239.248.56'
url: '/manager/html/captcha.php'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '100506'
Level: '1'
Description: 'Captcha attempt.'
**Alert to be generated.
Now you only have to tweak 100507.
As for your modified access_log I can recommend to include the
domainname before the path. I use this:
LogFormat "%h %l %u %t \"%m %v%U%q %H\" %>s %b \"%{Referer}i\"
\"%{User-agent}i\""
and there are no problems with ossec or logwatch
Regards
Christian
Am 05.06.2014 21:08, schrieb Lou:
> I did some google'n and came up with this rule.
>
> <rule id="100506" level="1">
> <if_sid>31101</if_sid>
> <url>captchaDB.php</url>
> <match>GET</match>
> <description>Captcha attempt.</description>
> </rule>
>
> <rule id="100507" level="10" frequency="4" timeframe="60">
> <if_matched_sid>100506</if_matched_sid>
> <same_source_ip />
> <description>Captcha attack.</description>
> <group>attack,</group>
> </rule>
>
> And then I tested: cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a
>
> The tool triggered one alert (the word 'error' in a filename - which is
> ok). So my rule does not seem to be working. Any suggestions? I also
> have one other question. I modified my apache log format to include the
> domain at the start of the log entry... does this affect how OSSEC rules
> parse the logs?
>
> My full log entry actually looks like this:
>
> www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
> /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com";
> "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0;
> SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
> Center PC 6.0; .NET4.0C; .NET4.0E)"
>
> On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote:
>
> I receive other alerts so at least I know it is partially configured
> correctly.
>
> The apache log file entries look something like this:
>
> 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
> /path/to/file/captcha.php HTTP/1.1" 200
>
> thanks
>
> On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
> > I'm new to OSSEC and have recently installed it on some web
> servers that are
> > being 'abused'. Every 15-20 seconds the user is accessing the
> captcha file
> > and i believe he is using an OCR tool to bypass it. I was
> under the impression
> > that OSSEC would detect this automatically with it's included
> rules and send
> > me a notification (similar to DOS attack). This does not seem
> to be the
> > case. Do i need to create a specific rule for this? Or do i
> have something
> > mis-configured? I would appreciate any help.
> >
>
> There's probably no rule for it. You can use the ossec-logtest
> program
> to help create rules for these events. Giving us log samples can
> also
> help.
> There is definitely a possibility for misconfiguration though.
> Without
> knowing how your systems are configured, it's hard to tell.
>
> > Thanks!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the
> Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from
> it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
