It was choking on one of my local rules. OSSEC is starting up again and it can now decode my apache logs. Thanks for all the help!!
On Thursday, June 5, 2014 11:01:21 PM UTC-4, Lou wrote:
>
> I did comment out the rule file from the ossec.conf file and i did check
> the log for errors (didn't see anything). Perhaps i missed something in
> the decoder.xml file - i will take a closer look
>
> On Thursday, June 5, 2014 10:41:52 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Jun 5, 2014 10:40 PM, "Lou" <[email protected]> wrote:
>> >
>> > OSSEC does not start after commenting out the pure-transfer decoder
>> > in /var/ossec/etc/decoder.xml
>> >
>>
>> It does tell you why, and I made sure to mention it in my email. The
>> rules require the decoder. Comment out the rules file from the ossec.conf.
>>
>> > On Thursday, June 5, 2014 10:20:30 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jun 5, 2014 at 9:43 PM, Lou <[email protected]> wrote:
>> >> > If i use the logtest tool against the sample apache log you provided it
>> >> > decodes it correctly. If i substitute my timezone (see below) it does not
>> >> >
>> >> > Mine: 115.239.248.56 - - [05/Jun/2014:21:10:29 -0400] "GET
>> >> > /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible;
>> >> > Indy Library)"
>> >> >
>> >> > Yours: 115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> > /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible;
>> >> > Indy Library)"
>> >> >
>> >> > Any idea what's going on here?
>> >> >
>> >>
>> >> Do you use pureftpd? If not, comment out the pure-transfer decoder,
>> >> and the pure-ftpd_rules.xml entry in your ossec.conf and try again.
>> >>
>> >> I thought we had cleaned up the pure ftpd decoder issue, but I guess not.
>> >>
>> >> >
>> >> > On Thursday, June 5, 2014 4:51:47 PM UTC-4, Lou wrote:
>> >> >>
>> >> >> Thanks guys.. i will have to take a closer look. My apache log isn't
>> >> >> being decoded properly - it's not grabbing the url OR scrip. I'm using this
>> >> >> for my Log Format currently LogFormat "%{HOST}i %h %l %u %t \"%r\" %>s %b
>> >> >> \"%{Referer}i\" \"%{User-Agent}i\""
>> >> >>
>> >> >> I'm done for now.. i will hopefully have some more time later this evening
>> >> >> to investigate further.
>> >> >>
>> >> >> Thanks to you both!!
>> >> >>
>> >> >> On Thursday, June 5, 2014 4:37:57 PM UTC-4, Christian Beer wrote:
>> >> >>>
>> >> >>> You should also note that your rule 100507 will not be triggered by
>> >> >>> ossec-logtest because of the timeframe and frequency settings.
>> >> >>>
>> >> >>> I tried a little bit with a normal apache access log:
>> >> >>> 115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>> >> >>> (compatible; Indy Library)"
>> >> >>>
>> >> >>> **Phase 1: Completed pre-decoding.
>> >> >>> full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>> >> >>> (compatible; Indy Library)"'
>> >> >>> hostname: 'exp'
>> >> >>> program_name: '(null)'
>> >> >>> log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>> >> >>> (compatible; Indy Library)"'
>> >> >>>
>> >> >>> **Phase 2: Completed decoding.
>> >> >>> decoder: 'web-accesslog'
>> >> >>> srcip: '115.239.248.56'
>> >> >>> url: '/manager/html/captcha.php'
>> >> >>> id: '200'
>> >> >>>
>> >> >>> **Phase 3: Completed filtering (rules).
>> >> >>> Rule id: '31108'
>> >> >>> Level: '0'
>> >> >>> Description: 'Ignored URLs (simple queries).'
>> >> >>>
>> >> >>> Then I added this rule:
>> >> >>> I used this rule:
>> >> >>> <rule id="100506" level="1">
>> >> >>>   <if_sid>31108</if_sid>
>> >> >>>   <url>captcha.php</url>
>> >> >>>   <description>Captcha attempt.</description>
>> >> >>> </rule>
>> >> >>>
>> >> >>> Then I got:
>> >> >>> **Phase 1: Completed pre-decoding.
>> >> >>> full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>> >> >>> (compatible; Indy Library)"'
>> >> >>> hostname: 'exp'
>> >> >>> program_name: '(null)'
>> >> >>> log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>> >> >>> (compatible; Indy Library)"'
>> >> >>>
>> >> >>> **Phase 2: Completed decoding.
>> >> >>> decoder: 'web-accesslog'
>> >> >>> srcip: '115.239.248.56'
>> >> >>> url: '/manager/html/captcha.php'
>> >> >>> id: '200'
>> >> >>>
>> >> >>> **Phase 3: Completed filtering (rules).
>> >> >>> Rule id: '100506'
>> >> >>> Level: '1'
>> >> >>> Description: 'Captcha attempt.'
>> >> >>> **Alert to be generated.
>> >> >>>
>> >> >>> Now you only have to tweak 100507.
>> >> >>>
>> >> >>> As for your modified access_log I can recommend to include the
>> >> >>> domainname before the path. I use this:
>> >> >>> LogFormat "%h %l %u %t \"%m %v%U%q %H\" %>s %b \"%{Referer}i\"
>> >> >>> \"%{User-agent}i\""
>> >> >>>
>> >> >>> and there are no problems with ossec or logwatch
>> >> >>>
>> >> >>> Regards
>> >> >>> Christian
>> >> >>>
>> >> >>>
>> >> >>> On 05.06.2014 21:08, Lou wrote:
>> >> >>> > I did some google'n and came up with this rule.
>> >> >>> >
>> >> >>> > <rule id="100506" level="1">
>> >> >>> >   <if_sid>31101</if_sid>
>> >> >>> >   <url>captchaDB.php</url>
>> >> >>> >   <match>GET</match>
>> >> >>> >   <description>Captcha attempt.</description>
>> >> >>> > </rule>
>> >> >>> >
>> >> >>> > <rule id="100507" level="10" frequency="4" timeframe="60">
>> >> >>> >   <if_matched_sid>100506</if_matched_sid>
>> >> >>> >   <same_source_ip />
>> >> >>> >   <description>Captcha attack.</description>
>> >> >>> >   <group>attack,</group>
>> >> >>> > </rule>
>> >> >>> >
>> >> >>> > And then I tested: cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a
>> >> >>> >
>> >> >>> > The tool triggered one alert (the word 'error' in a filename - which is
>> >> >>> > ok). So my rule does not seem to be working. Any suggestions? I also
>> >> >>> > have one other question. I modified my apache log format to include the
>> >> >>> > domain at the start of the log entry... does this affect how OSSEC rules
>> >> >>> > parse the logs?
>> >> >>> >
>> >> >>> > My full log entry actually looks like this:
>> >> >>> >
>> >> >>> > www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>> >> >>> > /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com"
>> >> >>> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0;
>> >> >>> > SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
>> >> >>> > Center PC 6.0; .NET4.0C; .NET4.0E)"
>> >> >>> >
>> >> >>> > On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote:
>> >> >>> >
>> >> >>> >     I receive other alerts so at least I know it is partially configured
>> >> >>> >     correctly.
>> >> >>> >
>> >> >>> >     The apache log file entries look something like this:
>> >> >>> >
>> >> >>> >     70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>> >> >>> >     /path/to/file/captcha.php HTTP/1.1" 200
>> >> >>> >
>> >> >>> >     thanks
>> >> >>> >
>> >> >>> >     On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
>> >> >>> >
>> >> >>> >         On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
>> >> >>> >         > I'm new to OSSEC and have recently installed it on some web
>> >> >>> >         > servers that are being 'abused'. Every 15-20 seconds the user is
>> >> >>> >         > accessing the captcha file and i believe he is using an OCR tool
>> >> >>> >         > to bypass it. I was under the impression that OSSEC would detect
>> >> >>> >         > this automatically with its included rules and send me a
>> >> >>> >         > notification (similar to DOS attack). This does not seem to be
>> >> >>> >         > the case. Do i need to create a specific rule for this? Or do i
>> >> >>> >         > have something mis-configured? I would appreciate any help.
>> >> >>> >         >
>> >> >>> >
>> >> >>> >         There's probably no rule for it. You can use the ossec-logtest
>> >> >>> >         program to help create rules for these events. Giving us log
>> >> >>> >         samples can also help.
>> >> >>> >         There is definitely a possibility for misconfiguration though.
>> >> >>> >         Without knowing how your systems are configured, it's hard to tell.
>> >> >>> >
>> >> >>> >         > Thanks!
>> >> >>> >         >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
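The thread turns on two things: whether the web-accesslog decoder still yields srcip, url and id when the line carries a leading vhost (Lou's `%{HOST}i` LogFormat) or a different timezone offset, and why rule 100507 (frequency="4", timeframe="60", same_source_ip) cannot fire under ossec-logtest, which judges each line on its own. The following Python is an added illustration written for this page, not code from OSSEC or from anyone in the thread. It decodes both log layouts into the same fields and then replays the 100506/100507 chain with a real sliding window, so the escalation that logtest never shows can be seen on a constructed burst of captcha.php requests. The regex, the `CaptchaCorrelator` class and the sample log lines are all assumptions made here; OSSEC's own decoder and correlation internals are not reproduced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical decoder regex (not OSSEC's): pulls the same fields the
# web-accesslog decoder printed in the thread (srcip, url, id). The
# optional leading token absorbs the vhost that Lou's "%{HOST}i %h ..."
# LogFormat puts in front of the client address.
ACCESS_RE = re.compile(
    r'^(?:(?P<vhost>[\w.-]+)\s+)?'                 # optional %{HOST}i prefix
    r'(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\s+'       # %h
    r'\S+\s+\S+\s+'                                # %l %u
    r'\[(?P<time>[^\]]+)\]\s+'                     # %t, e.g. 05/Jun/2014:21:10:29 -0400
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s+HTTP/[\d.]+)?"\s+'
    r'(?P<id>\d{3})'                               # %>s
)


def decode(line):
    """Return decoder-style fields for one access log line, or None if it
    does not look like an Apache access log entry."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # %z accepts any numeric offset, so -0400 and +0200 both parse; the
    # timezone difference Lou noticed is not a parsing problem here.
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"srcip": m.group("srcip"), "url": m.group("url"),
            "id": m.group("id"), "time": when}


class CaptchaCorrelator:
    """Replays Lou's rule pair: 100506 fires on any request whose url contains
    `url_match`; 100507 fires when `frequency` such matches from one source
    IP fall inside `timeframe` seconds. The window is kept per srcip, which
    is what <same_source_ip /> asks for."""

    def __init__(self, frequency=4, timeframe=60, url_match="captcha.php"):
        self.frequency = frequency
        self.timeframe = timeframe
        self.url_match = url_match
        self.hits = defaultdict(deque)   # srcip -> timestamps of recent matches

    def feed(self, line):
        ev = decode(line)
        if ev is None or self.url_match not in ev["url"]:
            return None                  # not a 100506 match at all
        window = self.hits[ev["srcip"]]
        window.append(ev["time"])
        # Forget matches that fell out of the timeframe (lines assumed in order).
        while (ev["time"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()               # design choice here: restart after alerting
            return {"rule": 100507, "level": 10, "srcip": ev["srcip"]}
        return {"rule": 100506, "level": 1, "srcip": ev["srcip"]}


# Constructed sample lines (not from the thread): one request every ~15 s
# from a single client, in Lou's -0400 zone, the first one carrying a vhost
# prefix, plus one unrelated request from another address.
UA = '"Mozilla/3.0 (compatible; Indy Library)"'
SAMPLE_LOG = [
    f'www.mydomain.com 115.239.248.56 - - [05/Jun/2014:21:10:29 -0400] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" {UA}',
    f'115.239.248.56 - - [05/Jun/2014:21:10:44 -0400] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" {UA}',
    '10.0.0.7 - - [05/Jun/2014:21:10:50 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.35.0"',
    f'115.239.248.56 - - [05/Jun/2014:21:10:59 -0400] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" {UA}',
    f'115.239.248.56 - - [05/Jun/2014:21:11:14 -0400] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" {UA}',
    f'115.239.248.56 - - [05/Jun/2014:21:11:29 -0400] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" {UA}',
]


def run(lines, **rule_settings):
    """Feed lines through a fresh correlator; returns one result per line."""
    corr = CaptchaCorrelator(**rule_settings)
    return [corr.feed(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(result, "<-", line[:60])
```

Running it prints a level-1 match for the first three captcha.php requests, a level-10 alert on the fourth (four hits from 115.239.248.56 within 45 seconds) and nothing for the index.html line. Piping the same six lines through ossec-logtest would show 100506 six times and 100507 never, which is exactly Christian's point: to see 100507 you have to let the running OSSEC analysis server keep state across events, or test with a tool that does.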
