On Thu, Jun 5, 2014 at 11:17 PM, Lou <[email protected]> wrote:
> It was choking on one of my local rules. OSSEC is starting up again and it
> can now decode my apache logs. Thanks for all the help!!
>

Glad you got it working. `/var/ossec/bin/ossec-logtest -t` can sometimes
provide a little more information on what's going wrong.

>
> On Thursday, June 5, 2014 11:01:21 PM UTC-4, Lou wrote:
>>
>> I did comment out the rule file from the ossec.conf file and I did check
>> the log for errors (didn't see anything). Perhaps I missed something in the
>> decoder.xml file - I will take a closer look
>>
>> On Thursday, June 5, 2014 10:41:52 PM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Jun 5, 2014 10:40 PM, "Lou" <[email protected]> wrote:
>>> >
>>> > OSSEC does not start after commenting out the pure-transfer decoder in
>>> > /var/ossec/etc/decoder.xml
>>> >
>>>
>>> It does tell you why, and I made sure to mention it in my email. The
>>> rules require the decoder. Comment out the rules file from the ossec.conf.
>>>
>>> > On Thursday, June 5, 2014 10:20:30 PM UTC-4, dan (ddpbsd) wrote:
>>> >>
>>> >> On Thu, Jun 5, 2014 at 9:43 PM, Lou <[email protected]> wrote:
>>> >> > If I use the logtest tool against the sample apache log you provided
>>> >> > it decodes it correctly. If I substitute my timezone (see below) it
>>> >> > does not
>>> >> >
>>> >> > Mine: 115.239.248.56 - - [05/Jun/2014:21:10:29 -0400] "GET
>>> >> > /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>>> >> > (compatible; Indy Library)"
>>> >> >
>>> >> > Yours: 115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>>> >> > /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>>> >> > (compatible; Indy Library)"
>>> >> >
>>> >> > Any idea what's going on here?
>>> >> >
>>> >>
>>> >> Do you use pureftpd? If not, comment out the pure-transfer decoder,
>>> >> and the pure-ftpd_rules.xml entry in your ossec.conf and try again.
>>> >>
>>> >> I thought we had cleaned up the pure ftpd decoder issue, but I guess
>>> >> not.
>>> >>
>>> >> >
>>> >> > On Thursday, June 5, 2014 4:51:47 PM UTC-4, Lou wrote:
>>> >> >>
>>> >> >> Thanks guys.. I will have to take a closer look. My apache log
>>> >> >> isn't being decoded properly - it's not grabbing the url OR scrip.
>>> >> >> I'm using this for my Log Format currently:
>>> >> >> LogFormat "%{HOST}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
>>> >> >>
>>> >> >> I'm done for now.. I will hopefully have some more time later this
>>> >> >> evening to investigate further.
>>> >> >>
>>> >> >> Thanks to you both!!
>>> >> >>
>>> >> >> On Thursday, June 5, 2014 4:37:57 PM UTC-4, Christian Beer wrote:
>>> >> >>>
>>> >> >>> You should also note that your rule 100507 will not be triggered by
>>> >> >>> ossec-logtest because of the timeframe and frequency settings.
>>> >> >>>
>>> >> >>> I tried a little bit with a normal apache access log:
>>> >> >>> 115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET
>>> >> >>> /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0
>>> >> >>> (compatible; Indy Library)"
>>> >> >>>
>>> >> >>> **Phase 1: Completed pre-decoding.
>>> >> >>>        full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible; Indy Library)"'
>>> >> >>>        hostname: 'exp'
>>> >> >>>        program_name: '(null)'
>>> >> >>>        log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible; Indy Library)"'
>>> >> >>>
>>> >> >>> **Phase 2: Completed decoding.
>>> >> >>>        decoder: 'web-accesslog'
>>> >> >>>        srcip: '115.239.248.56'
>>> >> >>>        url: '/manager/html/captcha.php'
>>> >> >>>        id: '200'
>>> >> >>>
>>> >> >>> **Phase 3: Completed filtering (rules).
>>> >> >>>        Rule id: '31108'
>>> >> >>>        Level: '0'
>>> >> >>>        Description: 'Ignored URLs (simple queries).'
>>> >> >>>
>>> >> >>> Then I added this rule:
>>> >> >>> I used this rule:
>>> >> >>> <rule id="100506" level="1">
>>> >> >>>   <if_sid>31108</if_sid>
>>> >> >>>   <url>captcha.php</url>
>>> >> >>>   <description>Captcha attempt.</description>
>>> >> >>> </rule>
>>> >> >>>
>>> >> >>> Then I got:
>>> >> >>> **Phase 1: Completed pre-decoding.
>>> >> >>>        full event: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible; Indy Library)"'
>>> >> >>>        hostname: 'exp'
>>> >> >>>        program_name: '(null)'
>>> >> >>>        log: '115.239.248.56 - - [05/Jun/2014:21:10:29 +0200] "GET /manager/html/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/3.0 (compatible; Indy Library)"'
>>> >> >>>
>>> >> >>> **Phase 2: Completed decoding.
>>> >> >>>        decoder: 'web-accesslog'
>>> >> >>>        srcip: '115.239.248.56'
>>> >> >>>        url: '/manager/html/captcha.php'
>>> >> >>>        id: '200'
>>> >> >>>
>>> >> >>> **Phase 3: Completed filtering (rules).
>>> >> >>>        Rule id: '100506'
>>> >> >>>        Level: '1'
>>> >> >>>        Description: 'Captcha attempt.'
>>> >> >>> **Alert to be generated.
>>> >> >>>
>>> >> >>> Now you only have to tweak 100507.
>>> >> >>>
>>> >> >>> As for your modified access_log I can recommend to include the
>>> >> >>> domainname before the path. I use this:
>>> >> >>> LogFormat "%h %l %u %t \"%m %v%U%q %H\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
>>> >> >>>
>>> >> >>> and there are no problems with ossec or logwatch
>>> >> >>>
>>> >> >>> Regards
>>> >> >>> Christian
>>> >> >>>
>>> >> >>>
>>> >> >>> On 05.06.2014 21:08, Lou wrote:
>>> >> >>> > I did some google'n and came up with this rule.
>>> >> >>> >
>>> >> >>> > <rule id="100506" level="1">
>>> >> >>> >   <if_sid>31101</if_sid>
>>> >> >>> >   <url>captchaDB.php</url>
>>> >> >>> >   <match>GET</match>
>>> >> >>> >   <description>Captcha attempt.</description>
>>> >> >>> > </rule>
>>> >> >>> >
>>> >> >>> > <rule id="100507" level="10" frequency="4" timeframe="60">
>>> >> >>> >   <if_matched_sid>100506</if_matched_sid>
>>> >> >>> >   <same_source_ip />
>>> >> >>> >   <description>Captcha attack.</description>
>>> >> >>> >   <group>attack,</group>
>>> >> >>> > </rule>
>>> >> >>> >
>>> >> >>> > And then I tested: cat /tmp/access_log | /var/ossec/bin/ossec-logtest -a
>>> >> >>> >
>>> >> >>> > The tool triggered one alert (the word 'error' in a filename - which is
>>> >> >>> > ok). So my rule does not seem to be working. Any suggestions? I also
>>> >> >>> > have one other question. I modified my apache log format to include the
>>> >> >>> > domain at the start of the log entry... does this affect how OSSEC rules
>>> >> >>> > parse the logs?
>>> >> >>> >
>>> >> >>> > My full log entry actually looks like this:
>>> >> >>> >
>>> >> >>> > www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>>> >> >>> > /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com"
>>> >> >>> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0;
>>> >> >>> > SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
>>> >> >>> > Center PC 6.0; .NET4.0C; .NET4.0E)"
>>> >> >>> >
>>> >> >>> > On Thursday, June 5, 2014 12:13:18 PM UTC-4, Lou wrote:
>>> >> >>> >
>>> >> >>> >     I receive other alerts so at least I know it is partially configured
>>> >> >>> >     correctly.
>>> >> >>> >
>>> >> >>> >     The apache log file entries look something like this:
>>> >> >>> >
>>> >> >>> >     70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET
>>> >> >>> >     /path/to/file/captcha.php HTTP/1.1" 200
>>> >> >>> >
>>> >> >>> >     thanks
>>> >> >>> >
>>> >> >>> >     On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
>>> >> >>> >
>>> >> >>> >         On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
>>> >> >>> >         > I'm new to OSSEC and have recently installed it on some web
>>> >> >>> >         > servers that are being 'abused'. Every 15-20 seconds the user is
>>> >> >>> >         > accessing the captcha file and I believe he is using an OCR tool
>>> >> >>> >         > to bypass it. I was under the impression that OSSEC would detect
>>> >> >>> >         > this automatically with its included rules and send me a
>>> >> >>> >         > notification (similar to DOS attack). This does not seem to be
>>> >> >>> >         > the case. Do I need to create a specific rule for this? Or do I
>>> >> >>> >         > have something mis-configured? I would appreciate any help.
>>> >> >>> >         >
>>> >> >>> >
>>> >> >>> >         There's probably no rule for it. You can use the ossec-logtest
>>> >> >>> >         program to help create rules for these events. Giving us log
>>> >> >>> >         samples can also help.
>>> >> >>> >         There is definitely a possibility for misconfiguration though.
>>> >> >>> >         Without knowing how your systems are configured, it's hard to
>>> >> >>> >         tell.
>>> >> >>> >
>>> >> >>> >         > Thanks!
>>> >> >>> >         >
>>> >> >>> >         > --
>>> >> >>> >         >
>>> >> >>> >         > ---
>>> >> >>> >         > You received this message because you are subscribed to the
>>> >> >>> >         > Google Groups "ossec-list" group.
>>> >> >>> >         > To unsubscribe from this group and stop receiving emails from
>>> >> >>> >         > it, send an email to [email protected].
>>> >> >>> >         > For more options, visit https://groups.google.com/d/optout.
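Added example, not part of this thread and not OSSEC's own code: a small Python model of the two-rule chain Lou posted (a per-event "Captcha attempt." match and a same-source-IP frequency rule on top of it) run over a constructed access log. It shows two things the thread states but does not demonstrate: a single line fed to ossec-logtest can never satisfy a frequency/timeframe rule, and a decoder that tolerates the leading "%{HOST}i" virtual-host field still extracts srcip and url from both log layouts. The counting model (fire on the N-th match within T seconds of the oldest retained match, then reset that IP's window) is an assumption of this example and is not OSSEC's exact bookkeeping; the second client IP 203.0.113.7 and all timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache access-log line with an OPTIONAL leading virtual-host field, so both the
# stock combined format and Lou's "%{HOST}i %h %l %u %t ..." variant are decoded.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[A-Za-z0-9.-]+)\s+)?'                 # optional %{HOST}i prefix
    r'(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+'  # %h %l %u
    r'\[(?P<ts>[^\]]+)\]\s+'                              # %t, e.g. 05/Jun/2014:08:46:36 -0400
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+[^"]*"\s+'     # \"%r\"
    r'(?P<status>\d{3})'                                  # %>s
)


def parse_line(line):
    """Decode one access-log line into a dict (vhost, srcip, ts, method, url, status),
    or return None when the line does not look like an Apache access-log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def run_rules(lines, url_fragment="captcha.php", frequency=4, timeframe=60):
    """Simplified model of the 100506/100507 pair from the thread (assumed semantics).

    Every request whose URL contains url_fragment yields a level-1 "Captcha attempt."
    alert. When `frequency` such requests from the same source IP fall within
    `timeframe` seconds, one level-10 "Captcha attack." alert is raised and that
    IP's window is reset, so a sustained burst gives one level-10 alert per
    `frequency` hits rather than one per hit.
    Returns the alerts in order as (level, description, srcip) tuples.
    """
    alerts = []
    windows = defaultdict(deque)  # srcip -> timestamps of recent matching requests
    for line in lines:
        ev = parse_line(line)
        if ev is None or url_fragment not in ev["url"]:
            continue
        alerts.append((1, "Captcha attempt.", ev["srcip"]))
        win = windows[ev["srcip"]]
        win.append(ev["ts"])
        # Evict matches older than the timeframe, measured from the newest match.
        while (ev["ts"] - win[0]).total_seconds() > timeframe:
            win.popleft()
        if len(win) >= frequency:
            alerts.append((10, "Captcha attack.", ev["srcip"]))
            win.clear()
    return alerts


# Constructed sample log: one client hitting captcha.php every 15 seconds, as Lou
# describes, written both with and without the leading virtual-host field.
SAMPLE_LOG = [
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    '70.55.163.53 - - [05/Jun/2014:08:46:51 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/4.0"',
    '70.55.163.53 - - [05/Jun/2014:08:46:55 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    'www.mydomain.com 70.55.163.53 - - [05/Jun/2014:08:47:06 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 "https://mydomain.com" "Mozilla/4.0"',
    '70.55.163.53 - - [05/Jun/2014:08:47:21 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/4.0"',
    '70.55.163.53 - - [05/Jun/2014:08:47:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [05/Jun/2014:08:47:40 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200 295 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    # One line, which is all ossec-logtest evaluates at a time, only reaches level 1.
    print(run_rules(SAMPLE_LOG[:1]))
    # The full stream raises the level-10 alert on the 4th hit within 60 seconds.
    for level, desc, ip in run_rules(SAMPLE_LOG):
        print(f"level {level:2d}  {desc:<17s} srcip={ip}")
```

With the sample above the level-10 alert fires on the fourth captcha.php request from 70.55.163.53 (45 seconds after the first); lowering `timeframe` to 30 leaves the same stream at level 1 only, which is the knob Christian's "tweak 100507" remark points at.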
