Hi Rodrigo,
I've looked at the file syslog_rules.xml to see the rule with ID 1002, and I 
understood the rule perfectly. As you said, I've changed the <match> field 
of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've 
also changed the drop level in my ossec.conf to level 2. Unfortunately, 
it doesn't solve my problem. It's like the apache rules don't match 
any log record, just rule ID 1002 from syslog_rules.

On the other hand, I set up a lab with ossec 2.7 and it works 
perfectly. I ran a scan with Nikto and ossec blocked it normally.

On Monday, February 9, 2015 09:00:41 UTC-2, Rodrigo Montoro 
(Sp0oKeR) wrote:
>
> Hi there!
>
> Rule 1002 is triggering because of the "error" word in the alert and there is 
> no specific decoder for this alert.
>
>
> #./ossec-logtest 
>
> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
> ossec-testrule: Type one log per line.
>
> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 
> 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match 
> of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file 
> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>  
> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but 
> Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] 
> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri 
> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] 
> [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). 
> Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file 
> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>  
> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but 
> Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] 
> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri 
> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>        hostname: 'spookerlabs'
>        program_name: '(null)'
>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 
> 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match 
> of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file 
> "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>  
> [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but 
> Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] 
> [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri 
> "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> Rule 1002
>
> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal 
> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>
>   <rule id="1002" level="2">
>     <match>$BAD_WORDS</match>
>     <options>alert_by_email</options>
>     <description>Unknown problem somewhere in the system.</description>
>   </rule>
>
>
> Since this rule is level 2, it's not going to trigger an active response, 
> since your config said to alert only on level 5 or higher.
>
> More info here http://ossec-docs.readthedocs.org/en/latest/manual/ar/
>
> Looking into the Modsecurity rules, there are 2 under the apache rules:
>
>  <rule id="30200" level="6" noalert="1">
>     <match>^mod_security-message: </match>
>     <description>Modsecurity alert.</description>
>   </rule>
>
>   <rule id="30201" level="6">
>     <if_sid>30200</if_sid>
>     <match>^mod_security-message: Access denied </match>
>     <description>Modsecurity access denied.</description>
>     <group>access_denied,</group>
>   </rule>
>
> But I think you need to update it to "ModSecurity: Access denied" instead of 
> "mod_security-message: Access denied".
>
> Do you have a raw log different from error? Is this a common modsec error 
> log? Maybe we need to create a decoder for that.
>
> Hope it helps.
>
> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <chacal...@gmail.com> 
> wrote:
>
>> Hello Rodrigo,
>> Thank you so much for answering me. So, some time ago I had an 
>> installation of ossec with the same configuration; ossec read apache's 
>> error.log and blocked the attacks in iptables with the active 
>> response. I really don't know if something has changed in the latest version 
>> of ossec, but it doesn't block any kind of attack (ssh brute force, http 
>> attacks, etc). Attached below are my ossec.conf and some alerts from 
>> alert.conf. My active-responses.log is empty.
>> When I executed the command (cat /var/chroot/var/log/apache2/error.log | 
>> /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received 
>> the following message:
>>
>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating 
>> output...
>>  
>> Report completed. ==
>> ------------------------------------------------
>> ->Processed alerts: 3940
>> ->Post-filtering alerts: 3940
>> ->First alert: 2015 Feb 09 01:03:00
>> ->Last alert: 2015 Feb 09 01:03:01
>>  
>>  
>> Top entries for 'Level':
>> ------------------------------------------------
>> Severity 6                                            |3864    |
>> Severity 13                                           |76      |
>>  
>>  
>> Top entries for 'Group':
>> ------------------------------------------------
>> errors                                                |3940    |
>> syslog                                                |3940    |
>>  
>> Top entries for 'Location':
>> ------------------------------------------------
>> ubuntu->stdin                                         |3940    |
>>  
>>  
>> Top entries for 'Rule':
>> ------------------------------------------------
>> 1002 - Unknown problem somewhere in the system.       |3864    |
>> 1003 - Non standard syslog message (size too large).  |76      |
>>
>> Thank you for your help.
>>
>>
>> On Sunday, February 8, 2015 22:25:22 UTC-2, Rodrigo Montoro 
>> (Sp0oKeR) wrote:
>>>
>>> Hi Ricardo,
>>>
>>> I think modsec isn't apache format; could you share some alert samples 
>>> from your log file?
>>>
>>> A good way to test if ossec will work with your log format is using 
>>> logtest: http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>>>
>>> About active-response, how is your ossec.conf configured? Could you 
>>> share it? Anyway, OSSEC won't block any attack, only take some action on 
>>> some attack. Looking into /var/ossec/log/ you could see it under the 
>>> active-response log.
>>>
>>> Let me know if this helps.
>>>
>>> Thanks
>>>
>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <chacal...@gmail.com> 
>>> wrote:
>>>
>>>> Hi there guys,
>>>> I'm facing a problem with ossec; I hope you can help me. I've 
>>>> configured my ossec to monitor the apache and modsecurity logs of my 
>>>> chroot. I put the lines below in ossec.conf:
>>>>
>>>> <localfile>
>>>> <log_format>apache</log_format>
>>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>> <log_format>apache</log_format>
>>>> <location>/var/chroot/var/log/apache2/error.log</location>
>>>> </localfile>
>>>>
>>>> The problem is that ossec doesn't block any attack. I receive 
>>>> ossec's logs normally, but every log has the same ID, like this:
>>>>
>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>>>> Portion of the log(s):
>>>>
>>>> Thank you for your attention.
>>>>
>>>>  -- 
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
>>>
>>> -- 
>>> Rodrigo Montoro (Sp0oKeR)
>>> http://spookerlabs.blogspot.com
>>> http://www.twitter.com/spookerlabs
>>> http://www.linkedin.com/in/spooker
>>>  
>
>
>
> -- 
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>  


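An added example, not from the thread or from OSSEC itself, that parses the ModSecurity error-log line Rodrigo fed to ossec-logtest and shows why the original and the suggested <match> strings behave differently against it. The match function is a simplified model (an assumption) of OSSEC's <match>, and the level-5 threshold is taken from Rodrigo's reading of the config.

```python
import re

# Constructed sample: the Apache 2.4 / ModSecurity error-log line from the thread,
# joined back onto one line as it sits in error.log.
SAMPLE = ('[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] '
          'ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against '
          '"REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/'
          'activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] '
          '[id "960904"] [rev "2"] [msg "Request Containing Content, but Missing '
          'Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] '
          '[maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] '
          '[unique_id "VNglXmiDNHMAABCSoYkAAAAH"]')

# $BAD_WORDS as quoted from syslog_rules.xml; OSSEC treats '|' as alternation.
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

def ossec_match(pattern, line):
    """Simplified model (assumption) of OSSEC <match>: a literal substring test,
    anchored to the start of the line only when the pattern begins with '^'."""
    if pattern.startswith('^'):
        return line.startswith(pattern[1:])
    return pattern in line

def bad_words_hits(line):
    """Which $BAD_WORDS alternatives rule 1002 would find in this line."""
    return [w for w in BAD_WORDS.split('|') if w in line]

# Apache 2.4 error-log prefix followed by the ModSecurity message; KV picks up the
# quoted [key "value"] pairs that ModSecurity appends to the message.
HEAD = re.compile(r'^\[[^\]]+\] \[:?(?P<level>\w+)\] \[pid (?P<pid>\d+)\] '
                  r'\[client (?P<client>[^\]]+)\] (?P<msg>ModSecurity: .*)$')
KV = re.compile(r'\[(\w+) "([^"]*)"\]')
WANTED = ('id', 'msg', 'severity', 'uri', 'hostname')

def parse_modsec_error(line):
    """Fields a dedicated decoder would expose: srcip, action, and the CRS metadata."""
    m = HEAD.match(line)
    if not m:
        return None
    srcip = m.group('client').split(':')[0]          # Apache 2.4 may append :port
    fields = {'srcip': srcip, 'action': m.group('msg').split(' with code')[0]}
    fields.update((k, v) for k, v in KV.findall(m.group('msg')) if k in WANTED)
    return fields

def would_trigger_active_response(level, threshold=5):
    """Rodrigo's point: an active response only fires at or above the configured level."""
    return level >= threshold
```

Run against SAMPLE, the anchored `^mod_security-message: Access denied ` pattern never matches because the line starts with the Apache timestamp, while `ModSecurity: Access denied` does; rule 1002's words "error" and "denied" both hit, which is why it keeps winning.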