On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <chacalito2...@gmail.com> wrote:
> Hi Dan,
> I see. As soon as I get home I'll send the log files. Do you want only the
> alert.log or something else?

I'd love to see the apache log messages that work in OSSEC 2.7 but not in 2.8.

On Monday, February 9, 2015 17:00:38 UTC-2, dan (ddpbsd) wrote:
> It's hard to tell without log samples.

On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <chacal...@gmail.com> wrote:
> Hi guys,
> I made some tests here with ossec 2.7. When I try to scan the target, modsec
> delivers a 403 error page, so ossec reads the apache access.log file, matches
> the rule with ID 31151 from web_rules.xml and blocks the attacker's IP on
> iptables. The rule is below:
>
>     <rule level="10" id="31151" timeframe="90" frequency="12">
>       <if_matched_sid>31101</if_matched_sid>
>       <same_source_ip/>
>       <description>Multiple web server 400 error codes </description>
>       <description>from same source ip.</description>
>       <group>web_scan,recon,</group>
>     </rule>
>
> The question is, why doesn't the same thing happen on ossec 2.8.1? Is there
> some problem if I use version 2.7?

On Monday, February 9, 2015 15:47:31 UTC-2, Ricardo Galossi wrote:
> Hi Dan,
> Thank you for your attention. I'm at work now, and I'm not able to access my
> VPS from here, but tonight when I leave the company I'll send you the log
> file.

On Monday, February 9, 2015 15:42:46 UTC-2, dan (ddpbsd) wrote:
> Can you provide a log sample?

On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <chacal...@gmail.com> wrote:
> Hi Rodrigo,
> I've seen the file syslog_rules.xml to see the rule with ID 1002; I understood
> the rule perfectly. As you said, I've changed the <match> field of the rules
> with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the
> level of drop in my ossec.conf to level 2. Unfortunately, it doesn't solve my
> problem. It's like the apache rules don't match any log record, just the rule
> ID 1002 from syslog_rules.
>
> On the other hand, I made a laboratory with ossec 2.7 and it works perfectly.
> I made a scan with Nikto and ossec blocked normally.

On Monday, February 9, 2015 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> Hi there!
>
> Rule 1002 is triggering because of the "error" word in the alert and no
> specific decoder for this alert:
>
>     #./ossec-logtest
>
>     2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
>     2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
>     ossec-testrule: Type one log per line.
>
>     [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
>
>     **Phase 1: Completed pre-decoding.
>            full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>            hostname: 'spookerlabs'
>            program_name: '(null)'
>            log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
>
>     **Phase 2: Completed decoding.
>            No decoder matched.
>
>     **Phase 3: Completed filtering (rules).
>            Rule id: '1002'
>            Level: '2'
>            Description: 'Unknown problem somewhere in the system.'
>     **Alert to be generated.
>
> Rule 1002:
>
>     <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>
>     <rule id="1002" level="2">
>       <match>$BAD_WORDS</match>
>       <options>alert_by_email</options>
>       <description>Unknown problem somewhere in the system.</description>
>     </rule>
>
> Since this rule is level 2 it's not going to trigger an active response,
> since your config said to alert only on level 5 or higher.
>
> More info here: http://ossec-docs.readthedocs.org/en/latest/manual/ar/
>
> Looking into the Modsecurity rules, there are 2 under the apache rules:
>
>     <rule id="30200" level="6" noalert="1">
>       <match>^mod_security-message: </match>
>       <description>Modsecurity alert.</description>
>     </rule>
>
>     <rule id="30201" level="6">
>       <if_sid>30200</if_sid>
>       <match>^mod_security-message: Access denied </match>
>       <description>Modsecurity access denied.</description>
>       <group>access_denied,</group>
>     </rule>
>
> But I think they need to be updated to "ModSecurity: Access denied" instead of
> "mod_security-message: Access denied".
>
> Do you have a raw log different from error? Is this a common modsec error
> log? Maybe you need to create a decoder for that.
>
> Hope it helps.
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker

On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <chacal...@gmail.com> wrote:
> Hello Rodrigo,
> Thank you so much for answering me. So, some time ago I had an installation of
> ossec with the same configuration; ossec read the error.log of apache and
> blocked the attacks on iptables with the active response. I really don't know
> if something has changed in the last version of ossec, but it doesn't block any
> kind of attack (ssh brute force, http attacks, etc). Attached below are my
> ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
> When I executed the command (cat /var/chroot/var/log/apache2/error.log |
> /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received
> the following message:
>
>     2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
>     2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
>     2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
>     2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
>
>     Report completed. ==
>     ------------------------------------------------
>     ->Processed alerts: 3940
>     ->Post-filtering alerts: 3940
>     ->First alert: 2015 Feb 09 01:03:00
>     ->Last alert: 2015 Feb 09 01:03:01
>
>     Top entries for 'Level':
>     ------------------------------------------------
>     Severity 6                                    |3864    |
>     Severity 13                                   |76      |
>
>     Top entries for 'Group':
>     ------------------------------------------------
>     errors                                        |3940    |
>     syslog                                        |3940    |
>
>     Top entries for 'Location':
>     ------------------------------------------------
>     ubuntu->stdin                                 |3940    |
>
>     Top entries for 'Rule':
>     ------------------------------------------------
>     1002 - Unknown problem somewhere in the system.        |3864    |
>     1003 - Non standard syslog message (size too large).   |76      |
>
> Thank you for your help.

On Sunday, February 8, 2015 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:
> Hi Ricardo,
>
> I think modsec isn't apache format; could you share some alert samples from
> your log file?
>
> A good way to test if ossec will work with your log format is using logtest:
>
> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>
> About active-response, how is your ossec.conf configured? Could you share it?
> Anyway, OSSEC won't block any attack, it only takes some action on some
> attacks. Looking into /var/ossec/log/ you could see the active-response log.
>
> Let me know if this helps.
>
> Thanks

On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <chacal...@gmail.com> wrote:
> Hi there guys,
> I'm facing a problem with ossec, I hope you can help me. I've configured my
> ossec to monitor the apache and modsecurity logs of my chroot. I put the lines
> below in ossec.conf:
>
>     <localfile>
>       <log_format>apache</log_format>
>       <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
>     </localfile>
>
>     <localfile>
>       <log_format>apache</log_format>
>       <location>/var/chroot/var/log/apache2/error.log</location>
>     </localfile>
>
> The problem is that ossec doesn't block any attack. I receive ossec's logs
> normally, but every log has the same ID, like this:
>
>     Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
>     Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
>     Portion of the log(s):
>
> Thank you for your attention.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
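Two things in the thread explain the symptom, and the added example below (written for this page; it is not OSSEC's code and not something Ricardo or Rodrigo posted) replays them in Python: the stock rules 30200/30201 quoted above match `^mod_security-message: `, while the Apache 2.4 line in Rodrigo's logtest run carries `ModSecurity: Access denied`, so no decoder matches, the line falls to rule 1002 on the word "error", and a level-2 alert never reaches an active response configured for level 5 or higher. The block decodes both line formats with a regex written for the format shown (IPv4 clients only), feeds "Access denied" hits into a same-source-IP frequency/timeframe correlator shaped like rule 31151 (frequency 12, timeframe 90, levels 6 and 10 taken from the rules quoted above), and gates blocking on an `ar_level` parameter that stands in for `<active-response><level>`. The sample log lines are constructed with documentation IPs; `decode`, `DeniedCorrelator`, `modsec_line` and `run` are names of this example only, and clearing the correlator window after the composite alert fires is a choice made here, not a description of OSSEC's behaviour.

```python
"""Toy replay of OSSEC's decode -> rule -> active-response chain for ModSecurity
lines in the Apache error log. Added example, not OSSEC's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Decoder for the Apache 2.4 prefix "[ts] [:error] [pid N] [client IP]" from the
# logtest run above (module name, pid and client port optional) and the 2.2 prefix
# "[ts] [error] [client IP]"; the keyword after the prefix changed too, which is
# why a rule matching "^mod_security-message: " (30200/30201) never sees 2.4 lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?:\w*:)?\w+\](?: \[pid \d+(?::tid \d+)?\])?"
    r" \[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "  # IPv4 only
    r"(?:ModSecurity|mod_security-message): (?P<action>Access denied|Warning)"
    r"(?: with code (?P<status>\d+))?(?P<rest>.*)$")
TAG_RE = re.compile(r'\[(?P<key>id|msg|uri|severity) "(?P<val>[^"]*)"\]')

def decode(line):
    """Fields for a ModSecurity line, or None (OSSEC's 'No decoder matched')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:  # 2.4 timestamps carry microseconds, 2.2 ones do not; drop them
        ts = datetime.strptime(re.sub(r"\.\d+", "", m.group("ts")), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    fields = {"timestamp": ts, "srcip": m.group("srcip"),
              "action": m.group("action"), "status": m.group("status")}
    fields.update((t.group("key"), t.group("val")) for t in TAG_RE.finditer(m.group("rest")))
    return fields

class DeniedCorrelator:
    """Shape of 30201 + 31151: each decoded 'Access denied' raises a base alert
    (level 6); the same srcip raising it `frequency` times within `timeframe`
    seconds fires a composite alert at `composite_level` (31151: 12, 90, level 10).
    Clearing the window after the composite fires is this toy's choice."""
    def __init__(self, frequency=12, timeframe=90, base_level=6, composite_level=10):
        self.frequency, self.timeframe = frequency, timedelta(seconds=timeframe)
        self.base_level, self.composite_level = base_level, composite_level
        self.window = defaultdict(deque)  # srcip -> timestamps of recent base hits

    def feed(self, fields):
        if fields is None or fields.get("action") != "Access denied":
            return None
        ip, ts = fields["srcip"], fields["timestamp"]
        q = self.window[ip]
        q.append(ts)
        while ts - q[0] > self.timeframe:  # expire hits older than the timeframe
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()
            return {"srcip": ip, "level": self.composite_level, "rule": "composite"}
        return {"srcip": ip, "level": self.base_level, "rule": "base"}

def active_response_fires(alert, ar_level):
    """<active-response><level>N</level>: only alerts of level >= N run the command."""
    return alert is not None and alert["level"] >= ar_level

def run(lines, ar_level=6, **rule_kwargs):
    """Replay lines; return IPs that would be blocked plus alert/undecoded counts."""
    corr = DeniedCorrelator(**rule_kwargs)
    blocked, alerts, undecoded = [], 0, 0
    for line in lines:
        fields = decode(line)
        if fields is None:
            undecoded += 1
            continue
        alert = corr.feed(fields)
        if alert is None:
            continue
        alerts += 1
        if active_response_fires(alert, ar_level) and alert["srcip"] not in blocked:
            blocked.append(alert["srcip"])
    return {"blocked": blocked, "alerts": alerts, "undecoded": undecoded}

# Constructed sample events (documentation IPs, not from the thread): a scanner
# denied every 5 s for a minute, a second client denied twice (once in the 2.2
# format), and one non-ModSecurity Apache error line that decodes to nothing.
NOISY, QUIET = "203.0.113.7", "198.51.100.9"
T0 = datetime(2015, 2, 9, 0, 11, 26, 954264)
CRS_TAGS = '[id "960904"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"]'

def modsec_line(ts, ip, uri, legacy=False):
    if legacy:
        return (f"[{ts:%a %b %d %H:%M:%S %Y}] [error] [client {ip}] mod_security-message: "
                f'Access denied with code 403 (phase 2). {CRS_TAGS} [uri "{uri}"]')
    return (f"[{ts:%a %b %d %H:%M:%S.%f %Y}] [:error] [pid 4242] [client {ip}:51234] "
            f'ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" '
            f'against "REQUEST_HEADERS:Content-Length" required. {CRS_TAGS} '
            f'[uri "{uri}"] [unique_id "constructed"]')

SAMPLE_LINES = (
    [modsec_line(T0 + timedelta(seconds=5 * i), NOISY, f"/scan{i}.php") for i in range(12)]
    + [modsec_line(T0 + timedelta(seconds=7), QUIET, "/nyet.gif"),
       modsec_line(T0 + timedelta(seconds=30), QUIET, "/login.php", legacy=True),
       f"[{T0:%a %b %d %H:%M:%S.%f %Y}] [core:error] [pid 4242] [client {QUIET}:51234] "
       "AH00135: Invalid method in request FOO /"])

if __name__ == "__main__":
    print({lvl: run(SAMPLE_LINES, ar_level=lvl)["blocked"] for lvl in (6, 7, 11)})
```

Run as a script it prints which IPs would be blocked at gate levels 6, 7 and 11: at 6 every single denial blocks, because 30201 itself is level 6; at 7 only the scanner that tripped the composite rule; at 11 nothing, which is the level-2 rule 1002 situation in miniature. Shrinking `timeframe` to 30 seconds also stops the scanner from being blocked, since no 12 of its hits fall inside one window. In OSSEC the same chain is expressed as a decoder in etc/local_decoder.xml and rules in rules/local_rules.xml, and checked with ossec-logtest exactly as Rodrigo did.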