Hi Dan,
I installed ossec as "local". Yeah, the AR configuration is the default. The
daemon ossec-execd is running normally and the firewall is enabled. I ran
tests with both versions of ossec, 2.7 and 2.8.1, on the same VPS.
However, only version 2.7 blocks the attacker based on rule ID 31151.

If you want I can send you the logs of ossec 2.8.1.

Thank you for your attention.

On Monday, February 9, 2015 at 18:23:09 UTC-2, dan (ddpbsd) wrote:
>
> On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <chacal...@gmail.com> wrote:
> > Hi Dan,
> > The logs are attached.
> > 
>
> Ok, it looks like active response is being triggered by rule 31151: 
> Mon Feb  9 15:10:03 BRST 2015 /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87 1423501803.36643 31151
>
> Using ossec-logtest, and pasting the log message in a few times, does
> trigger 31151:
> 172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: '172.16.10.87'
>        url: '/wordpress/KwJ55hQv.asmx'
>        id: '403'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31151'
>        Level: '10'
>        Description: 'Multiple web server 400 error codes from same source ip.'
> **Alert to be generated. 
>
> Since you didn't provide your AR configuration I'll have to assume 
> it's the default. Based on that, we get back to earlier questions: 
> Is ossec-execd running on the agent? 
> Is the firewall enabled on the system? 
>
> > On Monday, February 9, 2015 at 17:20:05 UTC-2, dan (ddpbsd) wrote:
> >> 
> >> On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <chacal...@gmail.com> 
> >> wrote: 
> >> > Hi Dan, 
> >> > I see. As soon as I get home I'll send the log files. Do you want only
> >> > the alert.log or something else?
> >> > 
> >> 
> >> I'd love to see the apache log messages that work in OSSEC 2.7 but not in
> >> 2.8.
> >> 
> >> > On Monday, February 9, 2015 at 17:00:38 UTC-2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <chacal...@gmail.com>
> >> >> wrote:
> >> >> > Hi guys, 
> >> >> > I made some tests here with ossec 2.7. When I try to scan the target,
> >> >> > modsec delivers a 403 error page, so ossec reads the apache access.log
> >> >> > file, matches the rule with ID 31151 from web_rules.xml and blocks the
> >> >> > attacker's IP on iptables. The rule follows below:
> >> >> > 
> >> >> > <rule level="10" id="31151" timeframe="90" frequency="12"> 
> >> >> > <if_matched_sid>31101</if_matched_sid> 
> >> >> > <same_source_ip/> 
> >> >> > <description>Multiple web server 400 error codes </description> 
> >> >> > <description>from same source ip.</description> 
> >> >> > <group>web_scan,recon,</group> 
> >> >> > </rule> 
> >> >> > 
> >> >> > The question is, why doesn't the same thing happen on ossec 2.8.1?
> >> >> > Is there some problem if I use version 2.7?
> >> >> > 
> >> >> 
> >> >> It's hard to tell without log samples. 
> >> >> 
> >> >> > On Monday, February 9, 2015 at 15:47:31 UTC-2, Ricardo Galossi wrote:
> >> >> >>
> >> >> >> Hi Dan,
> >> >> >> Thank you for your attention. I'm at work now, and I'm not able to
> >> >> >> access my VPS from here, but tonight when I leave the company I'll
> >> >> >> send you the log file.
> >> >> >>
> >> >> >> On Monday, February 9, 2015 at 15:42:46 UTC-2, dan (ddpbsd) wrote:
> >> >> >>> 
> >> >> >>> On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi 
> >> >> >>> <chacal...@gmail.com> wrote: 
> >> >> >>> > Hi Rodrigo, 
> >> >> >>> > I've looked at the file syslog_rules.xml to see the rule with ID
> >> >> >>> > 1002, and I understood the rule perfectly. As you said, I've changed
> >> >> >>> > the <match> field of the rules with ID 30200 and 30201 to
> >> >> >>> > "ModSecurity: Access denied". I've also changed the level of drop in
> >> >> >>> > my ossec.conf to level 2. However, unfortunately it doesn't solve my
> >> >> >>> > problem. It's like the apache rules don't match any log record, just
> >> >> >>> > the rule ID 1002 from syslog_rules.
> >> >> >>> > 
> >> >> >>> 
> >> >> >>> Can you provide a log sample? 
> >> >> >>> 
> >> >> >>> 
> >> >> >>> > On the other hand, I made a laboratory with ossec 2.7 and it works
> >> >> >>> > perfectly. I made a scan with Nikto and ossec blocked normally.
> >> >> >>> >
> >> >> >>> > On Monday, February 9, 2015 at 09:00:41 UTC-2, Rodrigo Montoro
> >> >> >>> > (Sp0oKeR) wrote:
> >> >> >>> >> 
> >> >> >>> >> Hi there! 
> >> >> >>> >> 
> >> >> >>> >> Rule 1002 is triggering because of the "error" word in the alert and
> >> >> >>> >> there is no specific decoder for this alert.
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> #./ossec-logtest 
> >> >> >>> >> 
> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
> >> >> >>> >> 2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
> >> >> >>> >> ossec-testrule: Type one log per line.
> >> >> >>> >>
> >> >> >>> >> [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> **Phase 1: Completed pre-decoding. 
> >> >> >>> >>        full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >> >> >>> >>        hostname: 'spookerlabs'
> >> >> >>> >>        program_name: '(null)'
> >> >> >>> >>        log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
> >> >> >>> >> 
> >> >> >>> >> **Phase 2: Completed decoding. 
> >> >> >>> >>        No decoder matched. 
> >> >> >>> >> 
> >> >> >>> >> **Phase 3: Completed filtering (rules). 
> >> >> >>> >>        Rule id: '1002' 
> >> >> >>> >>        Level: '2' 
> >> >> >>> >>        Description: 'Unknown problem somewhere in the system.'
> >> >> >>> >> **Alert to be generated.
> >> >> >>> >>
> >> >> >>> >>
> >> >> >>> >> Rule 1002
> >> >> >>> >>
> >> >> >>> >> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
> >> >> >>> >>
> >> >> >>> >>   <rule id="1002" level="2">
> >> >> >>> >>     <match>$BAD_WORDS</match>
> >> >> >>> >>     <options>alert_by_email</options>
> >> >> >>> >>     <description>Unknown problem somewhere in the system.</description>
> >> >> >>> >>   </rule> 
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> Since this rule is level 2, it's not going to trigger an active
> >> >> >>> >> response, since your config said to alert only on level 5 or higher.
> >> >> >>> >>
> >> >> >>> >> More info here:
> >> >> >>> >> http://ossec-docs.readthedocs.org/en/latest/manual/ar/
> >> >> >>> >>
> >> >> >>> >> Looking into the Modsecurity rules, there are 2 under the apache rules:
> >> >> >>> >> 
> >> >> >>> >>  <rule id="30200" level="6" noalert="1"> 
> >> >> >>> >>     <match>^mod_security-message: </match> 
> >> >> >>> >>     <description>Modsecurity alert.</description> 
> >> >> >>> >>   </rule> 
> >> >> >>> >> 
> >> >> >>> >>   <rule id="30201" level="6"> 
> >> >> >>> >>     <if_sid>30200</if_sid> 
> >> >> >>> >>     <match>^mod_security-message: Access denied </match> 
> >> >> >>> >>     <description>Modsecurity access denied.</description> 
> >> >> >>> >>     <group>access_denied,</group> 
> >> >> >>> >>   </rule> 
> >> >> >>> >> 
> >> >> >>> >> But I think it needs to be updated to "ModSecurity: Access denied"
> >> >> >>> >> instead of "mod_security-message: Access denied".
> >> >> >>> >>
> >> >> >>> >> Do you have a raw log different from error? Is this a common modsec
> >> >> >>> >> error log? Maybe a decoder needs to be created for that.
> >> >> >>> >> 
> >> >> >>> >> Hope it helps. 
> >> >> >>> >> 
> >> >> >>> >> On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi 
> >> >> >>> >> <chacal...@gmail.com> 
> >> >> >>> >> wrote: 
> >> >> >>> >>> 
> >> >> >>> >>> Hello Rodrigo, 
> >> >> >>> >>> Thank you so much for answering me. So, some time ago I had an
> >> >> >>> >>> installation of ossec with the same configuration; ossec read the
> >> >> >>> >>> error.log of apache and blocked the attacks on iptables with the
> >> >> >>> >>> active response. I really don't know if something has changed in the
> >> >> >>> >>> last version of ossec, but it doesn't block any kind of attack (ssh
> >> >> >>> >>> brute force, http attacks, etc). Attached below are my ossec.conf and
> >> >> >>> >>> some alerts of alert.conf. My active-responses.log is empty.
> >> >> >>> >>> When I executed the command (cat /var/chroot/var/log/apache2/error.log |
> >> >> >>> >>> /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I
> >> >> >>> >>> received the following message:
> >> >> >>> >>> 
> >> >> >>> >>> 2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
> >> >> >>> >>> 2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
> >> >> >>> >>> 2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...
> >> >> >>> >>>
> >> >> >>> >>> Report completed. ==
> >> >> >>> >>> ------------------------------------------------
> >> >> >>> >>> ->Processed alerts: 3940
> >> >> >>> >>> ->Post-filtering alerts: 3940
> >> >> >>> >>> ->First alert: 2015 Feb 09 01:03:00
> >> >> >>> >>> ->Last alert: 2015 Feb 09 01:03:01
> >> >> >>> >>>
> >> >> >>> >>>
> >> >> >>> >>> Top entries for 'Level':
> >> >> >>> >>> ------------------------------------------------
> >> >> >>> >>> Severity 6                                            |3864    |
> >> >> >>> >>> Severity 13                                           |76      |
> >> >> >>> >>>
> >> >> >>> >>>
> >> >> >>> >>> Top entries for 'Group':
> >> >> >>> >>> ------------------------------------------------
> >> >> >>> >>> errors                                                |3940    |
> >> >> >>> >>> syslog                                                |3940    |
> >> >> >>> >>>
> >> >> >>> >>> Top entries for 'Location':
> >> >> >>> >>> ------------------------------------------------
> >> >> >>> >>> ubuntu->stdin                                         |3940    |
> >> >> >>> >>>
> >> >> >>> >>>
> >> >> >>> >>> Top entries for 'Rule':
> >> >> >>> >>> ------------------------------------------------
> >> >> >>> >>> 1002 - Unknown problem somewhere in the system.       |3864    |
> >> >> >>> >>> 1003 - Non standard syslog message (size too large).  |76      |
> >> >> >>> >>> 
> >> >> >>> >>> Thank you for your help. 
> >> >> >>> >>> 
> >> >> >>> >>> 
> >> >> >>> >>> On Sunday, February 8, 2015 at 22:25:22 UTC-2, Rodrigo Montoro
> >> >> >>> >>> (Sp0oKeR) wrote:
> >> >> >>> >>>>
> >> >> >>> >>>> Hi Ricardo,
> >> >> >>> >>>>
> >> >> >>> >>>> I think modsec isn't apache format, could you share some alert
> >> >> >>> >>>> samples from your log file?
> >> >> >>> >>>>
> >> >> >>> >>>> A good way to test if ossec will work with your log format is using
> >> >> >>> >>>> logtest:
> >> >> >>> >>>>
> >> >> >>> >>>> http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
> >> >> >>> >>>>
> >> >> >>> >>>> About active-response, how is your ossec.conf configured? Could you
> >> >> >>> >>>> share it? Anyway, OSSEC won't block any attack, only take some action
> >> >> >>> >>>> from some attack. Looking into /var/ossec/log/ you could see under
> >> >> >>> >>>> active-response log.
> >> >> >>> >>>> 
> >> >> >>> >>>> Let me know if this helps. 
> >> >> >>> >>>> 
> >> >> >>> >>>> Thanks 
> >> >> >>> >>>> 
> >> >> >>> >>>> On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi 
> >> >> >>> >>>> <chacal...@gmail.com> 
> >> >> >>> >>>> wrote: 
> >> >> >>> >>>>> 
> >> >> >>> >>>>> Hi there guys, 
> >> >> >>> >>>>> I'm facing a problem with ossec, I hope you can help me. I've
> >> >> >>> >>>>> configured my ossec to monitor apache and modsecurity's log of
> >> >> >>> >>>>> my chroot.
> >> >> >>> >>>>> I put the lines below in ossec.conf:
> >> >> >>> >>>>>
> >> >> >>> >>>>> <localfile>
> >> >> >>> >>>>> <log_format>apache</log_format>
> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
> >> >> >>> >>>>> </localfile>
> >> >> >>> >>>>>
> >> >> >>> >>>>> <localfile>
> >> >> >>> >>>>> <log_format>apache</log_format>
> >> >> >>> >>>>> <location>/var/chroot/var/log/apache2/error.log</location>
> >> >> >>> >>>>> </localfile>
> >> >> >>> >>>>>
> >> >> >>> >>>>> The problem is that ossec doesn't block any attack. I received
> >> >> >>> >>>>> the ossec's logs normally, but every log has the same ID, like
> >> >> >>> >>>>> this:
> >> >> >>> >>>>>
> >> >> >>> >>>>> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
> >> >> >>> >>>>> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the
> >> >> >>> >>>>> system."
> >> >> >>> >>>>> Portion of the log(s):
> >> >> >>> >>>>> 
> >> >> >>> >>>>> Thank you for your attention. 
> >> >> >>> >>>>> 
> >> >> >>> >>>>> 
> >> >> >>> >>>>> -- 
> >> >> >>> >>>>> 
> >> >> >>> >>>>> --- 
> >> >> >>> >>>>> You received this message because you are subscribed to 
> the 
> >> >> >>> >>>>> Google 
> >> >> >>> >>>>> Groups "ossec-list" group. 
> >> >> >>> >>>>> To unsubscribe from this group and stop receiving emails 
> from 
> >> >> >>> >>>>> it, 
> >> >> >>> >>>>> send 
> >> >> >>> >>>>> an email to ossec-list+...@googlegroups.com. 
> >> >> >>> >>>>> For more options, visit https://groups.google.com/d/optout. 
>
> >> >> >>> >>>> 
> >> >> >>> >>>> 
> >> >> >>> >>>> 
> >> >> >>> >>>> 
> >> >> >>> >>>> -- 
> >> >> >>> >>>> Rodrigo Montoro (Sp0oKeR) 
> >> >> >>> >>>> http://spookerlabs.blogspot.com 
> >> >> >>> >>>> http://www.twitter.com/spookerlabs 
> >> >> >>> >>>> http://www.linkedin.com/in/spooker 
> >> >> >>> >>> 
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> 
> >> >> >>> >> -- 
> >> >> >>> >> Rodrigo Montoro (Sp0oKeR) 
> >> >> >>> >> http://spookerlabs.blogspot.com 
> >> >> >>> >> http://www.twitter.com/spookerlabs 
> >> >> >>> >> http://www.linkedin.com/in/spooker 
> >> >> >>> > 
> >> >> > 
> >> > 
> > 
>
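
Added example (not part of the original thread, and not OSSEC code): a small Python model of the correlation that rule 31151 performs on decoded access-log events, for checking whether an access.log excerpt reaches the threshold that would trigger active response. Assumptions: child rule 31101 (not shown in the thread) matches any 4xx status, a composite rule fires after frequency + 2 matching events, and the sample log lines and the second source address are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields the web-accesslog decoder extracted in the logtest output: srcip, url, id.
LINE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<url>\S+)[^"]*" (?P<id>\d{3}) ')

def decode(line):
    """Parse one combined-format access-log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ev

def correlate(lines, frequency=12, timeframe=90, extra=2):
    """Return [(srcip, time)] for every point where the modelled rule fires.

    frequency/timeframe come from the rule quoted in the thread. `extra` is an
    assumption: OSSEC is documented to fire after frequency + 2 matches.
    """
    need = frequency + extra
    recent = defaultdict(deque)          # srcip -> times of recent 4xx events
    fired = []
    for line in lines:
        ev = decode(line)
        # Assumed child rule 31101: any 4xx status in the decoder's `id` field.
        if ev is None or not ev["id"].startswith("4"):
            continue
        q = recent[ev["srcip"]]          # <same_source_ip/>
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > timeframe:
            q.popleft()                  # drop events older than the timeframe
        if len(q) >= need:
            fired.append((ev["srcip"], ev["time"]))
            q.clear()                    # count again from zero after an alert
    return fired

def sample(srcip, n, step, status=403):
    """Constructed log lines: n requests from srcip, `step` seconds apart."""
    lines = []
    for i in range(n):
        t = i * step
        lines.append(
            f'{srcip} - - [09/Feb/2015:15:{t // 60:02d}:{t % 60:02d} -0200] '
            f'"GET /wordpress/p{i}.asmx HTTP/1.1" {status} 1510 "-" "test-agent"')
    return lines

if __name__ == "__main__":
    burst = sample("172.16.10.87", 14, 1)       # 14 x 403 within 14 seconds
    slow = sample("172.16.10.90", 14, 60)       # same count, one per minute
    for srcip, when in correlate(burst + slow):
        print(f"would trigger active response: {srcip} at {when}")
```

A ModSecurity error.log line returns None from decode(), which mirrors the "No decoder matched" result in the thread: such events never reach this correlation.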
