ossec-list thread: OSSEC 2.8.1 does not block attacks reported by ModSecurity (Apache 2.4 error log)

On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi there guys,
I'm facing a problem with ossec, I hope you can help me. I've configured my ossec to monitor apache's and modsecurity's logs in my chroot. I put the lines below in ossec.conf:

    <localfile>
      <log_format>apache</log_format>
      <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
    </localfile>

    <localfile>
      <log_format>apache</log_format>
      <location>/var/chroot/var/log/apache2/error.log</location>
    </localfile>

The problem is that ossec doesn't block any attack. I receive ossec's alerts normally, but every one has the same ID, like this:

    Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
    Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

Thank you for your attention.


On Sunday, February 8, 2015 at 22:25:22 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:

Hi Ricardo,

I think modsec isn't apache format; could you share some alert samples from your log file?

A good way to test whether ossec will work with your log format is using logtest:
http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html

About active-response, how is your ossec.conf configured? Could you share it? Anyway, OSSEC won't block any attack, it only takes some action on some attack. Looking into /var/ossec/log/ you could see the active-response log.

Let me know if this helps.

Thanks

--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker


On Mon, Feb 9, 2015 at 2:07 AM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hello Rodrigo,
Thank you so much for answering me. So, some time ago I had an installation of ossec with the same configuration; ossec read apache's error.log and blocked the attacks in iptables with the active response. I really don't know if something has changed in the last version of ossec, but it doesn't block any kind of attack (ssh brute force, http attacks, etc). Attached are my ossec.conf and some alerts from alert.conf. My active-responses.log is empty.
When I executed the command (cat /var/chroot/var/log/apache2/error.log | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd) I received the following message:

    2015/02/09 01:03:00 ossec-reportd: INFO: Started (pid: 5038).
    2015/02/09 01:03:00 ossec-testrule: INFO: Reading local decoder file.
    2015/02/09 01:03:00 ossec-testrule: INFO: Started (pid: 5037).
    2015/02/09 01:03:06 ossec-reportd: INFO: Report completed. Creating output...

    Report completed. ==
    ------------------------------------------------
    ->Processed alerts: 3940
    ->Post-filtering alerts: 3940
    ->First alert: 2015 Feb 09 01:03:00
    ->Last alert: 2015 Feb 09 01:03:01

    Top entries for 'Level':
    ------------------------------------------------
    Severity 6                                            |3864 |
    Severity 13                                           |76   |

    Top entries for 'Group':
    ------------------------------------------------
    errors                                                |3940 |
    syslog                                                |3940 |

    Top entries for 'Location':
    ------------------------------------------------
    ubuntu->stdin                                         |3940 |

    Top entries for 'Rule':
    ------------------------------------------------
    1002 - Unknown problem somewhere in the system.       |3864 |
    1003 - Non standard syslog message (size too large).  |76   |

Thank you for your help.


On Monday, February 9, 2015 at 09:00:41 UTC-2, Rodrigo Montoro (Sp0oKeR) wrote:

Hi there!

Rule 1002 is triggering because of the word "error" in the alert and no specific decoder for this alert:

    #./ossec-logtest

    2015/02/09 10:26:45 ossec-testrule: INFO: Reading local decoder file.
    2015/02/09 10:26:45 ossec-testrule: INFO: Started (pid: 28969).
    ossec-testrule: Type one log per line.

    [Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]


    **Phase 1: Completed pre-decoding.
           full event: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
           hostname: 'spookerlabs'
           program_name: '(null)'
           log: '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] [rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'

    **Phase 2: Completed decoding.
           No decoder matched.

    **Phase 3: Completed filtering (rules).
           Rule id: '1002'
           Level: '2'
           Description: 'Unknown problem somewhere in the system.'
    **Alert to be generated.


Rule 1002:

    <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

    <rule id="1002" level="2">
      <match>$BAD_WORDS</match>
      <options>alert_by_email</options>
      <description>Unknown problem somewhere in the system.</description>
    </rule>


Since this rule is level 2 it's not going to trigger an active response, since your config said to alert only on level 5 or higher.

More info here: http://ossec-docs.readthedocs.org/en/latest/manual/ar/

Looking into the Modsecurity rules, there are 2 under the apache rules:

    <rule id="30200" level="6" noalert="1">
      <match>^mod_security-message: </match>
      <description>Modsecurity alert.</description>
    </rule>

    <rule id="30201" level="6">
      <if_sid>30200</if_sid>
      <match>^mod_security-message: Access denied </match>
      <description>Modsecurity access denied.</description>
      <group>access_denied,</group>
    </rule>

But I think they need to be updated to "ModSecurity: Access denied" instead of "mod_security-message: Access denied".

Do you have a raw log different from error? Is this a common modsec error log? Maybe a decoder needs to be created for that.

Hope it helps.


On Mon, Feb 9, 2015 at 12:39 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi Rodrigo,
I've looked at the file syslog_rules.xml to see the rule with ID 1002; I understood the rule perfectly. As you said, I've changed the <match> field of the rules with ID 30200 and 30201 to "ModSecurity: Access denied". I've also changed the drop level in my ossec.conf to level 2. Although, unfortunately, it doesn't solve my problem. It's like the apache rules don't match any log record, just rule ID 1002 from syslog_rules.

On the other hand, I made a laboratory with ossec 2.7 and it works perfectly. I made a scan with Nikto and ossec blocked it normally.


On Monday, February 9, 2015 at 15:42:46 UTC-2, dan (ddpbsd) wrote:

Can you provide a log sample?


On Monday, February 9, 2015 at 15:47:31 UTC-2, Ricardo Galossi wrote:

Hi Dan,
Thank you for your attention. I'm at work now, and I'm not able to access my VPS from here, but tonight when I leave the company I'll send you the log file.


On Mon, Feb 9, 2015 at 1:39 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi guys,
I made some tests here with ossec 2.7. When I try to scan the target, modsec delivers a 403 error page, so ossec reads the apache access.log file, matches the rule with ID 31151 from web_rules.xml and blocks the attacker's IP in iptables. The rule follows below:

    <rule level="10" id="31151" timeframe="90" frequency="12">
      <if_matched_sid>31101</if_matched_sid>
      <same_source_ip/>
      <description>Multiple web server 400 error codes </description>
      <description>from same source ip.</description>
      <group>web_scan,recon,</group>
    </rule>

The question is, why doesn't the same thing happen on ossec 2.8.1? Is there some problem if I use version 2.7?


On Monday, February 9, 2015 at 17:00:38 UTC-2, dan (ddpbsd) wrote:

It's hard to tell without log samples.


On Mon, Feb 9, 2015 at 2:14 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi Dan,
I see. As soon as I get home I'll send the log files. Do you want only the alert.log or something else?


On Monday, February 9, 2015 at 17:20:05 UTC-2, dan (ddpbsd) wrote:

I'd love to see the apache log messages that work in OSSEC 2.7 but not in 2.8.


On Mon, Feb 9, 2015 at 2:53 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi Dan,
The logs are attached.


On Monday, February 9, 2015 at 18:23:09 UTC-2, dan (ddpbsd) wrote:

Ok, it looks like active response is being triggered by rule 31151:

    Mon Feb 9 15:10:03 BRST 2015 /var/ossec/active-response/bin/host-deny.sh add - 172.16.10.87 1423501803.36643 31151

Using ossec-logtest, and pasting the log message in a few times, does trigger 31151:

    172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"


    **Phase 1: Completed pre-decoding.
           full event: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'
           hostname: 'arrakis'
           program_name: '(null)'
           log: '172.16.10.87 - - [09/Feb/2015:15:10:03 -0200] "GET /wordpress/KwJ55hQv.asmx HTTP/1.1" 403 1510 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'

    **Phase 2: Completed decoding.
           decoder: 'web-accesslog'
           srcip: '172.16.10.87'
           url: '/wordpress/KwJ55hQv.asmx'
           id: '403'

    **Phase 3: Completed filtering (rules).
           Rule id: '31151'
           Level: '10'
           Description: 'Multiple web server 400 error codes from same source ip.'
    **Alert to be generated.

Since you didn't provide your AR configuration I'll have to assume it's the default. Based on that, we get back to earlier questions:
Is ossec-execd running on the agent?
Is the firewall enabled on the system?


On Mon, Feb 9, 2015 at 3:42 PM, Ricardo Galossi <chacal...@gmail.com> wrote:

Hi Dan,
I installed ossec as "local". Yeah, the AR configuration is the default. The daemon ossec-execd is running normally and the firewall is enabled. I made tests with both versions of ossec, 2.7 and 2.8.1, within the same VPS. However, only version 2.7 blocks the attacker based on rule ID 31151.

If you want I can send you the logs of ossec 2.8.1.

Thank you for your attention.


On Tuesday, February 10, 2015 at 10:24:14 UTC-2, dan (ddpbsd) wrote:

Run ossec-logtest, and paste the log message I used in it multiple times. Let's see if 31151 or whatever fires (and see if the output differs from what I saw with post 2.8.1).
I'm hoping to have a chance to try active responses tonight.


On 12.02.2015 at 00:03, Ricardo Galossi wrote:

Hi Dan,
I'm so sorry for my delay, I was really busy yesterday. So, I've attached the output of ossec-logtest in both versions of ossec, 2.7 and 2.8.1. Version 2.8.1 doesn't match any high-level rules. I'm a beginner ossec user, but I've taken a look at the decoder.xml file and have a question about the apache decoder. The log example of this decoder is "[error] [client 64.94.163.159] Client sent malformed Host header"; however, this style of log is from apache 2.2. On the other hand, the new version of apache, 2.4, has a different log style, for example "[:error] [pid 6629] [client 172.16.10.57] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS". I don't understand much about decoders, so I don't know whether that could affect the matching of the rule.

Thank you so much for helping me.


On Thursday, February 12, 2015 at 06:54:57 UTC-2, ChristianB wrote:

Apache 2.4 style log messages are only supported in the master branch on github.com/ossec/ossec-hids or the upcoming 2.9 release.

It would be nice if you could provide some log messages of ModSecurity so we can try this out in the dev version.

Regards
Christian


On 16.02.2015 at 06:04, Ricardo Galossi wrote:

Hi Christian,
Thanks for answering me. I've attached modsecurity's log. I've tried to use ossec 2.8, but it does not work; it only alerts on rule ID 1002 (syslog_rules). For now I'm using ossec 2.7, because this version matches rule ID 31151: when someone tries attacking the site, modsec blocks the request and ossec blocks the IP by matching rule ID 31151.


On Monday, February 16, 2015 at 09:39:25 UTC-2, ChristianB wrote:

I took a look at the file you sent. As far as I am aware, ossec does not understand the modsec_audit log format, mainly because it is a multiline log. This seemed to work for you in 2.7 because some of the lines also match the apache decoder and rule 31101, thus triggering an AR. But this was sheer coincidence and not intended behavior.

You should configure modsecurity to also print log messages to the apache error log and monitor this with ossec. There is a good chance that the apache decoder can also read modsecurity-related lines in there.

Ossec basically needs a single line that has the information to identify a threat and block the attacker. With the modsec_audit log this is not possible.

Regards
Christian


On Tue, Feb 17, 2015 at 2:50 AM, Ricardo Galossi <chacalito2...@gmail.com> wrote:

Hi Christian,
I'm not using ossec to read modsecurity's log anymore. I've configured apache's logs (access.log and error.log) in ossec; however, no rule matches them. I've tried versions 2.8 and 2.8.1, but neither of them worked. If you want to see the log files, they are attached. For now I'm using ossec 2.7, because this version matches rule ID 31151. I'm studying ossec's decoders to make my own decoder so that when a certain sentence (ModSecurity: Access denied with code 403) appears in apache's error.log, ossec blocks the request's source IP.


Reply to the above:

Try the latest code in github, see if that works better.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
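Ricardo's last message describes the decoder he is writing: match "ModSecurity: Access denied with code 403" in the Apache 2.4 error.log and let active response block the source IP. The local decoder and rules below are an added example for OSSEC 2.8, not code from the thread or from the OSSEC project; the decoder names, the rule IDs 100200/100201 and the descriptions are chosen for this example. The prematch keeps the leading Apache timestamp because, as Rodrigo's ossec-logtest output shows, 2.8's pre-decoder leaves "[Mon Feb 09 00:11:26.954264 2015]" in the log field for 2.4-style lines (the 2.2 format without microseconds is stripped, which is why the stock apache decoder's "^[error]" anchor never matches here).

```xml
<!-- /var/ossec/etc/local_decoder.xml (added example) -->
<!-- Apache 2.4 error-log prefix with the timestamp still present. Square brackets are
     literal in OSSEC's regex dialect and "." is a literal dot; \w* allows the empty
     module name in "[:error]" as well as "[security2:error]". The prematch stops after
     the pid so that "[pid 4242]" and "[pid 4242:tid 1234]" both match. -->
<decoder name="apache24-errorlog">
  <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\w*:error] [pid \d+</prematch>
</decoder>

<!-- Child decoder: extract the client IP and the HTTP code from a ModSecurity denial.
     "\S*" after the IPv4 address absorbs the ":port" suffix Apache 2.4 can append;
     IPv6 clients are not handled. -->
<decoder name="apache24-modsec-denied">
  <parent>apache24-errorlog</parent>
  <regex offset="after_parent">[client (\d+.\d+.\d+.\d+)\S*] ModSecurity: Access denied with code (\d+) </regex>
  <order>srcip, id</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml (added example; IDs 100000-109999 are the user range) -->
<group name="apache,modsecurity,">
  <!-- One denial: no "^" anchor, because the log field still starts with the timestamp. -->
  <rule id="100200" level="6">
    <decoded_as>apache24-errorlog</decoded_as>
    <match>ModSecurity: Access denied with code 403</match>
    <description>ModSecurity blocked a request (Apache 2.4 error log).</description>
    <group>access_denied,</group>
  </rule>

  <!-- Same shape as rule 31151: twelve denials from one source within 90 seconds. -->
  <rule id="100201" level="10" frequency="12" timeframe="90">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>Multiple ModSecurity denials from same source IP.</description>
    <group>web_scan,recon,</group>
  </rule>
</group>
```

Verify it the way the thread does: paste Rodrigo's line into /var/ossec/bin/ossec-logtest and check that Phase 2 reports decoder 'apache24-errorlog' with srcip '37.128.148.180' and id '403', and that Phase 3 reports 100200; pasting it twelve times should end with 100201. Two things decide whether an alert turns into a block: the rule's level must reach the <level> set in the <active-response> section of ossec.conf, and the decoder must have filled srcip, because host-deny and firewall-drop expect that field. If only a single denial should already block, raise rule 100200's level instead of waiting for 100201. Confirm the result in /var/ossec/logs/active-responses.log, as Rodrigo suggested.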
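The correlation behind rule 31151 (twelve matches from the same source within 90 seconds) is what Ricardo wants to carry over from the access log to ModSecurity denials in the error log. The Python below is an added example, not OSSEC code and not anything posted in the thread: it decodes Apache 2.4 error-log lines that carry a ModSecurity message (IPv4 clients only; the ":tid" and ":port" suffixes Apache 2.4 can add are accepted but not required), extracts the fields a decoder would hand to the rules (srcip, the denial code, the CRS rule id, the URI) and replays frequency/timeframe/same_source_ip over a constructed burst. The sample log is built inline from the line Rodrigo ran through ossec-logtest plus constructed variants; `make_line`, `SameSourceCounter` and `scan` are names chosen for this example.

```python
"""Added example (not OSSEC or ModSecurity code): decode Apache 2.4 error-log
lines carrying ModSecurity messages and replay OSSEC-style
frequency/timeframe/same_source_ip correlation over them.
Assumes IPv4 client addresses; every sample line below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N(:tid N)] [client IP(:port)] message
LINE_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] '
    r'\[(?P<module>[\w-]*):(?P<level>\w+)\] '
    r'\[pid \d+(?::tid \d+)?\] '
    r'\[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'ModSecurity: (?P<msg>.*)$'
)
DENIED_RE = re.compile(r'^Access denied with code (?P<code>\d{3})')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # CRS tags: [id "960904"] [uri "/nyet.gif"] ...


def decode(line):
    """Return the fields an OSSEC decoder would extract, or None for a line that is
    not an Apache 2.4 ModSecurity message (core Apache errors, access-log lines, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    denied = DENIED_RE.match(m['msg'])
    tags = dict(TAG_RE.findall(m['msg']))
    return {
        "timestamp": datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y"),
        "srcip": m['srcip'],
        "denied_code": int(denied['code']) if denied else None,  # None for "ModSecurity: Warning."
        "rule_id": tags.get("id"),
        "uri": tags.get("uri"),
    }


class SameSourceCounter:
    """Sliding-window equivalent of <frequency>/<timeframe>/<same_source_ip/>:
    fires once one source IP has `frequency` hits within `timeframe` seconds."""

    def __init__(self, frequency=12, timeframe=90):
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)

    def hit(self, srcip, ts):
        q = self.hits[srcip]
        q.append(ts)
        while ts - q[0] > self.window:   # expire hits older than the timeframe
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()                    # one alert per burst (assumption; OSSEC keeps its own bookkeeping)
            return True
        return False


def scan(lines, frequency=12, timeframe=90):
    """Decode every line, count only denials, return (decoded events, [(srcip, iso time)] alerts)."""
    counter = SameSourceCounter(frequency, timeframe)
    events, alerts = [], []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["denied_code"] is not None and counter.hit(ev["srcip"], ev["timestamp"]):
            alerts.append((ev["srcip"], ev["timestamp"].isoformat()))
    return events, alerts


# The line Rodrigo ran through ossec-logtest in the thread.
THREAD_LINE = (
    '[Mon Feb 09 00:11:26.954264 2015] [:error] [pid 4242] [client 37.128.148.180] '
    'ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against '
    '"REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/ModSecurity/'
    'activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "84"] [id "960904"] '
    '[rev "2"] [msg "Request Containing Content, but Missing Content-Type header"] '
    '[severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] '
    '[hostname "www.ubuntu.com.br"] [uri "/nyet.gif"] [unique_id "VNglXmiDNHMAABCSoYkAAAAH"]'
)
DENIED_MSG = THREAD_LINE.split('ModSecurity: ', 1)[1]
WARNING_MSG = 'Warning. Operator EQ matched 0 at REQUEST_HEADERS. [uri "/"]'   # constructed


def make_line(second, srcip, message):
    """Constructed Apache 2.4 error-log line at 00:11:<second> on 2015-02-09, with the
    ":tid" and ":port" suffixes present (sample data)."""
    return (f'[Mon Feb 09 00:11:{second:02d}.000000 2015] [:error] [pid 4242:tid 1] '
            f'[client {srcip}:40000] ModSecurity: {message}')


# Constructed sample log: a Nikto-style burst, one warning, a quiet client, one non-ModSecurity line.
SAMPLE_LOG = (
    [make_line(s, '172.16.10.87', DENIED_MSG) for s in range(12)]          # 12 denials in 12 s
    + [make_line(12, '172.16.10.87', WARNING_MSG)]                         # warning, not a denial
    + [make_line(s, '37.128.148.180', DENIED_MSG) for s in (20, 25, 30)]   # under the threshold
    + ['[Mon Feb 09 00:11:40.000000 2015] [core:error] [pid 4242] [client 10.0.0.5:51234] '
       'Invalid URI in request GET /../ HTTP/1.1']                          # ignored by decode()
)

if __name__ == '__main__':
    events, alerts = scan(SAMPLE_LOG)
    print(f'{len(events)} ModSecurity events decoded, alerts: {alerts}')
```

With the defaults the burst from 172.16.10.87 raises exactly one alert on its twelfth denial, the warning and the three denials from 37.128.148.180 raise none, and the core Apache line never reaches the counter. Lowering `frequency` or shrinking `timeframe` shows how the same window logic changes what a scan looks like to the rule, which is the knob a deployment tunes in rule 31151's `frequency`/`timeframe` attributes.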