Hi Brent, thank you very much for your help and your explanations.

I'm just getting started with OSSEC, most of this is all new to me, but I'm learning quickly ;)

What does CDB stand for? I looked it up in the OSSEC docs and also googled it. Does it stand for "common database"? According to the docs I need to compile the CDB list with ossec-makelists, right?

I want to understand this properly, and thus I want to document it for my thesis project -- so please correct me if I misunderstood you:

1. I will create a list with the HTTP request strings, e.g.:

   GET /pub/english.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`

   and put it into a list/txt file, i.e. urlblacklist.txt

2. Then I will run ossec-makelists on this.

3. Then I will set up a rule to block those requests .... where does this go?! Is it a rule inside the rules directory??!

   <rule id="184780" level="12">
     <if_sid>31151</if_sid>
     <list field="url">lists/urlblacklist</list>
     <description>Web Vulnerability Scanner Detected</description>
   </rule>

   The rule that fired for me (according to my OSSEC WUI) was rule ID: 31151

4. Finally I will create an AR in my ossec.conf

   <command>firewall-drop</command>
   <location>server</location>
   <rules_id>184780</rules_id>
   <timeout>300</timeout>
   <repeated_offenders>2,10,60,120,1440</repeated_offenders>
   </active-response>

Hopefully I'm not too far off....

thanks,
theresa

On Monday, 5 October 2015 18:55:16 UTC+2, Brent Morris wrote:
>
> I'm not familiar with apache logs... but it looks like you are being scanned with a web vulnerability scanner from an attacker in China. The youtube string you see, I believe, is the user-agent string supplied by the scanning host.
>
> Compile all the URL requests and set up a cdb list in OSSEC. Then set up an active response based on the URL requested to block the offending IP address. The rule will look something like the following.
>
> <rule id="184780" level="12">
>   <if_sid>31100</if_sid>
>   <list field="url">lists/urlblacklist</list>
>   <description>Web Vulnerability Scanner Detected</description>
> </rule>
>
> and active response... assumes firewall-drop command will actually block the attacker at your perimeter.
>
> <command>firewall-drop</command>
> <location>server</location>
> <rules_id>184780</rules_id>
> <timeout>300</timeout>
> <repeated_offenders>2,10,60,120,1440</repeated_offenders>
> </active-response>
>
> Now all you need is the list and testing :)
>
> On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>>
>> Hi all,
>>
>> it's my weekly ossec question post ;)
>>
>> maybe you can help shed some light onto this one, as I'm not really good with HTTP/Apache return codes.
>> I have tons of these types of requests in my current Apache webserver log
>>
>> 125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>> 125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>
>> what are these doing except trying to call a youtube video?
>> I was once told that the GET requests are not as harmful as the POST requests...
>>
>> I suppose it's just some script kiddie running a webserver attack script. Should I worry?
>>
>> how to block these?
>>
>> I have a couple of other request types as well, but they all follow the same pattern.
>>
>> best,
>> theresa
>>
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
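As a worked example added here (it is not code from the thread, nor from the OSSEC project), the POSIX shell script below carries the four steps of the exchange through end to end: it extracts the scanned request paths from Apache access log lines into a file in OSSEC's CDB (constant database) list source format, shows the exact-match lookup the rule's `<list field="url">` performs, and emits the `local_rules.xml` rule and the `ossec.conf` fragments that reference the list, including the `<active-response>` opening tag that the pasted fragments above lack. The log lines are constructed: they reuse the request paths from the thread but replace the referer and user-agent with placeholders and add one ordinary 200 request so the filter has something to leave out. Assumed, and not taken from the thread: the default `/var/ossec` install prefix, the `WORKDIR`, `build_list`, `url_in_list`, `rule_xml` and `ossec_conf_xml` names, and the convention of keeping the path as the list key with an empty value. The rule id 184780, the list name `urlblacklist`, the parent rule 31100 and the active-response settings are the ones from the thread. The deployment commands at the end are shown as comments because they need a real OSSEC host.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or the OSSEC project.
# Builds an OSSEC CDB list source file from the request paths a web scanner
# left in an Apache access log and emits the rule / ossec.conf fragments that
# use it. Assumes the default /var/ossec install prefix.

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch location
LOG="$WORKDIR/access.log"
LIST="$WORKDIR/urlblacklist"

# Constructed sample log lines: request paths from the thread, placeholder
# referer/user-agent, one extra 404 with a query string and one normal 200.
cat > "$LOG" <<'EOF'
125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 403 5 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0" 404 8436 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "-" "constructed-scanner-ua"
125.122.211.198 - - [15/Sep/2015:00:50:59 +0200] "GET /admin.cgi?probe=1 HTTP/1.0" 404 8436 "-" "constructed-scanner-ua"
192.0.2.10 - - [15/Sep/2015:00:51:10 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed)"
EOF

# Combined-log fields: $7 is the request path, $9 the status code. Keep the
# paths of 4xx responses, drop any query string, de-duplicate, and write the
# CDB source format OSSEC expects: one "key:value" line per entry (empty value).
build_list() {
  awk '$9 ~ /^4[0-9][0-9]$/ { p = $7; sub(/\?.*/, "", p); print p ":" }' "$1" \
    | sort -u > "$2"
}

# Mirrors the rule's <list field="url"> with the default match_key lookup:
# the decoded url must equal a key exactly. Exit status 0 means "listed".
url_in_list() {
  grep -qxF "$1:" "$2"
}

# Rule for /var/ossec/rules/local_rules.xml: fires on a web access log event
# (parent rule 31100) whose url is a key in the compiled list.
rule_xml() {
  cat <<'EOF'
<rule id="184780" level="12">
  <if_sid>31100</if_sid>
  <list field="url">lists/urlblacklist</list>
  <description>Web Vulnerability Scanner Detected</description>
</rule>
EOF
}

# ossec.conf fragments: the <list> entry goes inside the existing <rules>
# section (ossec-makelists only compiles declared lists); the active response
# references the rule id and applies the thread's timeout/escalation settings.
ossec_conf_xml() {
  cat <<'EOF'
<rules>
  <list>lists/urlblacklist</list>
</rules>

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>184780</rules_id>
  <timeout>300</timeout>
  <repeated_offenders>2,10,60,120,1440</repeated_offenders>
</active-response>
EOF
}

build_list "$LOG" "$LIST"
echo "CDB list source written to $LIST:"
cat "$LIST"

# Deployment on the OSSEC server (shown, not run here):
#   cp "$LIST" /var/ossec/lists/urlblacklist
#   merge the output of ossec_conf_xml into /var/ossec/etc/ossec.conf
#   append the output of rule_xml to /var/ossec/rules/local_rules.xml
#   /var/ossec/bin/ossec-makelists        # writes lists/urlblacklist.cdb
#   /var/ossec/bin/ossec-control restart
```

Two points worth checking before relying on this: the CDB lookup is an exact key match, so a list entry only fires when the decoded `url` field equals it character for character (hence the query-string stripping and the test with `url_in_list`), and the active response blocks whatever source address the event carries, so a false positive in the list blocks a legitimate client for the configured timeout; test the rule with `ossec-logtest` against saved log lines before enabling the active response.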