Hi Brent, thanks for the perfect explanations.

I just checked, my archives.log is 0 bytes, seems like it was log-rotated during the night. And in the monthly folder, e.g. Oct or Sep, there are only checksum logs, e.g. ossec-archive-01.log.sum. But I've seen multiple requests from 1 IP address and put those requests into a txt file (I've attached it to this post). No idea why my archives.log is empty :(

regards,
theresa

On Monday, 5 October 2015 20:02:29 UTC+2, Brent Morris wrote:
>
> Yeah, you're in the neighborhood.
>
> First - can you post some content from your archives.log with those Apache logs? I can help better if I can see what you're seeing.
>
> You need to see exactly what you're passing to the URL field using ossec-logtest in order to make your cdb list correctly. Sometimes the decoder puts extra characters in the URL field, such as a space and a hyphen. At least that was my case.
>
> Here's a blurb from my cdb list.... nexpose makes the following requests during a web audit.
>
> /spiffymcgee.cfm -:16
> /spiffymcgee.jsp -:16
> /jbossmq-httpil/ -:16
> /spiffymcgee.nsf -:16
> /spiffymcgee.jsp -:16
> /spiffymcgee.nsf -:16
>
> The important bits are on the left side of the colon. I think I used excel to autonumber and populate the right side of the colon. But you're basically going to compare whatever is being passed to the URL field with exactly the content on the left side of the colon. So you can see you'll need to be creative in your ability to separate out the URLs from the rest of the junk in your logs along with checking and removing valid URLs that might be in the list. In your example #1 example, I would only use "/pub/english.cgi -:16" ..... there is a space and a hyphen in my case when running the logs against ossec-logtest. I can't emphasize enough that it needs to be EXACT. Partial matches will not trigger the rule.
>
> The list will reside in /var/ossec/lists/urlblacklist
>
> then run ./ossec-makelists
>
> In your ossec.conf - add <list>lists/urlblacklist</list> inside <ossec_config><rules>
>
> Add the rule to local_rules.xml
>
> Use ossec-logtest to verify new rule is working properly.
>
> Add the active response to ossec.conf
>
> restart ossec and test with a real request to a URL in the list. Verify active response has done its deed.
>
> HTH!
> -Brent
>
> On Monday, October 5, 2015 at 10:36:35 AM UTC-7, theresa mic-snare wrote:
>>
>> Hi Brent,
>>
>> thank you very much for your help and your explanations.
>>
>> I'm just getting started with OSSEC, most of this is all new to me, but I'm learning quickly ;)
>> what does CDB stand for? I looked it up in the OSSEC docs and also googled it? does it stand for common database?
>> according to the Docs I need to compile the CDB list with ossec-makelists, right?
>>
>> I want to understand this properly, and thus I want to document it for my thesis project -- so please correct me if I misunderstood you:
>>
>> 1. I will create a list with the HTTP request strings, e.g: GET /pub/english.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7` and put it into a list/txt file, i.e. urlblacklist.txt
>> 2. then I will run ossec-makelists on this
>> 3. then I will set up a rule to block those requests .... where does this go?! Is it a rule inside the rules directory??!
>>
>> <rule id="184780" level="12">
>>   <if_sid>31151</if_sid>
>>   <list field="url">lists/urlblacklist</list>
>>   <description>Web Vulnerability Scanner Detected</description>
>> </rule>
>>
>> the rule that fired for me (according to my OSSEC WUI) was rule ID: 31151 <http://www.ossec.net/doc/search.html?q=rule-id-31151>
>>
>> 4. finally I will create an AR in my ossec.conf
>>
>> <active-response>
>>   <command>firewall-drop</command>
>>   <location>server</location>
>>   <rules_id>184780</rules_id>
>>   <timeout>300</timeout>
>>   <repeated_offenders>2,10,60,120,1440</repeated_offenders>
>> </active-response>
>>
>> Hopefully I'm not too far off....
>>
>> thanks,
>> theresa
>>
>> On Monday, 5 October 2015 18:55:16 UTC+2, Brent Morris wrote:
>>>
>>> I'm not familiar with apache logs... but it looks like you are being scanned with a web vulnerability scanner from an attacker in China. The youtube string you see, I believe, is the user-agent string supplied by the scanning host.
>>>
>>> Compile all the URL requests and set up a cdb list in OSSEC. Then set up an active response based on the URL requested to block the offending IP address. The rule will look something like the following.
>>>
>>> <rule id="184780" level="12">
>>>   <if_sid>31100</if_sid>
>>>   <list field="url">lists/urlblacklist</list>
>>>   <description>Web Vulnerability Scanner Detected</description>
>>> </rule>
>>>
>>> and active response... assumes firewall-drop command will actually block the attacker at your perimeter.
>>>
>>> <active-response>
>>>   <command>firewall-drop</command>
>>>   <location>server</location>
>>>   <rules_id>184780</rules_id>
>>>   <timeout>300</timeout>
>>>   <repeated_offenders>2,10,60,120,1440</repeated_offenders>
>>> </active-response>
>>>
>>> Now all you need is the list and testing :)
>>>
>>> On Monday, October 5, 2015 at 4:25:18 AM UTC-7, theresa mic-snare wrote:
>>>>
>>>> Hi all,
>>>>
>>>> it's my weekly ossec question post ;)
>>>>
>>>> maybe you can help shed some light onto this one, as I'm not really good with HTTP/Apache return codes.
>>>>
>>>> I have tons of these types of requests in my current Apache webserver log
>>>>
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:49 +0200] "GET /cartcart.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:48 +0200] "GET /bigconf.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /bandwidth/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:47 +0200] "GET /b2-include/b2edit.showposts.php HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:46 +0200] "GET /axis-cgi/buffer/command.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /apps/web/vs_diag.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:45 +0200] "GET /analyse.cgi HTTP/1.0" 403 2790 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:44 +0200] "GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>> 125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
>>>>
>>>> what are these doing except trying to call a youtube video?
>>>> I was once told that the GET requests are not as harmful as the POST requests...
>>>>
>>>> I suppose it's just some script kiddie running a webserver attack script.
>>>> should I worry?
>>>>
>>>> how to block these?
>>>>
>>>> I have a couple of other request types as well, but they all follow the same pattern.
>>>>
>>>> best,
>>>> theresa
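A small script for the list-building step Brent describes (an added example, not code from the thread or from OSSEC): it pulls the URL field out of Apache combined-format lines for one source address, drops duplicates and any paths you allowlist, and emits the `key:value` lines that ossec-makelists reads from /var/ossec/lists/urlblacklist. The `key_suffix` parameter is an assumption for matching whatever ossec-logtest actually shows in the url field (Brent saw a trailing " -"); the sample log lines are copied from the thread plus one constructed legitimate request.

```python
import re

# Apache "combined" log format, as in theresa's excerpt:
#   ip ident user [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Sample input: three entries taken from the thread's log excerpt (one of them
# repeated, to show de-duplication) plus one constructed legitimate request
# from 198.51.100.7 that must not end up in the blocklist.
SAMPLE_LOG = """\
125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:50 +0200] "GET /catalog/index.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:43 +0200] "GET /agora.cgi HTTP/1.0" 404 8436 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
125.122.211.198 - - [15/Sep/2015:00:50:58 +0200] "GET /admin.cgi HTTP/1.0" 403 5 "https://www.youtube.com/watch?v=FoUWHfh733Y" "() { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`"
198.51.100.7 - - [15/Sep/2015:01:02:03 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
""".splitlines()


def scanner_urls(lines, source_ip, statuses=("403", "404")):
    """URL paths requested by source_ip that drew one of the given status
    codes, de-duplicated and in first-seen order. Unparseable lines are skipped."""
    urls = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m.group("ip") != source_ip:
            continue
        if m.group("status") in statuses and m.group("url") not in urls:
            urls.append(m.group("url"))
    return urls


def cdb_list_text(urls, allowlist=(), key_suffix="", value=16):
    """Render the OSSEC CDB source list, one 'key:value' per line, ready for
    ossec-makelists. key_suffix (assumed parameter) is appended verbatim so the
    key equals exactly what ossec-logtest shows in the url field (Brent's
    decoder added ' -'); paths in allowlist are dropped. The value is a
    placeholder: the default match_key lookup compares keys only."""
    allowed = set(allowlist)
    return "".join(f"{u}{key_suffix}:{value}\n" for u in urls if u not in allowed)


if __name__ == "__main__":
    # This output is what would be saved as /var/ossec/lists/urlblacklist.
    print(cdb_list_text(scanner_urls(SAMPLE_LOG, "125.122.211.198"), key_suffix=" -"), end="")
```

Run ossec-logtest against a real line first and set `key_suffix` to match its url field exactly, since, as Brent notes, partial matches never fire the rule.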