Hi guys.

My configuration is FreeBSD 10.2 with ossec-hids-local-2.8.3 installed via
ports.


I have this custom configuration for an active response which blocks web
attacks.


  <active-response>
    <command>ipfw-www</command>
    <location>local</location>
    <timeout>43200</timeout>
    <rules_id>30202,31151</rules_id>
  </active-response>


This is my test with logtest:


**Phase 1: Completed pre-decoding.
       full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173]
[client ip:54252] [client ip] ModSecurity: Access denied with code 403
(phase 2). Match of "rx
(^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)"
against "REQUEST_URI" required. [file
"/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
[line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules:
Attempt to access protected file remotely"] [data "../etc/"] [severity
"CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id
"VzxzJZKkXAIAAASV6VUAAAAH"]'
       hostname: 'host'
       program_name: '(null)'
       log: (the same as the full event)

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'

**Phase 3: Completed filtering (rules).
       Rule id: '30202'
       Level: '10'
       Description: 'Multiple attempts blocked by Mod Security.'
**Alert to be generated.


My problem is not in the file that executes the blocking action, because rule
31151 works.


My alert in active-response:
/usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
1463590617.6659091 31151


Debug mode of logtest:


2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0



If logtest can decode my event log correctly and identify the rule, and the
active response works for other rules, where is my error? Why does the rule
that should block this action not work?

Any idea is welcome. Thanks
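As an added example (not part of the original post or of OSSEC itself), the script below cross-checks the three pieces of evidence the post shows: it parses the bracketed fields ModSecurity writes into the Apache error log, parses the `rule:<id>, level <n>` lines that ossec-logtest prints in debug mode, and reads the `<rules_id>` list of each `<active-response>` block to report which command should fire for each rule that matched. The sample log line and config are constructed from the post (the client address is a documentation placeholder, not a real host); the config is wrapped in an `<ossec_config>` root so it parses as XML.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the active-response block from the post, wrapped in the
# <ossec_config> root element ossec.conf uses, so ElementTree can parse it.
ACTIVE_RESPONSE_XML = """<ossec_config>
  <active-response>
    <command>ipfw-www</command>
    <location>local</location>
    <timeout>43200</timeout>
    <rules_id>30202,31151</rules_id>
  </active-response>
</ossec_config>"""

# Constructed sample modelled on the post's event; 192.0.2.10 is a placeholder.
MODSEC_LINE = (
    '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
    '[client 192.0.2.10:54252] ModSecurity: Access denied with code 403 '
    '(phase 2). [file "10_asl_rules.conf"] [line "219"] [id "390709"] '
    '[msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] '
    '[severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"]'
)

# Constructed sample of ossec-logtest debug output, as shown in the post.
LOGTEST_DEBUG_LINES = [
    "2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0",
    "2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0",
]

# ModSecurity appends fields of the form [key "value"]; values carry no quotes.
BRACKET_FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')
# Apache 2.4 logs the peer as [client ADDR:PORT]; this handles IPv4 addresses.
CLIENT_FIELD = re.compile(r'\[client ([0-9.]+)(?::\d+)?\]')
LOGTEST_RULE = re.compile(r'rule:(\d+), level (\d+), timeout: (\d+)')


def parse_modsec_error(line):
    """Return the ModSecurity key/value fields of one Apache error-log line,
    plus the client address and whether the request was denied."""
    fields = dict(BRACKET_FIELD.findall(line))
    client = CLIENT_FIELD.search(line)
    if client:
        fields["client"] = client.group(1)
    fields["denied"] = "Access denied" in line
    return fields


def parse_logtest_debug(lines):
    """Return [(rule_id, level, timeout)] for each matched rule logtest reports."""
    out = []
    for line in lines:
        m = LOGTEST_RULE.search(line)
        if m:
            out.append(tuple(int(g) for g in m.groups()))
    return out


def parse_rules_id(xml_text):
    """Map each active-response command to the set of rule ids it is bound to."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for ar in root.findall("active-response"):
        command = ar.findtext("command")
        ids = ar.findtext("rules_id") or ""
        bindings[command] = {int(x) for x in ids.split(",") if x.strip()}
    return bindings


def responses_for_rule(rule_id, xml_text):
    """Commands whose <rules_id> list contains rule_id (sorted for stable output)."""
    return sorted(cmd for cmd, ids in parse_rules_id(xml_text).items()
                  if rule_id in ids)


def expected_responses(debug_lines, xml_text):
    """For every rule logtest matched, list the commands configured for it."""
    return {rule: responses_for_rule(rule, xml_text)
            for rule, _level, _timeout in parse_logtest_debug(debug_lines)}


if __name__ == "__main__":
    ev = parse_modsec_error(MODSEC_LINE)
    print("ModSecurity rule", ev["id"], "client", ev["client"], "denied", ev["denied"])
    for rule, cmds in expected_responses(LOGTEST_DEBUG_LINES, ACTIVE_RESPONSE_XML).items():
        print("OSSEC rule", rule, "-> active-response commands:", cmds or "none")
```

Running it shows that both matched rules are bound to the `ipfw-www` command by the configuration as written, which narrows the question to how the rule matches at runtime rather than to the `<rules_id>` list; the same functions can be pointed at a real ossec.conf and a real logtest run to confirm that.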
