Thanks so much, Dan. 


The error was simple, but I couldn't see it. Thanks so much. 


I edited the decoder and now the action works.

On Wednesday, May 18, 2016 at 15:49:12 UTC-3, dan (ddpbsd) wrote:
>
> On Wed, May 18, 2016 at 2:33 PM, Patrick Müller <patrick...@gmail.com> wrote: 
> > Hi guys. 
> > 
> > 
> > My configuration is FreeBSD-10.2 with ossec-hids-local-2.8.3 installed via ports. 
> > 
> > 
> > I have this custom configuration for an active response which blocks web attacks. 
> > 
> > 
> >   <active-response> 
> >     <command>ipfw-www</command> 
> >     <location>local</location> 
> >     <timeout>43200</timeout> 
> >     <rules_id>30202,31151</rules_id> 
> >   </active-response> 
> > 
> > 
> > This is my test with logtest 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> > 
> >        full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUAAAAH"]' 
> > 
> >        hostname: 'host' 
> > 
> >        program_name: '(null)' 
> > 
> >        log: the same as the full event 
> > 
> > 
> > **Phase 2: Completed decoding. 
> > 
> >        decoder: 'apache-errorlog' 
> > 
>
> There is no IP address for your script to block (assuming it needs one). 
>
> > 
> > **Phase 3: Completed filtering (rules). 
> > 
> >        Rule id: '30202' 
> > 
> >        Level: '10' 
> > 
> >        Description: 'Multiple attempts blocked by Mod Security.' 
> > 
> > **Alert to be generated. 
> > 
> > 
> > My problem is not in the file that executes the action to block, because rule 
> > 31151 works. 
> > 
> > 
> > My alert in active-response: 
> > /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip 1463590617.6659091 31151 
> > 
> > 
> > Debug mode of logtest 
> > 
> > 
> > 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0 
> > 
> > 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0 
> > 
> > 
> > 
> > If logtest can decode my event log correctly and knows the rule, and the 
> > active response works for other rules, where is my error? Why does the rule 
> > to block this action not work? 
> > 
> > 
> > Any idea is welcome. Thanks 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
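An added example, not code from the thread or from the OSSEC project, illustrating Dan's point above: an IP-blocking active response has nothing to act on when the decoder does not extract a source address. The `[client ip:54252]` field in the Apache 2.4 error line carries a port, so a pattern that expects the closing bracket right after the address yields no `srcip`, while a port-tolerant pattern does. The prematch-then-regex helper is a simplified model of how a decoder is applied, the patterns and sample lines are constructed (documentation-range address, invented rule file), and the argument order of the response command is taken from the `ipfw-www.sh add - ip ...` line quoted in the thread:

```python
import re
from typing import List, Optional

# Constructed samples, shaped like the line in the thread; the address, host
# and rule-file path are invented, not taken from any real system.
APACHE24_LINE = (
    '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
    '[client 203.0.113.5:54252] [client 203.0.113.5] ModSecurity: Access denied '
    'with code 403 (phase 2). [file "/path/to/rules.conf"] [line "219"] '
    '[id "390709"] [msg "Attempt to access protected file remotely"] '
    '[severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"]'
)
# Apache 2.2 wrote the same field without the port suffix.
APACHE22_LINE = (
    '[Wed May 18 10:50:29 2016] [error] [client 203.0.113.5] ModSecurity: '
    'Access denied with code 403 (phase 2). [id "390709"] [uri "/home/home.php"]'
)

# Hypothetical decoder-style patterns (not the project's decoder.xml text):
# the first expects "[client <ip>]" with the bracket right after the address,
# the second tolerates the ":port" suffix Apache 2.4 adds to that field.
CLIENT_NO_PORT = re.compile(r' (\d+\.\d+\.\d+\.\d+)\]')
CLIENT_WITH_PORT = re.compile(r' (\d+\.\d+\.\d+\.\d+)(?::\d+)?\]')
PREMATCH = '[client'


def extract_srcip(line: str, regex: re.Pattern) -> Optional[str]:
    """Simplified model of a prematch-then-regex decoder: locate the first
    "[client" and apply the regex anchored right after it.
    None means no srcip field was decoded from the line."""
    idx = line.find(PREMATCH)
    if idx < 0:
        return None
    m = regex.match(line, idx + len(PREMATCH))
    return m.group(1) if m else None


def build_response_args(script: str, srcip: Optional[str], alert_id: str,
                        rule_id: str, action: str = 'add') -> Optional[List[str]]:
    """Argument vector in the order shown by the thread's own active-response
    line: script, add|delete, user ('-' when unknown), srcip, alert id, rule id.
    With no srcip there is nothing for an IP-blocking script to act on."""
    if srcip is None:
        return None
    return [script, action, '-', srcip, alert_id, rule_id]


if __name__ == '__main__':
    for name, line in (('apache 2.4', APACHE24_LINE), ('apache 2.2', APACHE22_LINE)):
        for label, rx in (('no-port pattern', CLIENT_NO_PORT),
                          ('port-tolerant', CLIENT_WITH_PORT)):
            ip = extract_srcip(line, rx)
            args = build_response_args('ipfw-www.sh', ip, '1463590617.6659091', '30202')
            print(f'{name:10} {label:15} srcip={ip!r} -> {args}')
```

Run it directly to print, for each sample line and pattern, the decoded `srcip` and the argument vector the response script would receive. A `None` result is the situation the logtest output above shows: phase 2 names the decoder but no source IP is decoded, so the response for rule 30202 has no address to pass to the block script.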
