On Thu, May 19, 2016 at 9:25 AM, Patrick <patrickmulle...@gmail.com> wrote:
> Thanks so much Dan.
>
> The error was simple, but I couldn't see it. Thanks so much.
>
> I edited the decoder and now the action works.
>

What changes did you make to the decoder? They might be able to be put
into the tree.

>
> On Wednesday, May 18, 2016 at 15:49:12 UTC-3, dan (ddpbsd) wrote:
>>
>> On Wed, May 18, 2016 at 2:33 PM, Patrick Müller
>> <patrick...@gmail.com> wrote:
>> > Hi guys.
>> >
>> >
>> > My configuration is FreeBSD 10.2 with ossec-hids-local-2.8.3 installed
>> > via ports.
>> >
>> >
>> > I have this custom configuration for an active response which blocks web
>> > attacks.
>> >
>> >   <active-response>
>> >     <command>ipfw-www</command>
>> >     <location>local</location>
>> >     <timeout>43200</timeout>
>> >     <rules_id>30202,31151</rules_id>
>> >   </active-response>
>> >
>> >
>> > This is my test with logtest
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUAAAAH"]'
>> >        hostname: 'host'
>> >        program_name: '(null)'
>> >        log: the same as full event
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'apache-errorlog'
>> >
>>
>> There is no IP address for your script to block (assuming it needs one).
>>
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '30202'
>> >        Level: '10'
>> >        Description: 'Multiple attempts blocked by Mod Security.'
>> > **Alert to be generated.
>> >
>> >
>> > My problem is not in the file that executes the action to block, because
>> > rule 31151 works.
>> >
>> > My alert in active-response:
>> > /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
>> > 1463590617.6659091 31151
>> >
>> >
>> > Debug mode of logtest
>> >
>> >
>> > 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
>> >
>> > 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
>> >
>> >
>> >
>> > If logtest can correctly decode my event log and knows the rule, and the
>> > active response works for other rules, where is my error? Why doesn't the
>> > rule to block this action work?
>> >
>> >
>> > Any idea is welcome. Thanks
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>

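The exchange above turns on one detail in the logtest output: the event reaches rule 30202 through the `apache-errorlog` decoder, but no `srcip` is decoded, so OSSEC hands the active-response script `-` in the address position and an ipfw script that does not check that argument has nothing to block. The Python below is an added illustration, not code from the thread, from OSSEC's decoder.xml, or from the poster's ipfw-www.sh. It models the two places the fix can live: a decoder whose pattern accepts the Apache 2.4 error-log layout (`[module:level] [pid N] [client addr:port]`) as well as the older 2.2 layout, and an active-response script that refuses to act when the address argument is `-` or malformed. The regexes are Python patterns standing in for OSSEC decoder syntax, the address `192.0.2.10` is a constructed stand-in for the redacted `ip`, and the ipfw table number is an assumption.

```python
import ipaddress
import re

# Constructed input: the Apache 2.4 / ModSecurity line from the thread with the
# redacted "ip" replaced by a documentation-range address (RFC 5737) and the
# long ModSecurity rule text shortened. Not a real capture.
SAMPLE_24 = ('[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
             '[client 192.0.2.10:54252] [client 192.0.2.10] ModSecurity: '
             'Access denied with code 403 (phase 2). [id "390709"] '
             '[severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"]')

# Constructed Apache 2.2-style line for contrast: no module prefix on the level,
# no [pid N] field, no :port after the client address.
SAMPLE_22 = ('[Wed May 18 10:50:29 2016] [error] [client 192.0.2.10] '
             'ModSecurity: Access denied with code 403 (phase 2).')

# Anchored pattern that only knows the 2.2 layout. It stands in for a decoder
# whose prematch/regex expect "[client a.b.c.d]" right after the level field.
# On a 2.4 line the "[:error]" colon, the "[pid N]" field and the ":port" suffix
# make it fail, and the decoder then leaves srcip unset.
CLIENT_22 = re.compile(r'^\[[^\]]+\] \[\w+\] \[client (\d+\.\d+\.\d+\.\d+)\] ')

# Pattern accepting both layouts: optional "module:" before the level, optional
# "[pid N] " field, optional ":port" after the address.
CLIENT_ANY = re.compile(
    r'^\[[^\]]+\] \[(?:\w*:)?\w+\] (?:\[pid \d+\] )?'
    r'\[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\] ')


def extract_srcip(line, pattern=CLIENT_ANY):
    """Return the client address, or None when the pattern does not match,
    which is the decoder outcome logtest showed for the 2.4 line."""
    m = pattern.match(line)
    return m.group(1) if m else None


def ar_argv(action, srcip, alert_id, rule_id, user='-'):
    """Argument list in the order OSSEC passes it to an active-response
    script: action user srcip alert_id rule_id. A field the decoder did not
    fill arrives as '-' (the thread's 'ipfw-www.sh add - ip ...' line shows
    the user field unset the same way)."""
    return [action, user, srcip if srcip else '-', alert_id, rule_id]


def ipfw_command(argv, table='1'):
    """Decide what an ipfw-based script should execute for the given argv.
    Returns the command as a list (not executed here), or None when the
    address is missing or malformed so nothing reaches the firewall.
    The table number is an assumption for illustration."""
    action, _user, srcip, _alert_id, _rule_id = argv
    if action not in ('add', 'delete') or srcip == '-':
        return None
    try:
        ipaddress.ip_address(srcip)   # rejects '-', hostnames, shell metacharacters
    except ValueError:
        return None
    return ['ipfw', 'table', table, action, srcip]


if __name__ == '__main__':
    for line in (SAMPLE_24, SAMPLE_22):
        old, new = extract_srcip(line, CLIENT_22), extract_srcip(line)
        print(f'2.2-only pattern -> {old!r}, both-layout pattern -> {new!r}')
    # What rule 30202 produced in the thread: no srcip, so the script gets '-'.
    argv = ar_argv('add', extract_srcip(SAMPLE_24, CLIENT_22), '1463590617.6659091', '30202')
    print(argv, '->', ipfw_command(argv))
    argv = ar_argv('add', extract_srcip(SAMPLE_24), '1463590617.6659091', '30202')
    print(argv, '->', ipfw_command(argv))
```

Two checks carry over to a real ipfw-www.sh: test `$3` against `-` before touching the firewall, and validate it as an address rather than interpolating it into a command line, since whatever the decoder captured is attacker-influenced log content.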