Looking to take these logs from two separate server applications and
perform alerts and possibly responses to them.

server 1:

2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15
2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203

Server 2:

2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0
2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2


Right now I am just attempting to work with logs from Server 1: to alert on
200 & 404 errors for web scans and the like, but it's a beginning.


Entry in local_decoder.xml:

<decoder name="kronos-web">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
  <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
  <order>url,srcip,id</order>
</decoder>
Entry in local_rules.xml:

<group name="kronos-web,syslog,">
  <rule id="100007" level="0">
    <decoded_as>kronos-web</decoded_as>
    <description>Grouping for Kronos web rules.</description>
  </rule>

  <rule id="100008" level="5">
    <if_sid>100007</if_sid>
    <id>404</id>
    <description>IIS 7 Web Server 404 Error.</description>
    <group>connection attempt,</group>
  </rule>

  <rule id="100009" level="5">
    <if_sid>100007</if_sid>
    <id>200</id>
    <description>IIS 7 Web Server 200 Error.</description>
    <group>connection attempt,</group>
  </rule>

  <rule id="100010" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100008,100009</if_matched_sid>
    <description>Possible Kronos Web Scan/Attack Detected.</description>
    <group>attacks,</group>
  </rule>
</group>
When I run the logtest I get this output: it is getting the url, srcip
and id, but it is not getting to the rules I have created above...

**Phase 1: Completed pre-decoding.
       full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'
       hostname: 'alamo'
       program_name: '(null)'
       log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/wfc/portal -'
       srcip: '10.18.100.24'
       id: '200'

Am I missing something, like a base idea behind this or a syntax thing? I
really do not know...
--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
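As an added illustration (not part of the original post, and not OSSEC's own code), a Python model of the same pipeline: pull url, srcip and status out of Server 1's IIS lines and run a simplified version of the rule 100010 frequency/timeframe correlation over constructed sample lines. The sliding-window counting is an assumption made for illustration, not the exact counter semantics of ossec-analysisd.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field order of the Server 1 IIS W3C lines: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
# sc-win32-status time-taken. We keep the same three fields as the decoder.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) \S+ (?:GET|POST) "
    r"(?P<url>\S+) \S+ \d+ \S+ (?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ (?P<id>\d{3})\b"
)

def decode(line):
    """Return {'ts','url','srcip','id'} for one IIS line, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "url": m["url"], "srcip": m["srcip"], "id": m["id"]}

def correlate(lines, frequency=10, timeframe=60, watched=("200", "404")):
    """Approximate rule 100010: alert once `frequency` watched responses from the
    same source IP fall inside `timeframe` seconds (simplified window; assumption,
    not OSSEC's exact counting). Returns a list of (srcip, timestamp)."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None or ev["id"] not in watched:
            continue
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]) > timedelta(seconds=timeframe):
            q.popleft()  # drop events that fell out of the window
        if len(q) >= frequency:
            alerts.append((ev["srcip"], ev["ts"]))
            q.clear()  # one burst yields one alert, then the window restarts
    return alerts

# Constructed sample: one normal portal POST plus a burst of 404s from one client.
UA = "Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0"
SAMPLE = ["2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 %s 200 0 0 15" % UA]
start = datetime(2016, 5, 26, 15, 50, 0)
for i in range(12):
    t = (start + timedelta(seconds=3 * i)).strftime("%Y-%m-%d %H:%M:%S")
    SAMPLE.append("%s 172.18.2.247 GET /wff%d - 443 - 10.13.100.4 %s 404 0 2 203" % (t, i, UA))

if __name__ == "__main__":
    for src, when in correlate(SAMPLE):
        print("Possible Kronos web scan from %s at %s" % (src, when))
```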
