Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-07 Thread Jan Andrasko
Michael,

if you remove if_sid, will it match anything? I am trying now to play
with it a bit and it doesn't match. I created a vulnerable CGI script. All
40x attempts are matched by 31101.

**Phase 1: Completed pre-decoding.
   full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
   hostname: 'Ossec1'
   program_name: '(null)'
   log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.111.111.111'
   url: '/cgi-bin/test.cgi'
   id: '404'

**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
   *Rule 4 matched.
   *Trying child rules.
Trying rule: 31100 - Access log messages grouped.
   *Rule 31100 matched.
   *Trying child rules.
Trying rule: 31108 - Ignored URLs (simple queries).
Trying rule: 31115 - URL too long. Higher than allowed on most
browsers. Possible attack.
Trying rule: 31103 - SQL injection attempt.
Trying rule: 31104 - Common web attack.
Trying rule: 31105 - XSS (Cross Site Scripting) attempt.
Trying rule: 31110 - PHP CGI-bin vulnerability attempt.
Trying rule: 31109 - MSSQL Injection attempt (/ur.php, urchin.js)
Trying rule: 31164 - SQL injection attempt.
Trying rule: 31165 - SQL injection attempt.
Trying rule: 31501 - WordPress Comment Spam (coming from a fake search
engine UA).
Trying rule: 31502 - TimThumb vulnerability exploit attempt.
Trying rule: 31503 - osCommerce login.php bypass attempt.
Trying rule: 31504 - osCommerce file manager login.php bypass attempt.
Trying rule: 31505 - TimThumb backdoor access attempt.
Trying rule: 31506 - Cart.php directory transversal attempt.
Trying rule: 31507 - MSSQL Injection attempt (ur.php, urchin.js).
Trying rule: 31508 - Blacklisted user agent (known malicious user
agent).
Trying rule: 31511 - Blacklisted user agent (wget).
Trying rule: 31512 - Uploadify vulnerability exploit attempt.
Trying rule: 31513 - BBS delete.php exploit attempt.
Trying rule: 31514 - Simple shell.php command execution.
Trying rule: 31515 - PHPMyAdmin scans (looking for setup.php).
Trying rule: 31516 - Suspicious URL access.
Trying rule: 31550 - Anomaly URL query (attempting to pass null
termination).
Trying rule: 31101 - Web server 400 error code.
   *Rule 31101 matched.
   *Trying child rules.
Trying rule: 31102 - Ignored extensions on 400 error codes.
Trying rule: 31140 - Ignoring google/msn/yahoo bots.
Trying rule: 31141 - Ignored 499's on nginx.
Trying rule: 31151 - Multiple web server 400 error codes from same
source ip.

**Phase 3: Completed filtering (rules).
   Rule id: '31101'
   Level: '5'
   Description: 'Web server 400 error code.'
**Alert to be generated.


There is an even bigger issue. When the status code is 200, rule 31108 matches and
the attack is ignored:

**Phase 1: Completed pre-decoding.
   full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
   hostname: 'Ossec1'
   program_name: '(null)'
   log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET
/cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo
\\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
   decoder: 'web-accesslog'
   srcip: '111.111.111.111'
   url: '/cgi-bin/test.cgi'
   id: '200'

**Rule debugging:
Trying rule: 4 - Generic template for all web rules.
   *Rule 4 matched.
   *Trying child rules.
Trying rule: 31100 - Access log messages grouped.
   *Rule 31100 matched.
   *Trying child rules.
Trying rule: 31108 - Ignored URLs (simple queries).
   *Rule 31108 matched.
   *Trying child rules.
Trying rule: 31509 - CMS (WordPress or Joomla) login attempt.

**Phase 3: Completed filtering (rules).
   Rule id: '31108'
   Level: '0'
   Description: 'Ignored URLs (simple queries).'


Jan

On Mon, Oct 6, 2014 at 5:52 PM, Michael Starks ossec-l...@michaelstarks.com
 wrote:

 On 2014-10-04 5:30, Jan Andrasko wrote:

 Hello Michael,

  Thanks for sharing this. Any specific reason for the '.+' after the

 '()'?

 You are right, '.*' is better. Thanks for pointing this out.

  Also, the ':' before ';' is not part of the exploit, so you may want

 to remove that.

 You are right again, there can be anything before ';'.


 I think there is a bug in either the OSSEC code or documentation, as I was
 getting some false-positives for this. The issue seems to be with the ()
 characters, which, in my experience, need to be 
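
The two logtest runs above show the same request landing on 31101 (404) or being swallowed by 31108 (200) depending only on the status code. As an added example that is not part of the thread or of OSSEC, the Python below parses combined-format access lines and looks for the Shellshock function-definition prefix in the Referer and User-Agent fields, independent of the response code; it uses `.*` between `{` and `;` as corrected earlier in the thread. Log lines are constructed, and the patterns are Python `re`, not OSSEC's own regex dialect.

```python
import re

# Apache/nginx combined format: the two trailing quoted fields are the
# Referer and User-Agent, which is where the Shellshock payload travels.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 trigger: an exported function definition "() {", a body,
# and the closing "};". Anything may sit between "{" and ";", hence ".*"
# rather than ".+" (the correction made earlier in this thread).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*;\s*\}')


def parse_access_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_in_headers(rec):
    """True when the Referer or User-Agent carries a function definition."""
    return any(SHELLSHOCK_RE.search(rec[f]) for f in ("referer", "agent"))


def scan(lines):
    """Return (status, url) for every flagged line, whatever the status code."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and shellshock_in_headers(rec):
            hits.append((int(rec["status"]), rec["url"]))
    return hits


# Constructed samples modelled on the logtest events above: the same
# payload answered with 404 and with 200, plus an ordinary request.
SAMPLE_LOG = [
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 1666 "-" "() { test;};echo hello"',
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1666 "-" "() { test;};echo hello"',
    '10.0.0.5 - - [07/Oct/2014:12:54:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for status, url in scan(SAMPLE_LOG):
        print(f"shellshock pattern in request for {url} (HTTP {status})")
```

Both the 404 and the 200 request are reported, which is the behaviour a rule chained beneath a status-code rule cannot give.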

[ossec-list] connection refused error after key exchange using ossec-authd

2014-10-07 Thread Abhi
Hi,

We have automated the OSSEC key distribution with the help of ossec-authd.
Initially, it worked well with no issues. All the agents were getting the
keys and were able to communicate fine with the server. Lately, whenever I am
trying to install OSSEC, the key distribution works correctly, but when
trying to start the OSSEC agent, we get the following error:

2014/10/07 10:27:53 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/10/07 10:27:53 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
 

On the server side, the agent showed up correctly under ./manage-agent.

After checking a bit further, I noticed that the key the agent received from the
server using agent-auth (under */etc/client.keys*) is different than the
one extracted from ./manage-agent. If the new agent connected properly to the
server, and also got listed on the server, how could the key be different
on both sides?

If I add the new key manually on the agent, it starts working fine.

Am I missing something here?

Please advise.

Thanks,

Abhi

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Authentication key file '/etc/client.keys' not found.

2014-10-07 Thread Bryan Pearson
So it turns out that using prevars in the install process was unneeded.
Uninstalling and reinstalling with it removed solved this issue.

On Monday, October 6, 2014 5:15:46 AM UTC-4, dan (ddpbsd) wrote:


 On Oct 6, 2014 5:11 AM, Bryan Pearson bpea...@reverbnation.com wrote:
 
  I did a compile from source using srpm. I have now moved on to installing
 the agent on a box, and I am now getting the following message. I am a bit
 confused because ossec is looking in the wrong place for the key file.
 
  I have already used the auto auth to connect the machines, but because
 the daemon won't start, that won't connect.
 
  2014/10/05 23:14:52 ossec-agentd: INFO: Using notify time: 600 and max 
 time to reconnect: 1800
  2014/10/06 03:14:52 ossec-agentd(1410): INFO: Reading authentication 
 keys file.
  2014/10/06 03:14:52 ossec-agentd(1402): ERROR: Authentication key file 
 '/etc/client.keys' not found.

 I believe the process chroots itself to /var/ossec.

  2014/10/06 03:14:52 ossec-agentd(1750): ERROR: No remote connection 
 configured. Exiting.
  2014/10/05 23:14:52 ossec-rootcheck: Rootcheck disabled. Exiting.
  2014/10/05 23:14:52 ossec-syscheckd: WARN: Rootcheck module disabled.
  2014/10/05 23:14:59 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:14:59 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:15:01 ossec-logcollector(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:15:01 ossec-logcollector(1211): ERROR: Unable to access 
 queue: '/var/ossec/queue/ossec/queue'. Giving up..
  2014/10/05 23:15:07 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:15:07 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:15:20 ossec-syscheckd(1210): ERROR: Queue 
 '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
  2014/10/05 23:15:20 ossec-syscheckd(1211): ERROR: Unable to access 
 queue: '/var/ossec/queue/ossec/queue'. Giving up..
  2014/10/05 23:33:49 ossec-agentd(4105): ERROR: No valid server IP found.
  2014/10/05 23:33:49 ossec-agentd(1215): ERROR: No client configured. 
 Exiting.
  2014/10/05 23:33:49 ossec-execd: INFO: Started (pid: 98676).
 



[ossec-list] Re: OSSEC CON 2014 - Malware detection with OSSEC, video and slides available

2014-10-07 Thread SoulAuctioneer
Awesome. Thanks for sharing. I look forward to seeing the rest of the 
presentations when they get posted.
