Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?
Michael, if you remove if_sid, will it match anything? I am trying now to play with it a bit and it doesn't match. I created a vulnerable cgi script. All 40x attempts are matched by 31101.

**Phase 1: Completed pre-decoding.
       full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
       hostname: 'Ossec1'
       program_name: '(null)'
       log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 404 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.111.111.111'
       url: '/cgi-bin/test.cgi'
       id: '404'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
    Trying rule: 31115 - URL too long. Higher than allowed on most browsers. Possible attack.
    Trying rule: 31103 - SQL injection attempt.
    Trying rule: 31104 - Common web attack.
    Trying rule: 31105 - XSS (Cross Site Scripting) attempt.
    Trying rule: 31110 - PHP CGI-bin vulnerability attempt.
    Trying rule: 31109 - MSSQL Injection attempt (/ur.php, urchin.js)
    Trying rule: 31164 - SQL injection attempt.
    Trying rule: 31165 - SQL injection attempt.
    Trying rule: 31501 - WordPress Comment Spam (coming from a fake search engine UA).
    Trying rule: 31502 - TimThumb vulnerability exploit attempt.
    Trying rule: 31503 - osCommerce login.php bypass attempt.
    Trying rule: 31504 - osCommerce file manager login.php bypass attempt.
    Trying rule: 31505 - TimThumb backdoor access attempt.
    Trying rule: 31506 - Cart.php directory transversal attempt.
    Trying rule: 31507 - MSSQL Injection attempt (ur.php, urchin.js).
    Trying rule: 31508 - Blacklisted user agent (known malicious user agent).
    Trying rule: 31511 - Blacklisted user agent (wget).
    Trying rule: 31512 - Uploadify vulnerability exploit attempt.
    Trying rule: 31513 - BBS delete.php exploit attempt.
    Trying rule: 31514 - Simple shell.php command execution.
    Trying rule: 31515 - PHPMyAdmin scans (looking for setup.php).
    Trying rule: 31516 - Suspicious URL access.
    Trying rule: 31550 - Anomaly URL query (attempting to pass null termination).
    Trying rule: 31101 - Web server 400 error code.
       *Rule 31101 matched.
       *Trying child rules.
    Trying rule: 31102 - Ignored extensions on 400 error codes.
    Trying rule: 31140 - Ignoring google/msn/yahoo bots.
    Trying rule: 31141 - Ignored 499's on nginx.
    Trying rule: 31151 - Multiple web server 400 error codes from same source ip.

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.

There is an even bigger issue. When the status code is 200, rule 31108 matches and the attack is ignored:

**Phase 1: Completed pre-decoding.
       full event: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'
       hostname: 'Ossec1'
       program_name: '(null)'
       log: '111.111.111.111 - - [07/Oct/2014:12:53:51 +] GET /cgi-bin/test.cgi HTTP/1.1 200 1666 - () { test;};echo \\\Content-type: text/plain\\\; echo; echo; /bin/cat /etc/passwd'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '111.111.111.111'
       url: '/cgi-bin/test.cgi'
       id: '200'

**Rule debugging:
    Trying rule: 4 - Generic template for all web rules.
       *Rule 4 matched.
       *Trying child rules.
    Trying rule: 31100 - Access log messages grouped.
       *Rule 31100 matched.
       *Trying child rules.
    Trying rule: 31108 - Ignored URLs (simple queries).
       *Rule 31108 matched.
       *Trying child rules.
    Trying rule: 31509 - CMS (WordPress or Joomla) login attempt.

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'
Jan

On Mon, Oct 6, 2014 at 5:52 PM, Michael Starks ossec-l...@michaelstarks.com wrote:

> On 2014-10-04 5:30, Jan Andrasko wrote:
> > Hello Michael, Thanks for sharing this. Any specific reason for the '.+' after the '()'?
>
> You are right, '.*' is better. Thanks for pointing this out.
>
> > Also, the ':' before ';' is not part of the exploit, so you may want to remove that.
>
> You are right again, there can be anything before ';'.
>
> I think there is a bug in either the OSSEC code or documentation, as I was getting some false-positives for this. The issue seems to be with the () characters, which, in my experience, need to be
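The two problems Jan's logtest runs expose are that the Shellshock rule only fires when a 4xx rule (31101) has matched first, and that the level-0 "ignored URLs" rule swallows the 200 case before any attack rule is consulted. The following Python is an added illustration of both points written for this thread; it is not code from the list, from Michael's rule or from the OSSEC project. It parses Apache combined-format lines (constructed, modelled on Jan's sample), looks for the bash function header `() {` in every client-controlled field regardless of status code, and runs the same lines through two small ordered rule chains. The rule ids 100001 to 100003 are hypothetical, and the level-0 rule is only a simplified stand-in for 31108 (2xx/3xx responses dropped); it does not reproduce OSSEC's real rule tree.

```python
import re
from typing import Callable, NamedTuple, Optional

# Constructed sample access-log lines in Apache "combined" layout. The two
# Shellshock lines mirror the 404 and 200 requests in Jan's ossec-logtest
# output; the other addresses, paths and user agents are placeholders.
SAMPLE_LOG = [
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 1666 "-" '
    '"() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /etc/passwd"',
    '111.111.111.111 - - [07/Oct/2014:12:53:51 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1666 "-" '
    '"() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /etc/passwd"',
    '10.0.0.5 - - [07/Oct/2014:12:54:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # payload carried in the Referer header instead of the User-Agent
    '10.0.0.6 - - [07/Oct/2014:12:54:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 20 '
    '"() { :; }; /bin/cat /etc/passwd" "curl/7.38"',
    '10.0.0.7 - - [07/Oct/2014:12:55:00 +0000] "GET /nonexistent HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

# Apache combined format; escaped inner quotes (\") in the quoted fields are accepted.
COMBINED_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock signature: the bash exported-function header "() {". As agreed in
# the thread, nothing is required after the "()" or before the ";", so only
# the prefix is pinned.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


class Rule(NamedTuple):
    rule_id: str
    level: int
    description: str
    matches: Callable[[dict], bool]


def parse_access_line(line: str) -> Optional[dict]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock(ev: dict) -> bool:
    # Every client-controlled field is checked. The status code is deliberately
    # ignored: a 200 means the CGI ran, so the injected command most likely ran too.
    return any(SHELLSHOCK_RE.search(ev[f]) for f in ("url", "referrer", "ua"))


# Hypothetical rule ids. IGNORE_SIMPLE is a simplified stand-in for OSSEC's
# 31108 (level 0, 2xx/3xx dropped); ERROR_4XX stands in for 31101.
IGNORE_SIMPLE = Rule("100001", 0, "Ignored URLs (simple queries)", lambda ev: ev["status"][0] in "23")
SHELLSHOCK = Rule("100002", 12, "Shellshock attempt in web request", is_shellshock)
ERROR_4XX = Rule("100003", 5, "Web server 400 error code", lambda ev: ev["status"][0] == "4")

# The first rule in a chain that matches decides the outcome, so an ignore rule
# listed ahead of the attack rule silently swallows the attack (Jan's 200 case).
CHAIN_AS_POSTED = [IGNORE_SIMPLE, ERROR_4XX, SHELLSHOCK]
CHAIN_FIXED = [SHELLSHOCK, IGNORE_SIMPLE, ERROR_4XX]


def evaluate(line: str, chain) -> Optional[Rule]:
    """Return the first rule in `chain` that matches the parsed line, or None."""
    ev = parse_access_line(line)
    if ev is None:
        return None
    for rule in chain:
        if rule.matches(ev):
            return rule
    return None


def alerts(lines, chain):
    """Return (srcip, rule_id, level) for every line that ends on a rule with level > 0."""
    out = []
    for line in lines:
        rule = evaluate(line, chain)
        if rule is not None and rule.level > 0:
            out.append((parse_access_line(line)["srcip"], rule.rule_id, rule.level))
    return out


if __name__ == "__main__":
    for name, chain in (("as posted", CHAIN_AS_POSTED), ("fixed", CHAIN_FIXED)):
        print(name)
        for alert in alerts(SAMPLE_LOG, chain):
            print("  ", alert)
```

With the chain in the posted order, only the two 404 lines produce alerts, both as generic 400 errors, and the 200 Shellshock request is dropped at level 0; with the attack rule evaluated first, all three Shellshock lines alert at level 12 whatever the status code. In OSSEC the equivalent is to make the rule independent of 31101 and to confirm with ossec-logtest, as Jan did, that it is tried before 31108 for a 200 response.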
[ossec-list] connection refused error after key exchange using ossec-authd
Hi,

We have automated the OSSEC key distribution with the help of ossec-authd. Initially, it worked well with no issues. All the agents were getting the keys and were able to communicate fine with the server. Lately, whenever I am trying to install OSSEC, the key distribution works correctly, but when trying to start the OSSEC agent, we get the following error:

2014/10/07 10:27:53 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/10/07 10:27:53 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.

On the server side, the agent showed up correctly under ./manage-agent. After checking a bit further, I noticed that the key the agent received from the server using agent-auth (under /etc/client.keys) is different from the one extracted from ./manage-agent. If the new agent connected properly to the server, and also got listed on the server, how could the key be different on both sides? If I add the new key manually on the agent, it starts working fine. Am I missing something here? Please advise.

Thanks,
Abhi

--
---
You received this message because you are subscribed to the Google Groups ossec-list group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Authentication key file '/etc/client.keys' not found.
So it turns out that using prevars in the install process was unneeded. Uninstalling and reinstalling with it removed solved this issue.

On Monday, October 6, 2014 5:15:46 AM UTC-4, dan (ddpbsd) wrote:

> On Oct 6, 2014 5:11 AM, Bryan Pearson bpea...@reverbnation.com wrote:
> > I did a compile from source using srpm. I have now moved on to installing the agent on a box, and I am now getting the following message. I am a bit confused because ossec is looking in the wrong place for the key file. I have already used the auto auth to connect the machines, but because the daemon won't start that won't connect.
> >
> > 2014/10/05 23:14:52 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> > 2014/10/06 03:14:52 ossec-agentd(1410): INFO: Reading authentication keys file.
> > 2014/10/06 03:14:52 ossec-agentd(1402): ERROR: Authentication key file '/etc/client.keys' not found.
>
> I believe the process chroots itself to /var/ossec.
>
> > 2014/10/06 03:14:52 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> > 2014/10/05 23:14:52 ossec-rootcheck: Rootcheck disabled. Exiting.
> > 2014/10/05 23:14:52 ossec-syscheckd: WARN: Rootcheck module disabled.
> > 2014/10/05 23:14:59 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:14:59 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:15:01 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:15:01 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2014/10/05 23:15:07 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:15:07 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:15:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2014/10/05 23:15:20 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2014/10/05 23:33:49 ossec-agentd(4105): ERROR: No valid server IP found.
> > 2014/10/05 23:33:49 ossec-agentd(1215): ERROR: No client configured. Exiting.
> > 2014/10/05 23:33:49 ossec-execd: INFO: Started (pid: 98676).
[ossec-list] Re: OSSEC CON 2014 - Malware detection with OSSEC, video and slides available
Awesome. Thanks for sharing. I look forward to seeing the rest of the presentations when they get posted.