Re: [ossec-list] segmentation fault
On Mon, Dec 17, 2012 at 10:31 PM, Carrie Poole wrote:
> The segfaults in /var/log/messages are:
>
> Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 02d1 rip 0042191b rsp 7fff87247e90 error 4
> Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 02d1 rip 0042191b rsp 7fff76959dc0 error 4
>
> ~ Carrie

Ok, I was thinking the segfaults were on the agents. Please post the remote section of the ossec.conf.

> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 10:06 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole wrote:
>> Line 138 in ossec.conf is the active response, which is disabled:
>>
>> yes
>> host-deny
>> local
>> 6
>> 600
>>
>> yes
>> firewall-drop
>> local
>> 6
>> 600
>
> So it looks like line 138 in ossec-control should be something like:
>
>     for i in ${SDAEMONS}; do
>
> which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.
>
>> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.
>
> Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.
>
>> ~ Carrie
>>
>> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
>> Sent: Monday, December 17, 2012 4:41 PM
>> To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] segmentation fault
>>
>> [earlier quoted messages snipped]
>>
>>> CONFIDENTIALITY NOTICE: This e-mail is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please delete it from your computer and contact the sender.
RE: [ossec-list] segmentation fault
This is the only line that matches the segfault error in the logs:

    testconfig() {
        # We first loop to check the config.
        for i in ${SDAEMONS}; do
            ${DIR}/bin/${i} -t ${DEBUG_CLI};
            if [ $? != 0 ]; then
                echo "${i}: Configuration error. Exiting"
                unlock;
                exit 1;
            fi
        done
    }

~ Carrie

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:06 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault

On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole wrote:
> Line 138 in ossec.conf is the active response, which is disabled:
>
> yes
> host-deny
> local
> 6
> 600
>
> yes
> firewall-drop
> local
> 6
> 600

So it looks like line 138 in ossec-control should be something like:

    for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.

> ~ Carrie
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 4:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> [earlier quoted messages snipped]
RE: [ossec-list] segmentation fault
The segfaults in /var/log/messages are:

Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 02d1 rip 0042191b rsp 7fff87247e90 error 4
Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 02d1 rip 0042191b rsp 7fff76959dc0 error 4

~ Carrie

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:06 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault

On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole wrote:
> Line 138 in ossec.conf is the active response, which is disabled:
>
> yes
> host-deny
> local
> 6
> 600
>
> yes
> firewall-drop
> local
> 6
> 600

So it looks like line 138 in ossec-control should be something like:

    for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.

> ~ Carrie
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 4:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> [earlier quoted messages snipped]
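A small triage script for the kernel lines Carrie posted, added here as an example and not code from the thread or from the OSSEC project. It pulls the daemon name, pid, fault address and instruction pointer out of each "segfault at" line, decodes the x86 page-fault error code, and groups the crashes per daemon, which is the "find out which daemon is crashing" step dan asks for. The two ossec-remoted lines are the ones from the thread; the ossec-agentd line and the unrelated ossec-control line are constructed, to show the newer "ip"/"sp" kernel wording and that non-segfault lines are ignored.

```python
import re
from collections import defaultdict

# Kernel "segfault at" report on x86 Linux. The RHEL 5-era kernel in the thread
# prints "rip"/"rsp"; newer kernels print "ip"/"sp" and append "in <binary>[...]".
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Constructed sample: the two ossec-remoted lines are the ones posted in the
# thread; the other two lines are made up to show the newer kernel format and
# that non-segfault lines are ignored.
SAMPLE_MESSAGES = [
    "Dec 17 15:45:24 abeossecpr kernel: ossec-remoted[6378]: segfault at 02d1 rip 0042191b rsp 7fff87247e90 error 4",
    "Dec 17 15:46:02 abeossecpr ossec-control: starting ossec-remoted",
    "Dec 17 15:48:56 abeossecpr kernel: ossec-remoted[6627]: segfault at 02d1 rip 0042191b rsp 7fff76959dc0 error 4",
    "Dec 17 16:02:11 abeossecpr kernel: ossec-agentd[7001]: segfault at 0 ip 00000000004031aa sp 00007ffd21a0e0c0 error 6 in ossec-agentd[400000+8c000]",
]


def decode_error(code):
    """Decode the x86 page-fault error code printed after 'error'.
    bit0: 0 = page not present, 1 = protection violation; bit1: write access;
    bit2: fault raised from user mode; bit3: reserved bit set; bit4: instruction fetch."""
    flags = [
        "protection violation" if code & 1 else "page not present",
        "write" if code & 2 else "read",
        "user mode" if code & 4 else "kernel mode",
    ]
    if code & 8:
        flags.append("reserved bit set")
    if code & 16:
        flags.append("instruction fetch")
    return flags


def parse_segfaults(lines):
    """Return one dict per kernel segfault line; every other line is skipped."""
    events = []
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        err = int(m["err"])
        events.append({
            "ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"]),
            "addr": int(m["addr"], 16), "ip": int(m["ip"], 16), "sp": int(m["sp"], 16),
            "error": err, "flags": decode_error(err),
        })
    return events


def summarize(events, first_page=0x1000):
    """Group crashes per daemon: count, pids, distinct instruction pointers, and how
    many faulted inside the first page (a NULL pointer plus a small field offset)."""
    by_proc = defaultdict(lambda: {"count": 0, "pids": [], "ips": set(), "near_null": 0})
    for e in events:
        s = by_proc[e["proc"]]
        s["count"] += 1
        s["pids"].append(e["pid"])
        s["ips"].add(e["ip"])
        if e["addr"] < first_page:
            s["near_null"] += 1
    return dict(by_proc)


def main():
    events = parse_segfaults(SAMPLE_MESSAGES)
    for proc, s in summarize(events).items():
        sites = ", ".join(f"0x{ip:x}" for ip in sorted(s["ips"]))
        print(f"{proc}: {s['count']} crash(es) in pids {s['pids']}, "
              f"instruction pointer(s) {sites}, {s['near_null']} near-NULL fault(s)")
    for e in events:
        print(f"  {e['ts']} {e['proc']}[{e['pid']}] addr=0x{e['addr']:x}: {', '.join(e['flags'])}")


if __name__ == "__main__":
    main()
```

For the two lines from the thread the summary is two ossec-remoted crashes at the same instruction pointer (0x42191b), both faulting at 0x2d1 with error 4, i.e. a user-mode read of an address inside the first page that is not mapped. The same instruction dereferencing a small offset from a NULL pointer on every start points at a deterministic trigger the daemon hits while reading its configuration, rather than random corruption, which is why asking for the remote section of ossec.conf is the natural next step.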
Re: [ossec-list] web_rules.xml is triggering alert, but we are not getting email
On Mon, Dec 17, 2012 at 3:49 PM, Dhinakaran G wrote:
> Hi all,
>
> In web_rules.xml a rule is triggering alerts that are stored in the log, but they are not reaching our email notification. Any idea?
>
> here the file:
>
> [web_rules.xml snipped; it is quoted in full in the original post]
>
> log:
>
> root@ossec-server:/var/ossec/logs/alerts# tail -f alerts.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 10.91.27.83
> 10.91.27.83 - - [18/Dec/2012:02:17:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"
>
> ** Alert 1355777301.244484: - web,accesslog,
> 2012 Dec 18 02:18:21 ossec-server->/var/log/apache2/access.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 10.91.27.83
> 10.91.27.83 - - [18/Dec/2012:02:18:20 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"
>
> ** Alert 1355777331.244789: - web,accesslog,
> 2012 Dec 18 02:18:51 ossec-server->/var/log/apache2/access.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 10.91.27.83
> 10.91.27.83 - - [18/Dec/2012:02:18:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"

Are you sure level 5 alerts should trigger emails? The default is 7.
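As an added example (not code from the thread or from the OSSEC project), a parser for the alerts.log excerpt above together with the email decision dan is pointing at: OSSEC mails an alert when the rule level is at or above email_alert_level (default 7) or when the rule carries the alert_by_email option, while no_email_alert on the rule, or email_notification set to no in the global section, suppresses it. The sample text is the excerpt from the thread with the wrapped Apache lines rejoined; the first record has no "** Alert" header because tail -f started mid-record, and the parser keeps it as a truncated alert rather than discarding it. The rule_options mapping passed to unmailed_rules is an assumption about the local rules file, not something read from OSSEC.

```python
import re
from collections import Counter

# alerts.log layout as in the excerpt above: a "** Alert" header, a
# "<date> <host>-><location>" line, the "Rule:" line, an optional "Src IP:" line
# and then the raw log line(s) that matched. OSSEC writes "mail  -" instead of "-"
# in the header when the alert was flagged for email.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?P<mail>mail\s+)?- (?P<groups>.*)$")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d (?P<location>\S+->\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")

# Constructed sample: the excerpt from the thread with the wrapped Apache lines
# rejoined. The first record has no header because 'tail -f' started mid-record.
SAMPLE_ALERTS = """\
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:17:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"

** Alert 1355777301.244484: - web,accesslog,
2012 Dec 18 02:18:21 ossec-server->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:18:20 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"

** Alert 1355777331.244789: - web,accesslog,
2012 Dec 18 02:18:51 ossec-server->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:18:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"
"""


def _new_alert(ts=None, mail_flag=False, groups=()):
    return {"ts": ts, "mail_flag": mail_flag, "groups": list(groups), "location": None,
            "rule": None, "level": None, "desc": None, "src_ip": None, "log": []}


def parse_alerts(text):
    """Split alerts.log text into one dict per alert record."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = _new_alert(float(m["ts"]), bool(m["mail"]),
                             [g for g in m["groups"].split(",") if g])
            alerts.append(cur)
            continue
        if cur is None:  # header lost to tail -f: keep the fields that are visible
            cur = _new_alert()
            alerts.append(cur)
        m = LOCATION_RE.match(line)
        if m:
            cur["location"] = m["location"]
            continue
        m = RULE_RE.match(line)
        if m:
            cur["rule"], cur["level"], cur["desc"] = int(m["id"]), int(m["level"]), m["desc"]
            continue
        m = SRCIP_RE.match(line)
        if m:
            cur["src_ip"] = m["ip"]
            continue
        cur["log"].append(line)
    return alerts


def would_email(level, options=(), email_alert_level=7, email_notification=True):
    """OSSEC's per-rule email decision: mail when the level reaches
    <email_alert_level> (default 7) or the rule has <options>alert_by_email</options>;
    no_email_alert, or <email_notification>no</email_notification>, suppresses it."""
    opts = set(options)
    if not email_notification or "no_email_alert" in opts:
        return False
    return "alert_by_email" in opts or level >= email_alert_level


def unmailed_rules(alerts, rule_options=None, email_alert_level=7):
    """Rules that fired but would not be mailed, as {rule_id: (level, hit_count)}.
    rule_options maps rule id -> that rule's <options> values (assumed known)."""
    rule_options = rule_options or {}
    hits, levels = Counter(), {}
    for a in alerts:
        if a["rule"] is None:
            continue
        if not would_email(a["level"], rule_options.get(a["rule"], ()), email_alert_level):
            hits[a["rule"]] += 1
            levels[a["rule"]] = a["level"]
    return {rid: (levels[rid], n) for rid, n in hits.items()}


def main():
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alert(s), {sum(a['mail_flag'] for a in alerts)} flagged for mail")
    for rid, (level, n) in unmailed_rules(alerts).items():
        print(f"rule {rid} fired {n}x at level {level}: below email_alert_level 7 "
              f"and no alert_by_email option, so nothing is mailed")


if __name__ == "__main__":
    main()
```

Run against the excerpt it reports that rule 31101 fired three times at level 5 and that none of the records carries the mail flag, which matches what dan suspects. Adding alert_by_email to that rule's options in a local rules file, or lowering email_alert_level in the global section of ossec.conf, flips the result; since the three hits are 404s from an ELB health checker, it is worth deciding first whether that traffic is something anyone wants mailed about at all.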
Re: [ossec-list] segmentation fault
On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole wrote:
> Line 138 in ossec.conf is the active response, which is disabled:
>
> yes
> host-deny
> local
> 6
> 600
>
> yes
> firewall-drop
> local
> 6
> 600

So it looks like line 138 in ossec-control should be something like:

    for i in ${SDAEMONS}; do

which goes through the list of daemons and tries to start them. One of them is failing, and you have to figure out which one.

> All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

Check the system logs, Linux usually logs segfaults. You could also see which daemons are running after the segfault. If no traffic is passing between the agents and the server, ossec-agentd may have crashed. But real troubleshooting can't really happen until the basics are taken care of, namely finding out which daemon is crashing.

> ~ Carrie
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Monday, December 17, 2012 4:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] segmentation fault
>
> On Dec 17, 2012 4:37 PM, "Carrie Poole" wrote:
>> I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.
>>
>> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}
>
> What's line 138 in ossec-control?
> Anything in the ossec.log for the failing agent?
>
>> Line 138 in ossec.conf is the active response, which is disabled.
>>
>> I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.
>>
>> Any help would be appreciated!
>>
>> Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
>>
>> Carrie P
RE: [ossec-list] segmentation fault
Line 138 in ossec.conf is the active response, which is disabled:

yes
host-deny
local
6
600

yes
firewall-drop
local
6
600

All of the ossec logs on the agent say they can't reach the server, but this wasn't the case last week. The ossec server log doesn't say anything, it acts as if the agents aren't even there. It does syscheck but no longer sees the agents.

~ Carrie

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 4:41 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault

On Dec 17, 2012 4:37 PM, "Carrie Poole" wrote:
> I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.
>
> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

What's line 138 in ossec-control? Anything in the ossec.log for the failing agent?

> Line 138 in ossec.conf is the active response, which is disabled.
>
> I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.
>
> Any help would be appreciated!
>
> Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
>
> Carrie P
Re: [ossec-list] segmentation fault
On Dec 17, 2012 4:37 PM, "Carrie Poole" wrote:
> I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.
>
> /var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

What's line 138 in ossec-control? Anything in the ossec.log for the failing agent?

> Line 138 in ossec.conf is the active response, which is disabled.
>
> I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.
>
> Any help would be appreciated!
>
> Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
>
> Carrie P
[ossec-list] Segmentation faults
I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.

/var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

Line 138 in ossec.conf is the active response, which is disabled:

yes
host-deny
local
6
600

yes
firewall-drop
local
6
600

I have checked the ossec.conf and agent.conf for any mistakes and haven't found any, and since this was working properly for a while, I'm pretty positive that's not the issue. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.

Any help would be appreciated!

Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)
[ossec-list] segmentation fault
I'm getting segmentation faults across all of my agents when restarting. Nothing is showing connected anymore.

/var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault ${DIR}/bin/${i}

Line 138 in ossec.conf is the active response, which is disabled.

I have checked the ossec.conf and agent.conf for any mistakes and haven't found any. This was an issue on only a few agents last week, and now it is happening across all agents after the 2.6 upgrade. All agents are showing not connected. None of the configuration files have changed.

Any help would be appreciated!

Ossec V 2.6 RedHat Linux (server and agents with 5 windows agents)

Carrie P
[ossec-list] web_rules.xml is triggering alert, but we are not getting email
Hi all,

In web_rules.xml a rule is triggering alerts that are stored in the log, but they are not reaching our email notification. Any idea?

here the file:

web-log
Access log messages grouped.

31100
^2|^3
is_simple_http_request
Ignored URLs (simple queries).

31100
^4
Web server 400 error code.

31101
.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$
is_simple_http_request
Ignored extensions on 400 error codes.

31100
='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|
union+|where+|null,null|xp_cmdshell
SQL injection attempt.
attack,sql_injection,

31100
%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|
cmd.exe|root.exe|_mem_bin|msadc|/winnt/|
/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|
cat%20|exec%20|rm%20
Common web attack.
attack,

31100
%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|
%20ONLOAD=|INPUT%20|iframe%20
XSS (Cross Site Scripting) attempt.
attack,

31103, 31104, 31105
^200
A web attack returned code 200 (success).
attack,

31100
?-d|?-s|?-a|?-b|?-w
PHP CGI-bin vulnerability attempt.
attack,

31100
+as+varchar(8000)
%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)
MSSQL Injection attempt (/ur.php, urchin.js)
attack,

31103, 31104, 31105
^/search.php?search=|^/index.php?searchword=
Ignored URLs for the web attacks

31100
URL too long. Higher than allowed on most browsers. Possible attack.
invalid_access,

31100
^50
Web server 500 error code (server error).

31120
^501
Web server 501 error code (Not Implemented).

31120
^500
alert_by_email
Web server 500 error code (Internal Error).
system_error,

31120
^503
alert_by_email
Web server 503 error code (Service unavailable).

31101
is_valid_crawler
Ignoring google/msn/yahoo bots.

31101
Multiple web server 400 error codes from same source ip.
web_scan,recon,

31103
Multiple SQL injection attempts from same souce ip.
attack,sql_injection,

31104
Multiple common web attacks from same souce ip.
attack,

31105
Multiple XSS (Cross Site Scripting) attempts from same souce ip.
attack,

31121
Multiple web server 501 error code (Not Implemented).
web_scan,recon,

31122
Multiple web server 500 error code (Internal Error).
system_error,

31123
Multiple web server 503 error code (Service unavailable).
web_scan,recon,

log:

root@ossec-server:/var/ossec/logs/alerts# tail -f alerts.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:17:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"

** Alert 1355777301.244484: - web,accesslog,
2012 Dec 18 02:18:21 ossec-server->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:18:20 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"

** Alert 1355777331.244789: - web,accesslog,
2012 Dec 18 02:18:51 ossec-server->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 10.91.27.83
10.91.27.83 - - [18/Dec/2012:02:18:50 +0530] "GET /_hostmanager/healthcheck HTTP/1.1" 404 543 "-" "ELB-HealthChecker/1.0"
[ossec-list] Re: Rule Frequency problem
You should take a look at this patch: https://groups.google.com/forum/?fromgroups=#!search/accumulator/ossec-dev/NfQaFREyCHI/ycoRVq6YD_gJ

On Thursday, December 13, 2012 8:21:51 AM UTC-8, Mike Hubbard wrote:
> Hello -
>
> I am trying to construct a set of rules that cause a change in behavior if a certain thing happens.
> My first rule catches a particular line from a log file and has an ID of 100500.
> Then I have a set of rules that look something like this:
>
> 100500
> 550
> /a/file/im/interested/in
> Acceptable update of /a/file/im/interested/in
>
> 100500
> 550
> /a/differentfile/im/interested/in
> Acceptable update of /a/differentfile/im/interested/in
>
> This works just great - the first time through. If, within the 5 minute period, one of the files is modified, then either rule 100524 or 100525 triggers.
> But that is the end of my show. I've been interpreting frequency and timeframe as count of alerts within the time period - but it appears to me that my count of alerts is being reset after the first composite rule fires. Is it not "legal" to have multiple rules watching the frequency of some other rule? Is there some other simpler problem here with my rules?
>
> Thank you