Re: [ossec-list] Re: Source Leak Scan Increase(?)
On Tue, Sep 25, 2018 at 10:12 AM Fredrik Hilmersson wrote:
>
> The reason why I'm wondering about the above is that my access log keeps
> getting spammed by these scripts and rule 31151 doesn't seem to register the
> multiple 404s from the same source IP.
>
> My question is: shouldn't rule 31151 be triggered, e.g., by the example below?
>
> Rule 31151 is set to:
>
> Frequency = 12

"frequency" is weird. It requires frequency + 2 to trigger.

> Timeframe = 90
>
> This is from access.log (12 entries as an example; there are more from the same
> source IP, all from 30-100 different requests):
>
> IP - - [24/Sep/2018:14:10:30 +0200] "GET /webdav/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:32 +0200] "GET /java.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:32 +0200] "GET /_query.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:33 +0200] "GET /test.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_cts.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_pma.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:35 +0200] "GET /logon.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:35 +0200] "GET /help-e.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /license.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /log.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /hell.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:37 +0200] "GET /pmd_online.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
>
> On Friday, 7 September 2018 at 14:22:17 UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello,
>>
>> I noticed recently that my cloud servers have got increased requests for a
>> long range of PHP files from the same source IP. If I'm not the only one, I
>> started to collect the page requests into a list. However, I have seen that some of
>> the requests get caught, for instance by PSAD and matching signatures. I
>> think the web_appsec_rules.xml might need an update though to decrease the
>> amount of incoming requests. More information:
>> https://github.com/featzor/ossec-rules
>>
>> Kind regards,
>> Fredrik
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
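To make the rule 31151 question concrete, here is an added example (not OSSEC's code, nor anything from the thread participants) that replays the quoted access.log lines through a per-source frequency/timeframe count; it takes the reply's statement that OSSEC needs frequency + 2 matching events as an assumption (the off_by parameter), and the source address is a constructed placeholder because the post redacts it.

```python
# Added example (not OSSEC's code): replay Apache access-log lines through a
# frequency/timeframe correlation like rule 31151's, to see why 12 hits from
# one source did not fire. Per the reply, OSSEC needs frequency + 2 matching
# events; that is modelled by off_by (assumption taken from the thread).
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample: the 12 timestamps/paths quoted in the thread; the source
# address was redacted there, so a documentation address stands in for it.
HITS = [("14:10:30", "/webdav/"), ("14:10:32", "/java.php"), ("14:10:32", "/_query.php"),
        ("14:10:33", "/test.php"), ("14:10:34", "/db_cts.php"), ("14:10:34", "/db_pma.php"),
        ("14:10:35", "/logon.php"), ("14:10:35", "/help-e.php"), ("14:10:36", "/license.php"),
        ("14:10:36", "/log.php"), ("14:10:36", "/hell.php"), ("14:10:37", "/pmd_online.php")]
SAMPLE_LOG = ['192.0.2.10 - - [24/Sep/2018:%s +0200] "GET %s HTTP/1.1" 404 162 "-" "Mozilla/5.0"'
              % (t, p) for t, p in HITS]


def parse(line):
    """Return (ip, epoch_seconds, status) for one combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
    return m['ip'], ts, int(m['status'])


def correlate(lines, frequency=12, timeframe=90, off_by=2):
    """Count 404s per source IP in a sliding window of `timeframe` seconds and
    return (ip, epoch) for each point where frequency + off_by hits accumulate."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[2] != 404:
            continue
        ip, ts, _ = parsed
        w = windows[ip]
        w.append(ts)
        while ts - w[0] > timeframe:      # drop hits older than the timeframe
            w.popleft()
        if len(w) >= frequency + off_by:
            alerts.append((ip, ts))
            w.clear()                     # one alert per burst (this simulation's choice)
    return alerts


if __name__ == '__main__':
    print("as configured (12 + 2 hits needed):", correlate(SAMPLE_LOG))
    print("if 12 hits sufficed:", correlate(SAMPLE_LOG, off_by=0))
```

With the quoted 12 lines the configured rule stays silent, while two more 404s inside the 90 s window, or a frequency of 10, would make it fire.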
[ossec-list] Re: Source Leak Scan Increase(?)
The reason why I'm wondering about the above is that my access log keeps getting spammed by these scripts and rule 31151 doesn't seem to register the multiple 404s from the same source IP.

My question is: shouldn't rule 31151 be triggered, e.g., by the example below?

Rule 31151 is set to:

Frequency = 12
Timeframe = 90

This is from access.log (12 entries as an example; there are more from the same source IP, all from 30-100 different requests):

IP - - [24/Sep/2018:14:10:30 +0200] "GET /webdav/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:32 +0200] "GET /java.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:32 +0200] "GET /_query.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:33 +0200] "GET /test.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_cts.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_pma.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:35 +0200] "GET /logon.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:35 +0200] "GET /help-e.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:36 +0200] "GET /license.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:36 +0200] "GET /log.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:36 +0200] "GET /hell.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
IP - - [24/Sep/2018:14:10:37 +0200] "GET /pmd_online.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"

On Friday, 7 September 2018 at 14:22:17 UTC+2, Fredrik Hilmersson wrote:
>
> Hello,
>
> I noticed recently that my cloud servers have got increased requests for a
> long range of PHP files from the same source IP. If I'm not the only one, I
> started to collect the page requests into a list. However, I have seen that some
> of the requests get caught, for instance by PSAD and matching signatures. I
> think the web_appsec_rules.xml might need an update though to decrease the
> amount of incoming requests.
> More information:
> https://github.com/featzor/ossec-rules
>
> Kind regards,
> Fredrik
[ossec-list] ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'
Hi all,

I'm trying to install OSSEC 3.0 (by RPM, http://www.ossec.net/docs/manual/installation/installation-package.html#rpm-installation) on CentOS 7 but cannot start ossec-remoted:

2018/09/25 04:41:07 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2018/09/25 04:41:07 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2018/09/25 04:41:20 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2018/09/25 04:41:20 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

I followed the doc from http://www.ossec.net/docs/faq/unexpected.html#what-does-1210-queue-not-accessible-mean but it still does not work:

1. add a new agent
2. restart ossec-server & ossec-agent

I checked that ossec-analysisd is OK (bin/ossec-analysisd -df), and the ERROR should be caused by ossec-remoted not starting correctly. I know this is an old question, but I cannot google a workable solution. Can anyone help? Thanks.

Below is my server info:

[root@ip-10-23-207-85 ossec]# cat /proc/version
Linux version 3.10.0-862.11.6.el7.x86_64 (buil...@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Tue Aug 14 21:49:04 UTC 2018
[root@ip-10-23-207-85 ossec]# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="3.0.0"
DATE="Tue Jul 17 17:28:33 EDT 2018"
TYPE="server"
[root@ip-10-23-207-85 ossec]# bin/ossec-remoted -df
2018/09/25 05:03:37 ossec-remoted: DEBUG: Starting ...
2018/09/25 05:03:37 ossec-remoted: INFO: Started (pid: 19473).
[root@ip-10-23-207-85 ossec]# 2018/09/25 05:03:37 ossec-remoted: DEBUG: Forking remoted: '0'.
2018/09/25 05:03:37 ossec-remoted: INFO: Started (pid: 19474).
2018/09/25 05:03:38 ossec-remoted: DEBUG: Running manager_init
2018/09/25 05:03:41 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2018/09/25 05:03:41 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
[root@ip-10-23-207-85 ossec]# service ossec-hids status
ossec-monitord not running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
[root@ip-10-23-207-85 centos]# /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ip-10-23-207-85.usw2.cs-htc.co (server), IP: 127.0.0.1, Active/Local
   ID: 1026, Name: ip-10-23-196-173, IP: any, Never connected

Below is my agent info (AWS AMI: amzn-ami-hvm-2017.09.1.20180115-x86_64-gp2):

[root@ip-10-23-196-173 ossec]# cat /proc/version
Linux version 4.14.42-52.37.amzn1.x86_64 (mockbuild@gobi-build-64011) (gcc version 7.2.1 20170915 (Red Hat 7.2.1-2) (GCC)) #1 SMP Tue May 22 00:41:10 UTC 2018
[root@ip-10-23-196-173 ossec]# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="3.0.0"
DATE="Tue Jul 17 17:47:43 EDT 2018"
TYPE="agent"
[root@ip-10-23-196-173 ossec]# service ossec-hids status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...

PS: network TCP 1515 & UDP 1514 are open.

PS: if I add an agent on an older Linux first, it works (AWS AMI: amzn-ami-hvm-2016.09.1.20161221-x86_64-gp2, Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016): ossec-server can start ossec-remoted after I add the agent and restart it, but when I add an agent on the new AWS AMI amzn-ami-hvm-2017.09.1.20180115-x86_64-gp2, the agent always shows 'Never connected'.