[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thank you, this is helpful. Now it works with and without GET parameters. 
However, it only works if Apache records a hostname and not just "-" in the 
hostname position. And Apache doesn't always do that (in fact, in our logs, 
it never does it).

On Thursday, February 25, 2016 at 9:42:17 AM UTC-7, Jesus Linares wrote:
>
> Keep in mind that rule 31108 is for http codes 2xx and 3xx. If you want to 
> log that request with 4xx or 5xx codes you should add these rules (31101, 
> 31120...).
>
> It's working, but I'm thinking on a better way to do this.
>
> Regards.
> Jesus Linares.
>
>
> On Thursday, February 25, 2016 at 5:36:34 PM UTC+1, Jesus Linares wrote:
>>
>> That is because with GET parameters is not a simple query (rule 31108):
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] 
>> "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 
>> 200 Text...'
>>hostname: 'LinMV'
>>program_name: '(null)'
>>log: '10.10.10.10 hostname - [25/Feb/2016:10:10:10 -0500] "GET 
>> /icons/whatever/?C=http://5.6.7.8/requeststringtest.php; HTTP/1.1" 200 
>> Text...'
>>
>>
>> **Phase 2: Completed decoding.
>>decoder: 'web-accesslog'
>>srcip: '10.10.10.10'
>>url: '/icons/whatever/?C=http://5.6.7.8/requeststringtest.php;'
>>id: '200'
>>
>>
>> **Rule debugging:
>> Trying rule: 4 - Generic template for all web rules.
>>*Rule 4 matched.
>>*Trying child rules.
>> Trying rule: 31100 - Access log messages grouped.
>>*Rule 31100 matched.
>>*Trying child rules.
>> 
>> Trying rule: 31108 - Ignored URLs (simple queries).
>> Trying rule: 31511 - Blacklisted user agent (wget).
>>
>>
>> This is working:
>>
>>   
>>   
>> *31100,31108*
>> requeststringtest.php
>> request string test 2
>>   
>>
>>
>> Regards.
>> Jesus Linares.
>>
>>
>> On Thursday, February 25, 2016 at 5:11:48 PM UTC+1, James Culver wrote:
>>>
>>> Thanks. I have tested your version of the rule, and it works *so long 
>>> as* there aren't GET parameters in the requested URI.
>>>
>>> For example, the following request triggers an alert:
>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET 
>>> /icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>
>>> However, this request is ignored:
>>> 1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=
>>> http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 blahblahblah
>>>
>>> Any ideas why that is?
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
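To make the rule-tree behaviour discussed in this thread concrete, the following is an added Python sketch (not OSSEC's code and not from the thread) that replays the decoder and a reduced web rule tree over constructed log lines. It assumes a decoder regex transcribed from the stock web-accesslog decoder, an approximation of the is_simple_http_request check behind rule 31108, stock rule 31101 for 4xx codes, and a hypothetical local rule id 100060 at level 6; all levels are assumptions for the demo.

```python
import re
# Decoder regex transcribed from OSSEC's web-accesslog decoder (fields: srcip, url, id).
ACCESSLOG_RE = re.compile(r'^(\S+) \S+ \S+ \[\S+ \S+\] "\w+ (\S+) HTTP\S+" (\d+) ')
# Assumed approximation of the is_simple_http_request check behind rule 31108:
# a "simple query" URL has no query string or other special characters.
SIMPLE_URL_RE = re.compile(r'^[A-Za-z0-9/._-]*$')
# Reduced sketch of the stock web rule tree (if_sid = parents; levels assumed).
STOCK_RULES = [
    {"id": 31100, "if_sid": set(), "level": 0},                    # access log messages grouped
    {"id": 31101, "if_sid": {31100}, "level": 5, "status": "^4"},  # web server 400 error code
    {"id": 31108, "if_sid": {31100}, "level": 0, "status": "^2|^3", "simple": True},
]

def local_rule(parents):
    # Hypothetical id and level; the <url> pattern is the one from the thread.
    return {"id": 100060, "if_sid": set(parents), "level": 6, "url": r"requeststringtest\.php"}

def decode(line):
    # Phase 2: the fields the decoder extracts, or None when the line is not decoded at all.
    m = ACCESSLOG_RE.match(line)
    return {"srcip": m[1], "url": m[2], "id": m[3]} if m else None

def rule_matches(rule, ev):
    if "status" in rule and not re.match(rule["status"], ev["id"]):
        return False
    if rule.get("simple") and not SIMPLE_URL_RE.match(ev["url"]):
        return False
    return "url" not in rule or re.search(rule["url"], ev["url"]) is not None

def evaluate(rules, ev, parent=None):
    # Walk the if_sid tree as OSSEC does: at each level the first matching rule wins and
    # only its own children are tried next, so the deepest match becomes the final rule.
    for rule in rules:
        is_child = (parent is None and not rule["if_sid"]) or parent in rule["if_sid"]
        if is_child and rule_matches(rule, ev):
            deeper = evaluate(rules, ev, parent=rule["id"])
            return deeper if deeper else rule
    return None

def final_rule(line, parents):
    # (rule id, level) that fires for `line` with the local rule chained from `parents`.
    ev = decode(line)
    if ev is None:
        return None  # not a web-log event: no web rule is even tried
    final = evaluate(STOCK_RULES + [local_rule(parents)], ev)
    return final["id"], final["level"]
# Constructed sample lines shaped like the ones pasted in the thread.
SIMPLE = '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/requeststringtest.php HTTP/1.1" 200 68393'
PARAMS = '1.2.3.4 - - [25/Feb/2016:08:43:08 -0700] "GET /icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 200 68393'
NOT_FOUND = SIMPLE.replace('" 200 ', '" 404 ')
```

With the local rule chained only from 31108, `final_rule(PARAMS, [31108])` ends at 31100 (level 0, no alert) because the query string disqualifies the simple-query rule, while chaining from 31100 and 31108 fires the local rule for both lines; a 404 still needs 31101 in if_sid, as Jesus notes.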


[ossec-list] Re: Why don't my rules do anything?

2016-02-25 Thread James Culver
Thanks. I have tested your version of the rule, and it works *so long as* 
there aren't GET parameters in the requested URI.

For example, the following request triggers an alert:
1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET 
/icons/whatever/requeststringtest.php HTTP/1.1" 20068393 blahblahblah

However, this request is ignored:
1.2.3.4 - -[25/Feb/2016:08:43:08 -0700] "GET 
/icons/whatever/?C=http://5.6.7.8/requeststringtest.php HTTP/1.1" 20068393 
blahblahblah

Any ideas why that is?



[ossec-list] Why don't my rules do anything?

2016-02-25 Thread James Culver
I have added the following rules to local_rules.conf:
  
31100
requeststringtest.php
request string test 2
alert_by_email
  

  
100060

request string test 2
alert_by_email
  
but OSSEC doesn't care at all. It counts the rules as being enabled, but no 
matter how many times or how fast I go to http : // 
server.ip/whatever?X=requeststringtest.php (or any URL that includes the 
string), OSSEC completely ignores it. The out of the box rules work fine. 
If I port scan, ssh or HTTP brute-force, or pull too many 400 or 500 
errors, then the appropriate rules fire. But this rule doesn't do anything. 
What am I doing wrong?

OSSEC 2.8.2
CentOS 6
Apache
