[ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread Patrick Müller
Hi guys.

My configuration is FreeBSD-10.2 with ossec-hids-local-2.8.3 installed via
ports.

I have this custom configuration for an active response which blocks web
attacks.

<active-response>
  <command>ipfw-www</command>
  <location>local</location>
  <timeout>43200</timeout>
  <rules_id>30202,31151</rules_id>
</active-response>


This is my test with logtest:


**Phase 1: Completed pre-decoding.
       full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUH"]'
       hostname: 'host'
       program_name: '(null)'
       log: the same as the full event

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'

**Phase 3: Completed filtering (rules).
       Rule id: '30202'
       Level: '10'
       Description: 'Multiple attempts blocked by Mod Security.'

**Alert to be generated.


My problem is not in the file that executes the blocking action, because rule
31151 works.


My alert in active-response:
/usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip 1463590617.6659091 31151


Debug mode of logtest:


2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0



If logtest can decode my event log correctly and knows the rule, and the
active response works for other rules, where is my error? Why doesn't the rule
to block this action work?

Any idea is welcome. Thanks.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread dan (ddp)
On Wed, May 18, 2016 at 2:33 PM, Patrick Müller
 wrote:
> Hi guys.
>
>
> My configuration is FreeBSD-10.2 with ossec-hids-local-2.8.3 installed via
> ports.
>
> I have this custom configuration for an active response which blocks web
> attacks.
>
>
> <active-response>
>   <command>ipfw-www</command>
>   <location>local</location>
>   <timeout>43200</timeout>
>   <rules_id>30202,31151</rules_id>
> </active-response>
>
>
> This is my test with logtest:
>
>
> **Phase 1: Completed pre-decoding.
>
>        full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUH"]'
>        hostname: 'host'
>        program_name: '(null)'
>        log: the same as the full event
>
>
> **Phase 2: Completed decoding.
>
>        decoder: 'apache-errorlog'
>

There is no IP address for your script to block (assuming it needs one).




Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick


Thanks so much, Dan.

The error was simple, but I couldn't see it. Thanks so much.

I edited the decoder and now the action works.

On Wednesday, 18 May 2016 15:49:12 UTC-3, dan (ddpbsd) wrote:
>
> There is no IP address for your script to block (assuming it needs one).



Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread dan (ddp)
On Thu, May 19, 2016 at 9:25 AM, Patrick  wrote:
> Thanks so much, Dan.
>
> The error was simple, but I couldn't see it. Thanks so much.
>
> I edited the decoder and now the action works.
>

What changes did you make to the decoder? They might be able to be put
into the tree.

>
> On Wednesday, 18 May 2016 15:49:12 UTC-3, dan (ddpbsd) wrote:
>>
>> There is no IP address for your script to block (assuming it needs one).



Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-19 Thread Patrick
The log of apache 2.4.20_1 on FreeBSD is much more complex than what the decoder
expects; the standard config can't understand it.

I added this instruction to the prematch of the apache-errorlog decoder, and now
the decoder can understand the log:

^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+]

<prematch>^[warn] |^[notice] |^[error] |^[:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+] </prematch>



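The decoder failure discussed in this thread, worked through as an added example (this is not OSSEC's code and not the poster's decoder). The stock apache-errorlog prematch never fires on the Apache 2.4 error-log prefix, so no child decoder runs, srcip is never set, and the active-response script has nothing to block; the poster's extended prematch makes the decoder fire, and a child decoder anchored after it sees the second, port-less "[client ip]" field. The regexes below are hand translations of the OSSEC prematches into Python's re dialect (OSSEC's own regex engine is not PCRE), the log lines are constructed, with the documentation address 203.0.113.7 in place of the masked IP, and the argv layout follows the active-response invocation quoted in the thread (script add - ip alert-id rule-id). Returning no argv when srcip is missing mirrors analysisd skipping a command declared with <expect>srcip</expect>; that the poster's ipfw-www command is declared that way is an assumption.

```python
"""Emulate the OSSEC apache-errorlog decoder before and after the 2.4 fix.

Added example, not OSSEC's code. Patterns are hand translations of decoder
prematches into Python regexes; sample lines are constructed.
"""
import re
from typing import List, Optional

# Constructed sample: the Apache 2.4 / mod_security line from the thread, with
# 203.0.113.7 substituted for the masked client address and the rule text cut down.
APACHE24_LINE = (
    "[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] "
    "[client 203.0.113.7:54252] [client 203.0.113.7] ModSecurity: Access denied "
    'with code 403 (phase 2). [id "390709"] [msg "Atomicorp.com WAF Rules: '
    'Attempt to access protected file remotely"] [uri "/home/home.php"]'
)

# Constructed sample: an Apache 2.2 style error line as it reaches the decoder,
# i.e. after OSSEC's pre-decoder has stripped the "[Day Mon dd hh:mm:ss yyyy] "
# stamp, which is why the stock prematch can start at "[error] ".
APACHE22_LINE = "[error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico"

# Stock OSSEC 2.8 apache-errorlog prematch, translated to Python.
STOCK_PREMATCH = re.compile(r"^\[(?:warn|notice|error)\] ")

# The alternative the poster appended for the Apache 2.4 prefix
# "[timestamp] [:error] [pid N] [client ip:port]".
APACHE24_PREMATCH = re.compile(
    r"^\[\w+ \w+ \d+ \d+:\d+:\d+\.\d+ \d+\] \[:error\] \[pid \d+\] "
    r"\[client \d+\.\d+\.\d+\.\d+:\d+\]"
)

# Child decoder: take the first "[client ...]" field after the parent's match.
# Searching from the prematch end emulates OSSEC's offset="after_parent"; on the
# 2.4 line that skips the "ip:port" field, so the bare address is captured.
CLIENT_IP = re.compile(r"\[client (\S+)\]")


def extract_srcip(line: str, apache24_aware: bool) -> Optional[str]:
    """Return the srcip the decoder would set, or None if no prematch fires.

    When the prematch does not fire the child decoder never runs, so srcip
    stays unset even though a rule may still match on the raw text.
    """
    m = STOCK_PREMATCH.search(line)
    if m is None and apache24_aware:
        m = APACHE24_PREMATCH.search(line)
    if m is None:
        return None
    ip = CLIENT_IP.search(line, m.end())
    return ip.group(1) if ip else None


def active_response_argv(command: str, srcip: Optional[str],
                         alert_id: str, rule_id: int) -> Optional[List[str]]:
    """Build the argv an active-response script receives: <script> add <user> <ip> <alert-id> <rule-id>.

    User is "-" when unknown, as in the thread. Returns None when srcip is
    missing, mirroring analysisd skipping a command that expects srcip
    (assumption: the command is declared with <expect>srcip</expect>).
    """
    if srcip is None:
        return None
    return [command, "add", "-", srcip, alert_id, str(rule_id)]


if __name__ == "__main__":
    for label, line in (("apache 2.4", APACHE24_LINE), ("apache 2.2", APACHE22_LINE)):
        for aware in (False, True):
            ip = extract_srcip(line, aware)
            argv = active_response_argv("ipfw-www.sh", ip, "1463590617.6659091", 30202)
            print(f"{label}  apache24_aware={aware}  srcip={ip}  argv={argv}")
```

Run as-is, the 2.4 line yields no srcip and no argv under the stock pattern and 203.0.113.7 under the extended one, while the 2.2 line decodes either way. The practical check after editing any decoder is to feed the real line to ossec-logtest and look for srcip in the Phase 2 output: a rule firing in Phase 3, as rule 30202 did above, says nothing about whether the fields the response script needs were actually decoded.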