Hi Jesus!
So, sorry! My bad! Like you said, my last example did work - I made a typo
in the string I used to test the rule :(
Thanks for looking into it though and also explaining the group
concatenation!
Best regards,
Fredrik
On Friday, February 19, 2016 at 2:06:51 PM UTC+1, Jesus
Hi Fredrik,
OSSEC concatenates groups using ','. So you need the last ',' in group tag.
Now your rule has the groups: web,accesslog,access_allowed. If you don't use
the last comma you will have: web,accesslogaccess_allowed.
That rule is working for me:
10.10.10.01 example.com -
Hi again :)
Looking at your previous example I put this together while looking in the
book where rule hierarchies are discussed. As an example if I wanted to
make an exception to webrule 31108 and say to ignore 2xx and 3xx code
unless a specific URL is requested (GET). I placed the below in
There are a couple of ways to track connected devices.
It depends on where DHCP lives. If it's on a windows computer, add DHCP
logs to your OSSEC configuration.
<localfile>
  <location>%windir%\sysnative\Dhcp\DhcpSrvLog-%a.log</location>
  <log_format>syslog</log_format>
</localfile>
Then inside your DHCP MMC, right click on the IPV4 scope and go to
Thanks again Jesus! Will try and get my test rule working as per your
instruction. In my case I would need to make an exception to rule 31108
given the current result from ossec_logtest (previous example). I would
like to ignore URLs (simple queries) for the most part, but not for a
specific
Hi Fredrik,
user-created rules are defined in *local_rules.xml* and the range is from
10 to 11. If you want to change the behaviour of a rule you have to
use the option *overwrite*. Using the *overwrite* option instructs the rule
engine to use the local rule definition instead of the one
Good example! Definitely helpful! Thanks!
One thing, I know I read about it somewhere, but how do I group my entries
in the local_rules file to make them fire. Say for example that I would
like to change the behavior of the 31008 rule with an exception? Will go
back through the collection of
Hi Fredrik,
In a decoder you can use *program_name* or *prematch*:
- *program_name*: Executes the decoder if the program_name matches the
"syslog" program name.
- *prematch*: Executes the decoder if prematch matches any portion of
the log field.
Then, you should use *regex*:
eesh... hotkeys got away from me and I posted too fast.
Sure..
You can do some active response stuff on ID 400... That's fun to do!
For me personally, I took a fingerprint of all the web vulnerability
scanners and made it into a CDB list. This was from Nexpose, OpenVAS, and
I pilfered some extras from old logs... put those all in a CDB list and
Hi Brent,
Just mentioned in post to Jesus that I have been (still am) learning as I
go :) Your recommendation to stick with the three fields url, srcip and ID
makes sense in my case as well. I noticed that the logging settings in
IIS 7.5 look somewhat different, but as expected all options
Hi Jesus!
Thanks for the update! Learning as I go here - thanks again for your
efforts!
I have tried your updated example and got the expected result. As Brent
pointed out, I'm probably extracting too many fields for alerts I may come
up with. Anyway, with all your help I should have enough
Fredrik,
The stuff you cooked up has some issues. If you want those fields
extracted and were going to use them for alerts, I'd go with Jesus' 2nd
recommendation. It's a good expansion of the default IIS logging decoders
from the OSSEC git repository.
If you change your logging per the
Hi Fredrik,
You can turn up the logging in IIS as Brent said. Anyway, I think you don't
need to update OSSEC. Just update the decoder. I changed it to extract the
fields you need:
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch>^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
*^(\d+.\d+.\d+.\d+)
Guys! Thanks both for taking the time to respond! So, if I understand this
correctly I could use default IIS logging and go with Jesus' suggestion -
this would require updating the OSSEC binaries though, correct? As you
suggest Brent, having a look at the logging settings in IIS makes sense
You could use the decoder "web-accesslog-iis-default" as base to do your
decoder:
<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch>^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
  <regex>(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
  <order>url,srcip,id</order>
</decoder>
Example:
2016-02-02 08:45:31 10.32.10.14 GET
In order to get OSSEC to work with IIS logs, you have to basically enable
all the Extended logging options... Be sure to check the "use local time
for file naming and rollover" - otherwise your OSSEC will be dark for a few
hours while it catches up with IIS's GMT time.