
[ossec-list] Re: feature request: whitelist



Hi Lars,

I will answer you inline.

On 6/10/06, Lars Scheithauer <larsscheithauer@xxxxxxxxxxxxxx> wrote:
>
> Good Evening, Everyone!
>
> I've been using ossec for about a week now and have one proposal for a
> feature. Some rules (like the 102-rule) are very broad and trigger on a lot
> of occasions. On my boxes, this frequently happens, since error messages in my
> programs often contain the word error in the URL, hence the rule 102 fires
> whenever someone checks some error messages out. A very common program -
> awstats - also uses the term error in URLs.


This is strange. Your awstats logs should be treated as web logs and would
not fire the 102 rule. This one is only meant for syslog messages as a
catch-all (if nothing else matches). Can you provide a few samples of the ones
that are firing? If you can also show examples of the alert messages it would
help.


> Is it possible to whitelist some programs or to check some rules only on
> specific parts of the errorchannel? (since apache is already checked by some
> rules, I would like to whitelist it at the syslog-module)

What do you mean by that? By default, every event is assigned to one
specific category (syslog, weblog, squid, ids, firewall or windows). Weblog
events are not verified against the syslog signatures. This is all done
in the decoders. If no decoder matches, by default it will be treated
as syslog. I think your awstats logs are coming in a format that ossec
does not understand. Can you show some samples to us?


> Second point is rule 3013, which is fired a lot in high-traffic times with
> missing robots.txt or favicon.ico files. I would also like to have a whitelist
> there, is that already possible?


Yes, it is. If you download the latest version (
http://www.ossec.net/files/ossec-hids-0.8-3.tar.gz ) you will see that
we changed some rule IDs. The 3013 became 3014 and the 3013
is now one to ignore some extensions. By default we ignore favicon.ico
and robots.txt, etc. You can add any others there if you need.

Part of the rules (see /var/ossec/rules/apache_rules.xml):
  <rule id="3013" level="0">
    <if_sid>3012</if_sid>
    <match>.jpg|.gif|favicon.ico|.png|robots.txt|.css</match>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <rule id="3014" level="10" frequency="10" timeframe="120">
    <if_matched_sid>3012</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to access non-existent </description>
    <description>files (web scan) from same source.</description>
  </rule>


> Thanks in advance,
> Lars
>

Hope it helps. Let us know if you need anything else.

--
Daniel B. Cid
dcid @ ( at ) ossec.net
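Added example, not OSSEC's own code and not part of this thread: a small Python model of how rules 3012, 3013 and 3014 above interact over constructed Apache log lines, so you can see what the level-0 ignore list drops and when the frequency/timeframe/same_source_ip correlation fires. Assumptions (also marked in comments): rule 3012 matches any 4xx status, the rule fires on the frequency-th hit, and the per-source window resets after firing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample Apache access-log lines (not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2006:20:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '10.0.0.5 - - [10/Jun/2006:20:01:01 +0000] "GET /robots.txt HTTP/1.1" 404 209',
    '10.0.0.7 - - [10/Jun/2006:20:01:05 +0000] "GET /old.html HTTP/1.1" 404 209',
    '10.0.0.7 - - [10/Jun/2006:20:04:05 +0000] "GET /older.html HTTP/1.1" 404 209',
    '10.0.0.9 - - [10/Jun/2006:20:02:30 +0000] "GET /index.html HTTP/1.1" 200 1043',
] + [  # ten 404s from one source inside a 10-second burst: looks like a web scan
    f'10.0.0.9 - - [10/Jun/2006:20:02:{i:02d} +0000] "GET /p{i}.php HTTP/1.1" 404 209'
    for i in range(10)
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Rule 3013 <match>: OSSEC's <match> is a plain substring OR, not a regex, so "." is literal.
IGNORED = ".jpg|.gif|favicon.ico|.png|robots.txt|.css".split("|")


def evaluate(lines, frequency=10, timeframe=120):
    """Mimic the chain rule 3012 -> 3013 -> 3014 over Apache access-log lines.
    Returns (hits dropped by rule 3013, list of (rule_id, level, ip) alerts)."""
    ignored, alerts = 0, []
    hits = defaultdict(deque)                     # ip -> timestamps of non-ignored 4xx hits
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                                 # undecoded line: would fall back to syslog rules
            continue
        if not m["status"].startswith("4"):       # rule 3012 (assumption: any 4xx status)
            continue
        if any(tok in m["req"] for tok in IGNORED):   # rule 3013, level 0: silently dropped
            ignored += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = hits[m["ip"]]                         # <same_source_ip/>: one window per source
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()                           # forget hits older than <timeframe> seconds
        q.append(ts)
        if len(q) >= frequency:                   # assumption: fires on the frequency-th hit
            alerts.append((3014, 10, m["ip"]))
            q.clear()                             # assumption: fresh window after firing
    return ignored, alerts


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))   # -> (2, [(3014, 10, '10.0.0.9')])
```

The two slow 404s from 10.0.0.7 are three minutes apart, so they never accumulate inside the 120-second window and produce no scan alert.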






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.