
[ossec-list] Re: feature request: whitelist



Morning, Daniel!

Thanks for the answers. Until yesterday, I was running the official version
(0.8) and upgraded to 0.8.3 after browsing through the mail archive.

I first noticed that ossec.net still has the 0.8 version online. Since
ossec is still beta, shouldn't the latest version be online most of the time?

To the points:
Rule 3013 about multiple 404s hasn't fired since I upgraded, thanks a lot!

About the awstats problem: it seems that awstats writes an entry both to
syslog and to the apache logs:

	[syslog]
Jun 11 09:00:03 (myServer)/USR/SBIN/CRON[17088]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
Jun 11 09:10:03 (myServer)/USR/SBIN/CRON[4704]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
Jun 11 09:20:02 (myServer)/USR/SBIN/CRON[4036]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
	[/syslog]

I just noticed that the /var/log/apache folder does not exist on my
system, since I use apache2 and the default log folder is /var/log/apache2.
I'll see if a symlink helps there. That'll explain why awstats refused to
update properly. ;P

But the main problem is the apache log, from what I see here. In the syslog,
there is no entry triggered by rule 102, which just scans for certain
words like "error", if I'm correct. I believe these lines trigger rule 102:

	[access.log]
84.56.xxx.yyy - (username) [04/Jun/2006:10:22:54 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 12636 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright" "(BrowserInfo)"
84.57.xxx.yyy - (username) [05/Jun/2006:10:35:59 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13046 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
	[/access.log]

Here's one of the mails:

	[OSSEC Hids Notification - Alert level 7]
Received From: /var/log/apache2/access.log
Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
Portion of the log(s):

84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
	[/OSSEC Hids Notification - Alert level 7]

I do not get any complaints about the awstats logs themselves, since they are
stored in another log directory, which is not checked by OSSEC. So it seems the
syslog rules also check the apache logs. The rule also fires with the new
0.8.3 version.

Have a nice weekend,
Lars

On Sunday, 11 June 2006 02:45, you wrote:
> Hi Lars,
>
> I will answer you inline..
>
> On 6/10/06, Lars Scheithauer <larsscheithauer@xxxxxxxxxxxxxx> wrote:
> > Good Evening, Everyone!
> >
> > I've been using ossec for about a week now and have one proposal for a
> > feature. Some rules (like the 102-rule) are very broad and trigger on a
> > lot of occasions. At my boxes, this frequently happens, since
> > errormessages in my programs often contain the word error in the URL,
> > hence the rule 102 fires whenever someone checks some errormessages out.
> > A very common program - awstats - also uses the term error in urls.
>
> This is strange. Your awstats logs should be treated as web logs and would
> not fire the 102 rule. This one is only meant for syslog messages as a
> catch-all (if nothing else matches). Can you provide a few samples of the
> ones that are firing? If you can also show examples of the alert messages
> it would help.
>
> > Is it possible to whitelist some programs or to check some rules only on
> > specific parts of the errorchannel? (since apache is already checked by
> > some rules, I would like to whitelist it at the syslog-module)
>
> What do you mean by that? By default, every event is assigned to one
> specific category (syslog, weblog, squid, ids, firewall or windows). Weblog
> events are not verified against the syslog signatures. This is all done
> in the decoders. If no decoder matches, by default it will be treated
> as syslog. I think your awstats logs are coming in a format that ossec
> does not understand. Can you show some samples to us?

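The thread's diagnosis is that a line only reaches the syslog catch-all (rule 102) when no decoder claims it first. The following added example, which is not from the thread or from OSSEC's own code base, sketches that decoder-gated evaluation: a line that parses as Apache combined format is treated as a web log and never sees the keyword catch-all, while the same request split across two lines (as in the wrapped mail above) falls through to syslog, where "errors404" is enough to trip a keyword match. The keyword list, the 404 check and the regex are simplifications assumed here, not OSSEC's real rules or decoders; the sample lines are constructed from the placeholders the poster used.

```python
import re

# Constructed samples modelled on the thread's logs (placeholders kept).
SYSLOG_LINE = ('Jun 11 09:00:03 myServer /USR/SBIN/CRON[17088]: (www-data) CMD '
               '([ -x /usr/lib/cgi-bin/awstats.pl ] && '
               '/usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)')
HEAD = '84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33'
TAIL = ('+0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 '
        'HTTP/1.1" 200 13352 '
        '"http://myServer/cgi-bin/awstats.pl?framename=mainright&update=1" '
        '"(BrowserInfo)"')
WEBLOG_LINE = HEAD + ' ' + TAIL          # the complete access.log entry
# HEAD and TAIL on their own mimic the entry after a line wrap: neither half
# is a complete web log line, so a format-based decoder cannot claim them.

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')


def decode(line):
    """Assign a line to a category the way a decoder chain would: a line that
    parses as Apache combined format is a web log; anything else falls through
    to syslog, the default the thread describes."""
    m = COMBINED.match(line)
    if m:
        return 'weblog', m.groupdict()
    return 'syslog', {'raw': line}


def catch_all_keywords(line):
    """Assumed stand-in for a syslog catch-all such as rule 102: it flags on a
    keyword alone, so 'errors404' inside a URL is enough to match."""
    return re.search(r'error|fail|critical', line, re.IGNORECASE) is not None


def evaluate(line):
    """Apply the keyword catch-all only to syslog-decoded lines; web log lines
    are judged on their decoded status code instead (here: a plain 404 check)."""
    category, fields = decode(line)
    if category == 'syslog':
        return category, 'catch-all' if catch_all_keywords(line) else None
    return category, 'not-found' if fields['status'] == '404' else None


if __name__ == '__main__':
    for sample in (SYSLOG_LINE, WEBLOG_LINE, HEAD, TAIL):
        print(evaluate(sample), sample[:48])
```

Running it shows the intact access.log entry decoded as a web log with no hit, while only the wrapped tail fragment, decoded as syslog, triggers the catch-all.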



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.