[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: IIS rule to alert on blank cs-host

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: IIS rule to alert on blank cs-host
From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
Date: Fri, 20 Apr 2007 18:26:16 -0300
Content-disposition: inline
Content-transfer-encoding: 7bit
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=duw+IrJjAuIEhSt1D6sCOsiHi2Ph5gYY4iXMO7Y6Pe+4xM5yn+qqDnE4A7cOvKl2rp8zablFgOUbvPnybw/TuwS8fpkuZAuYBxFdvT1UZZuQwofT3dI75EsCdKouk9mrrJE1Q4lHrYx98nL1SH+oZJ4sR+5W9oIvLLhztq5aceY=


On IIS, when someone access a site via the IP address, the cs-host
field is populated
with the ip address instead of the hostname. So you can look for an ip
instead of a
blank cs-host entry.

You don't need to change the decoder for that, but just create a rule
that looks for an
IP in the cs-host. A simple way to do it is with the following regex
(just create a
local rule using that):

<regex>HTTP/1.0 \d+.\d+.\d+.\d+ \S+</regex>

Basically it looks for the http version followed by a cs-host that is
composed of an
IP address.

Hope it helps.

--
Daniel B. Cid
dcid ( at  ) ossec.net


On 4/19/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:


In order to troubleshoot a web app I would like to have an IIS rule to
alert when someone accesses a web page by IP address rather then
hostname.  I believe this should be possible by having a rule that
alerts on blank cs-host field.  Unfortunately I'm quite new to OSSEC
and don't know how to accomplish this.  I believe modifications need
to be made to both decoder.xml and a rules file.

First I need to add cs-host to the following decoder, right?

<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>

Then write a rule looking for blank cs-host, right?

Thanks in advance!

Follow-Ups:
- [ossec-list] Re: IIS rule to alert on blank cs-host
  - From: List Subscriptions

References:
- [ossec-list] IIS rule to alert on blank cs-host
  - From: List Subscriptions

Prev by Date: [ossec-list] Re: another local_rules.xml question
Next by Date: [ossec-list] Ossec Windows Agent and NIC Teaming
Previous by thread: [ossec-list] IIS rule to alert on blank cs-host
Next by thread: [ossec-list] Re: IIS rule to alert on blank cs-host
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.