On IIS, when someone accesses a site via the IP address, the cs-host field is
populated with the IP address instead of the hostname. So you can look for an
IP instead of a blank cs-host entry.

You don't need to change the decoder for that; just create a rule that looks
for an IP in the cs-host. A simple way to do it is with the following regex
(just create a local rule using that):

<regex>HTTP/1.0 \d+.\d+.\d+.\d+ \S+</regex>

Basically it looks for the HTTP version followed by a cs-host that is composed
of an IP address.

Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 4/19/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
>
> In order to troubleshoot a web app I would like to have an IIS rule to
> alert when someone accesses a web page by IP address rather than
> hostname. I believe this should be possible by having a rule that
> alerts on blank cs-host field. Unfortunately I'm quite new to OSSEC
> and don't know how to accomplish this. I believe modifications need
> to be made to both decoder.xml and a rules file.
>
> First I need to add cs-host to the following decoder, right?
>
> <decoder name="web-accesslog-iis6">
> <parent>windows-date-format</parent>
> <type>web-log</type>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
> <regex offset="after_prematch">^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
> <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
> <order>url, srcip, id</order>
> </decoder>
>
> Then write a rule looking for blank cs-host, right?
>
> Thanks in advance!
>
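As an added example (not code from the original thread and not OSSEC's own), the following Python script puts the regex from the reply into a local rule the way OSSEC's local_rules.xml expects it, then runs that regex and a field-name based check over a constructed IIS W3C log. The rule id 100100, the parent rule id 31100 for grouped web access-log messages, the sample log lines and their #Fields order are all assumptions of this example, as is the generalised pattern that also accepts HTTP/1.1 requests.

```python
import ipaddress
import re

# Constructed sample (not from the original post): an IIS 6 W3C extended log
# with cs-version and cs-host enabled and cs-host placed right after cs-version,
# which is the column layout the list's regex assumes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-19 12:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs-host sc-status sc-substatus sc-win32-status
2007-04-19 12:00:01 W3SVC1 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 HTTP/1.1 www.example.com 200 0 0
2007-04-19 12:00:02 W3SVC1 192.0.2.10 GET /admin/ - 80 - 198.51.100.8 HTTP/1.0 192.0.2.10 403 0 0
2007-04-19 12:00:03 W3SVC1 192.0.2.10 GET /robots.txt - 80 - 198.51.100.9 HTTP/1.1 192.0.2.10 200 0 0
2007-04-19 12:00:04 W3SVC1 192.0.2.10 GET /index.htm - 80 - 198.51.100.10 HTTP/1.1 - 200 0 0
"""

# A local_rules.xml entry built around the regex from the reply. The rule id
# (100100, in the local range) and the parent rule id 31100 are assumptions.
LOCAL_RULE_XML = r"""
<group name="web,accesslog,">
  <rule id="100100" level="5">
    <if_sid>31100</if_sid>
    <regex>HTTP/1.0 \d+.\d+.\d+.\d+ \S+</regex>
    <description>IIS: site accessed by IP address instead of hostname.</description>
  </rule>
</group>
"""

# The regex from the reply, as written. OSSEC's dialect and Python's re agree on
# \d, \S, + and an unescaped "." (any character) for this pattern.
LIST_REGEX = re.compile(r"HTTP/1.0 \d+.\d+.\d+.\d+ \S+")

# Generalisation (an assumption of this example): also accept HTTP/1.1 and
# escape the dots so only a dotted-quad cs-host matches.
GENERAL_REGEX = re.compile(r"HTTP/1\.[01] \d+\.\d+\.\d+\.\d+ \S+")


def matches_list_regex(line, pattern=LIST_REGEX):
    """True if a rule carrying this <regex> would fire on the log line."""
    return pattern.search(line) is not None


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        elif fields:
            values = raw.split()
            if len(values) == len(fields):
                entries.append(dict(zip(fields, values)))
    return entries


def is_ip_literal(value):
    """True for an IPv4 or IPv6 literal; '-' (empty field) and hostnames are False."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def find_ip_host_requests(text):
    """Entries whose cs-host is an IP literal, whatever the column order."""
    return [e for e in parse_w3c(text) if is_ip_literal(e.get("cs-host", "-"))]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        if not line.startswith("#"):
            print(matches_list_regex(line), matches_list_regex(line, GENERAL_REGEX), line)
    for hit in find_ip_host_requests(SAMPLE_LOG):
        print("IP-host request:", hit["c-ip"], hit["cs-uri-stem"], hit["cs-host"])
```

The regex approach fires only when cs-host immediately follows cs-version in the log's #Fields order and, as written, only for HTTP/1.0 requests; the field-name parser above finds the same entries regardless of column order and protocol version, which is what you want if the logging fields on the server change.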