[ossec-list] Re: OpenWebMail and false alerts?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: OpenWebMail and false alerts?
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 8 Aug 2007 22:29:04 -0300
Hi Albert,
Thanks for the log sample and information. I was reviewing them now and it looks like the problem is not related to OWM, but to the format of your apache access log messages. Because of that, they are being treated as syslog instead of web log...

Your samples start with the hostname followed by ip:

mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] ...

While ossec expects (the ip at the beginning):

204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] ...

Did you change the default apache logging format? If you can put it back to the default one, it should work.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/6/07, Albert Croft <acroft@xxxxxxxxxxxxxxxx> wrote:
> I have a server on which OpenWebMail (OWM) is running to provide webmail
> access, and on which OSSEC is running in local mode. I have noticed a
> number of false positive results that appear to be triggered by the
> syslog "message too long" rule hitting on the access_log entries from
> OWM. ( access_log is located at /var/log/httpd/access_log ). ddcciidd in
> #ossec on freenode suggested I submit example log entries and
> notifications, to help improve the rules. Attached are the notifications
> I have received today, as well as the access_log entries related to OWM
> that I could find (tar-gzipped, separated by v-site).
>
> Please let me know if you need additional information.
>
> -Albert C.
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 12:55:55 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 8
> OSSEC HIDS Notification.
> 2007 Aug 06 12:55:43
>
> Received From: inhouse68->/var/log/maillog
> Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
> Portion of the log(s):
>
> The average number of logs between 12:00 and 13:00 is 12797. We reached 16638.
>
> --END OF NOTIFICATION
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 13:03:20 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 13
> OSSEC HIDS Notification.
> 2007 Aug 06 13:03:07
>
> Received From: inhouse68->/var/log/httpd/access_log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> mail.ethhc.com 65.212.202.130 - - [06/Aug/2007:12:03:06 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=bconner*mail.ethhc.com-session-0.722400802959786&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&action=movemessage&message_ids=%3C200707201727.l6KHRB6a009935%40inhouse68.groupm7.com%3E&message_id=%3CKilauea287283-13995-232626365-1-1001%40flonetwork.com%3E&destination=mail-trash&headers=simple&attmode=simple&messageaftermove=1 HTTP/1.1" 302 - "http://mail.ethhc.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=bconner*mail.ethhc.com-session-0.722400802959786&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C200707201727.l6KHRB6a009935%40inhouse68.groupm7.com%3E&action=readmessage&headers=simple&attmode=simple&db_chkstatus=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
>
> --END OF NOTIFICATION
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 13:18:50 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 13
> OSSEC HIDS Notification.
> 2007 Aug 06 13:18:36
>
> Received From: inhouse68->/var/log/httpd/access_log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:12:18:35 -0500] "GET /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1 HTTP/1.0" 200 21849 "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&action=readmessage&headers=simple&attmode=simple" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> --END OF NOTIFICATION
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 13:19:05 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 13
> OSSEC HIDS Notification.
> 2007 Aug 06 13:18:54
>
> Received From: inhouse68->/var/log/httpd/access_log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:12:18:51 -0500] "POST /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1 HTTP/1.0" 302 - "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-send.pl?sessionid=jonathan*mail.premier-getfit.com-session-0.924653968847455&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C8FC26B11B983D44081DB31C173F544DA34B43B%40postman.iconfitness.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=reply&convfrom=none.iso-8859-1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> --END OF NOTIFICATION
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 14:11:39 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 13
> OSSEC HIDS Notification.
> 2007 Aug 06 14:11:28
>
> Received From: inhouse68->/var/log/httpd/access_log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> mail.ethhc.com 65.212.202.130 - - [06/Aug/2007:13:11:27 -0500] "POST /cgi-bin/openwebmail/openwebmail-send.pl?sessionid=sbest*mail.ethhc.com-session-0.571230619055317&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3Cb0sge8yb2c1byjbfp4p54bxj29149e%40mta306.exprpt.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=forward&convfrom=none.iso-8859-1 HTTP/1.1" 302 - "http://mail.ethhc.com/cgi-bin/openwebmail/openwebmail-send.pl?sessionid=sbest*mail.ethhc.com-session-0.571230619055317&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3Cb0sge8yb2c1byjbfp4p54bxj29149e%40mta306.exprpt.com%3E&showhtmlastext=1&compose_caller=read&action=composemessage&composetype=forward&convfrom=none.iso-8859-1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> --END OF NOTIFICATION
>
> ---------- Forwarded message ----------
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
> To: <ac.ids.not@xxxxxxxxxxxxx>
> Date: Mon, 06 Aug 2007 14:16:39 EDT
> Subject: OSSEC Notification - inhouse68 - Alert level 13
> OSSEC HIDS Notification.
> 2007 Aug 06 14:16:27
>
> Received From: inhouse68->/var/log/httpd/access_log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=kkinard*mail.premier-getfit.com-session-0.510241782832058&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&action=movemessage&message_ids=%3C20070803134214.931016%40rockymountainatv.com%3E&message_id=%3C200708021932.l72JWD38001121%40inhouse68.groupm7.com%3E&destination=mail-trash&headers=simple&attmode=simple&messageaftermove=1 HTTP/1.0" 302 - "http://mail.premier-getfit.com/cgi-bin/openwebmail/openwebmail-read.pl?sessionid=kkinard*mail.premier-getfit.com-session-0.510241782832058&folder=INBOX&page=1&longpage=0&sort=date&keyword=&searchtype=subject&message_id=%3C20070803134214.931016%40rockymountainatv.com%3E&action=readmessage&headers=simple&attmode=simple&db_chkstatus=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> --END OF NOTIFICATION
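The misclassification Daniel describes, as an added example (not code from the thread or from OSSEC itself): a line whose first token is the virtual-host name does not look like an Apache access log entry, falls through to generic syslog handling, and is then long enough to trip a "message too large" rule. The prematch pattern and the 1025-byte threshold are simplifying assumptions standing in for OSSEC's real decoder and rule; the sample lines are constructed after the ones in the thread.

```python
import re

# Constructed sample lines modelled on the thread. The first uses a non-default
# LogFormat with the vhost name in front; the second is Apache's default shape.
LONG_QUERY = '&'.join('p%d=%s' % (i, 'x' * 20) for i in range(50))  # ~1.2 KB
VHOST_LINE = (
    'mail.premier-getfit.com 204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] '
    f'"GET /cgi-bin/openwebmail/openwebmail-main.pl?{LONG_QUERY} HTTP/1.0" '
    '302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
)
DEFAULT_LINE = (
    '204.115.94.51 - - [06/Aug/2007:13:16:25 -0500] '
    '"GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.0" 302 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
)

# Assumed, simplified model of the web-log prematch: the client IP must come
# first, followed by ident, user and the bracketed timestamp.
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
WEBLOG_PREMATCH = re.compile(r'^' + IPV4 + r' \S+ \S+ \[[^\]]+\] ')
# A leading hostname token that is immediately followed by the client IP.
VHOST_PREFIX = re.compile(r'^[A-Za-z0-9.-]+ (?=' + IPV4 + r' )')


def classify(line: str) -> str:
    """'web-log' if the line has the expected access-log shape, else the
    'syslog' fallback the reply describes."""
    return 'web-log' if WEBLOG_PREMATCH.match(line) else 'syslog'


def strip_vhost_prefix(line: str) -> str:
    """Drop a leading vhost token when an IP follows it, yielding the default
    Apache shape. A one-off normaliser for checking; the real fix in the
    thread is restoring the default LogFormat in Apache."""
    return VHOST_PREFIX.sub('', line, count=1)


def would_trigger_size_rule(line: str, max_size: int = 1025) -> bool:
    """True when a line is handled as syslog and exceeds the (assumed)
    size threshold, i.e. the false positive seen in the notifications."""
    return classify(line) == 'syslog' and len(line) > max_size


def audit(lines):
    """Count how many lines would be misclassified and would alert."""
    misclassified = [l for l in lines if classify(l) == 'syslog']
    return {'misclassified': len(misclassified),
            'size_alerts': sum(would_trigger_size_rule(l) for l in misclassified)}
```

Running `audit([VHOST_LINE, DEFAULT_LINE])` reports one misclassified line and one size alert; after `strip_vhost_prefix` both lines classify as web-log and nothing fires.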