[ossec-list] Re: Active Responses
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Responses
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 16 Oct 2007 23:32:17 -0300
Hi,
The rule fired because it matched the "rm%20" from the URL:
GET /uniform%20price%20list.doc
From the rule:
<url>cat%|exec%|rm%20</url>
You should probably change it for your environment (as a local rule),
since it is clearly a false positive.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/8/07, tswmmeejsdad@xxxxxxxxx <tswmmeejsdad@xxxxxxxxx> wrote:
>
> Hi There,
>
> Just fine tuning OSSEC and need a bit of help understanding why a
> particular rule was fired to trigger Active Response.
>
> Turns out that we like Peter's idea of just firing Active Response
> based on the rules we set.
> At least this way we know which rules are being matched to trigger Active
> Response.
>
> ----------
> Step 1.
> ----------
>
> I have done it like this in the ossec.conf file to match the rules I
> want to enable Active Response on.
>
> <!-- Active Response Config -->
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every matching rule.
> - The IP is going to be blocked for 600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
> <timeout>600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>5551,5706,5712,5720,11210,30107,31103,31104</rules_id>
> <timeout>600</timeout>
> </active-response>
>
> ----------
> Step 2.
> ----------
>
> "tail -f active-responses.log" to make sure it was just matching the
> rules we specified (which it was).
>
> Mon Oct 8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/host-deny.sh add - 58.168.238.226 1191811630.2518074 31104
> Mon Oct 8 12:47:10 EST 2007 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 58.168.238.226 1191811630.2518074 31104
>
> I see IP address 58.168.238.226 has matched one of the rules (31104)
> and is now being blocked.
>
> ----------
> Step 3.
> ----------
>
> I then check alerts.log to see why rule 31104 was triggered and I
> can't work out why ???
> It doesn't seem to match any of the <url> tag and this is where I'm a
> bit lost.
>
> --------------------
> web_rules.xml
> --------------------
>
> <rule id="31104" level="6">
> <if_sid>31100</if_sid>
>
> <!-- Attempt to do directory transversal, simple sql injections,
> - or access to the etc or bin directory (unix). -->
> <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
> <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
> <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
> <url>cat%|exec%|rm%20</url>
> <description>Common web attack.</description>
> <info>http://www.armbrustconsulting.com/LogEntries.html</info>
> <group>attack,</group>
> </rule>
>
> --------------
> alerts.log
> --------------
>
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> ** Alert 1191811530.2512070: - web,accesslog,
> 2007 Oct 08 12:45:30 plesk2->/etc/httpd/logs/access_log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:45:30 +1000] "GET /popblank.js HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/contents.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> ** Alert 1191811630.2518074: mail - web,accesslog,attack,
> 2007 Oct 08 12:47:10 plesk2->/etc/httpd/logs/access_log
> Rule: 31104 (level 6) -> 'Common web attack.'
> Src IP: 58.168.238.226
> User: (none)
> 58.168.238.226 - - [08/Oct/2007:12:47:10 +1000] "GET /uniform%20price%20list.doc HTTP/1.1" 404 970 "http://www.marlboroughps.vic.edu.au/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> --------------------
>
> Can someone please explain to me why rule 31104 was triggered???
>
> --------------------
>
> Thank you in advance.
>
>
>
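Daniel's explanation above, worked through as an added example (not code from the thread or from OSSEC itself): a small Python re-implementation of the `|`-separated substring semantics of an OSSEC `<url>` pattern, run over the two URLs from the poster's alerts.log excerpt to show which alternative of rule 31104 fires. Assumptions: case handling is not modelled, and the empty alternative left by a trailing `|` in the rule file is skipped, which is consistent with /popblank.js not having fired 31104.

```python
# Constructed re-implementation of OSSEC's '|'-separated <url> substring
# patterns (assumption: plain containment with optional ^ / $ anchors; case
# handling is not modelled). Not OSSEC's own matcher.

# The four <url> lines of rule 31104 exactly as quoted in the thread.
RULE_31104_URL_PATTERNS = [
    "%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\\..|echo;|..",
    "cmd.exe|root.exe|_mem_bin|msadc|/winnt/|",
    "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|",
    "cat%|exec%|rm%20",
]


def matching_alternative(pattern, url):
    """Return the first '|'-separated alternative of pattern found in url, else None."""
    for alt in pattern.split("|"):
        # A trailing '|' in the rule file leaves an empty alternative. It is
        # treated as matching nothing: /popblank.js in the thread did not fire
        # 31104, so an empty alternative cannot match every URL (assumption).
        if not alt:
            continue
        needle = alt[1:] if alt.startswith("^") else alt
        needle = needle[:-1] if alt.endswith("$") else needle
        if alt.startswith("^") and alt.endswith("$"):
            hit = url == needle
        elif alt.startswith("^"):
            hit = url.startswith(needle)
        elif alt.endswith("$"):
            hit = url.endswith(needle)
        else:
            hit = needle in url   # unanchored: substring anywhere, e.g. "rm%20" inside "uniform%20"
        if hit:
            return alt
    return None


def explain(url, patterns=RULE_31104_URL_PATTERNS):
    """Return (url_line, alternative) for the first <url> line that fires, else None."""
    for pat in patterns:
        alt = matching_alternative(pat, url)
        if alt is not None:
            return pat, alt
    return None


if __name__ == "__main__":
    # The two URLs from the poster's alerts.log excerpt.
    for u in ("/popblank.js", "/uniform%20price%20list.doc"):
        print(u, "->", explain(u))
    # An anchored pattern, as a local rule override might use, matches only the
    # exact benign path instead of everything containing "rm%20".
    print(matching_alternative("^/uniform%20price%20list.doc$", "/uniform%20price%20list.doc"))
```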
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.