Rule: 20152 question as it relates to active response

16 views
Skip to first unread message

Peter M. Abraham

unread,
Dec 14, 2009, 12:08:28 PM12/14/09
to ossec-list
Greetings:

Given the following alert...

Dec 13 23:07:24 web2 suhosin[18198]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value
(attacker '[IP ADDRESS OF ALLEGED ATTACKER]', file '[full path to file
goes here]', line 65)


... if this rule was tied to an active response "as is" would ossec
know to block the [IP ADDRESS OF ALLEGED ATTACKER]?

If not, what modifications would I have to make?

Thank you.

oscar schneider

unread,
Dec 14, 2009, 1:53:05 PM12/14/09
to ossec...@googlegroups.com
1. Check if the alert level is high enough to trigger active response -> check rule alert level and compare /var/ossec/etc/ossec.conf for the minimum alert level to trigger an active response (i think default is level="7" or "6")
If the level of the rule is too low, you have 3 options.
a) make a trigger for an AR for the specific rule in your ossec.conf:
  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>{Rule id without quotation marks}</rules_id>
    <timeout>600</timeout>   
  </active-response>
b) set the alert level of the rule higher (not recommended) to fit the minimum alert level for AR, e.g. level="9"
c) copy the rule from the default rule file in /var/ossec/rules/  to your /var/ossec/rules/local_rules.xml, add an overwrite="yes" and increase the alert level there (e.g. level="9") in the <rule.. > section:
<rule id={the rule id WITH quotes} level="9" overwrite="yes"> as first line of your rule definition

Then restart ossec.

2. Run the part of the logfile through /var/ossec/bin/ossec-logtest, check if there is a srcip decoded. If there isn't you need to write a decoder, i.e. adding a section in /var/ossec/etc/decoders.xml that matches your log format, see http://www.madirish.net/?article=434 and have a look at http://www.ossec.net/wiki/Know_How:Regex_Readme as well as http://www.ossec.net/wiki/Decoder_rules_relation

Test the decoder by running your logs through ossec-logtest.
As soon as you got your decoder decoding the srcip right: Restart ossec.

Of course active response has to be enabled on your install.

Kind regards,

oscar

Daniel Cid

unread,
Dec 16, 2009, 1:58:20 PM12/16/09
to ossec...@googlegroups.com
Hi,

This log is already supported by default on OSSEC. Plus, if you
enabled active response the attacker
IP would be blocked by default too (since this alert is treated as an
IDS event).

This is the output of log-test:

# /var/ossec/bin/ossec-logtest
Dec 13 23:07:24 web2 suhosin[18198]: ALERT - script tried to increase
memory_limit to 134217728 bytes which is above the allowed value
(attacker '1.2.3.4', file '/lala', line 65)


**Phase 1: Completed pre-decoding.
full event: 'Dec 13 23:07:24 web2 suhosin[18198]: ALERT -
script tried to increase memory_limit to 134217728 bytes which is
above the allowed value (attacker '1.2.3.4', file '/lala', line 65)'
hostname: 'web2'
program_name: 'suhosin'
log: 'ALERT - script tried to increase memory_limit to
134217728 bytes which is above the allowed value (attacker '1.2.3.4',
file '/lala', line 65)'

**Phase 2: Completed decoding.
decoder: 'suhosin'
id: 'script tried to increase memory_limit to 134217728 bytes
which is above the allowed value'
srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
Rule id: '20100'
Level: '8'
Description: 'First time this IDS alert is generated.'
**Alert to be generated.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Peter M. Abraham

unread,
Dec 16, 2009, 2:56:37 PM12/16/09
to ossec-list
Greetings Daniel:

Thank you.

Peter M. Abraham

unread,
Dec 19, 2009, 2:51:41 PM12/19/09
to ossec-list
Greetings:

Given

OSSEC HIDS Notification.
2009 Dec 18 12:15:06

Received From: (web2.dynamicnet.net) abc.def.ghi.jkl->/var/log/
messages
Rule: 20152 fired (level 10) -> "Multiple IDS alerts for same id."
Portion of the log(s):

Dec 18 12:15:05 web2 suhosin[18068]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:15:03 web2 suhosin[19599]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:15:01 web2 suhosin[19599]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:15:01 web2 suhosin[19599]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:59 web2 suhosin[7803]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:59 web2 suhosin[7803]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:57 web2 suhosin[8417]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:57 web2 suhosin[8417]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:54 web2 suhosin[17942]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)
Dec 18 12:14:54 web2 suhosin[17942]: ALERT - script tried to increase


memory_limit to 134217728 bytes which is above the allowed value

(attacker '94.142.130.11', file '[FULL PATH TO PHP APPLICATION]', line
65)

--END OF NOTIFICATION


Is there a reason why

<group name="ids,suhosin,">
<rule id="990003" level="13">
<if_sid>20152</if_sid>
<match>suhosin</match>
<description>Multiple Suhosin IDS events from same source ip.</
description>
</rule>
</group>

would not kick off?

Thank you.

Reply all
Reply to author
Forward
0 new messages