Apache Rules don't Trigger Active Response


Patrick Müller

May 18, 2016, 2:46:24 PM
to ossec...@googlegroups.com

Hi guys.


My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via ports.


I have this custom configuration for an active response which blocks web attacks.


  <active-response>
    <command>ipfw-www</command>
    <location>local</location>
    <timeout>43200</timeout>
    <rules_id>30202,31151</rules_id>
  </active-response>


This is my test with logtest:


**Phase 1: Completed pre-decoding.

       full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUAAAAH"]'

       hostname: 'host'

       program_name: '(null)'

       log: the same of full event


**Phase 2: Completed decoding.

       decoder: 'apache-errorlog'


**Phase 3: Completed filtering (rules).

       Rule id: '30202'

       Level: '10'

       Description: 'Multiple attempts blocked by Mod Security.'

**Alert to be generated.


My problem is not in the file that executes the blocking action, because rule 31151 works.


My alert in active-response: /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip 1463590617.6659091 31151


Debug mode of logtest:


2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0

2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0



If logtest can correctly decode my event log and knows the rule, and the active response works for other rules, where is my error? Why does the rule to block this action not work?


Any idea is welcome. Thanks

dan (ddp)

May 18, 2016, 2:49:12 PM
to ossec...@googlegroups.com
There is no IP address for your script to block (assuming it needs one).

>
> **Phase 3: Completed filtering (rules).
>
> Rule id: '30202'
>
> Level: '10'
>
> Description: 'Multiple attempts blocked by Mod Security.'
>
> **Alert to be generated.
>
>
> My problem is not in the file that executes the blocking action, because
> rule 31151 works.
>
>
> My alert in active-response:
> /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
> 1463590617.6659091 31151
>
>
> Debug mode of logtest:
>
>
> 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
>
> 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
>
>
>
> If logtest can correctly decode my event log and knows the rule, and the
> active response works for other rules, where is my error? Why does the rule
> to block this action not work?
>
>
> Any idea is welcome. Thanks

Patrick

May 19, 2016, 9:25:53 AM
to ossec-list

Thanks so much Dan.


The error was simple, but I couldn't see it. Thanks so much.


I edited the decoder and now the action works.

dan (ddp)

May 19, 2016, 9:39:32 AM
to ossec...@googlegroups.com
On Thu, May 19, 2016 at 9:25 AM, Patrick <patrick...@gmail.com> wrote:
> Thanks so much Dan.
>
>
> The error was simple, but I couldn't see it. Thanks so much.
>
>
> I edited the decoder and now the action works.
>

What changes did you make to the decoder? They might be able to be put
into the tree.

Patrick

May 19, 2016, 12:44:57 PM
to ossec-list
The log of Apache 2.4.20_1 on FreeBSD is much more complex than what the decoder expects; the standard config can't understand it.

I added this expression to the prematch of the apache-errorlog decoder, and now the decoder can understand the log:

^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+]

<prematch>^[warn] |^[notice] |^[error] |^[:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] [client \d+.\d+.\d+.\d+:\d+] </prematch>
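The decoder stage as an added example (my code, not OSSEC's and not from the thread): it translates OS_Regex prematch syntax into Python, runs the stock apache-errorlog prematch and the extended one above against an Apache 2.4 error line, and then pulls out srcip the way a child decoder would, which is the piece Dan's answer turns on: with no srcip, the active-response script has no address to pass to ipfw. The OS_Regex mapping is an approximation from the OSSEC regex docs, and the SRCIP_REGEX child pattern and the 203.0.113.5 sample line are constructed assumptions.

```python
import re
# Approximation of OSSEC's OS_Regex syntax (used in <prematch> and <regex>),
# following the OSSEC regex docs; an assumption, not OSSEC's own engine.
_OSSEC_ESCAPES = {
    "w": "[A-Za-z0-9]", "d": "[0-9]", "s": " ", "t": "\t",   # \w \d \s \t
    "S": "[^ ]", "W": "[^A-Za-z0-9]", "D": "[^0-9]",         # negations
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",                 # \p punctuation
    ".": ".",                                                 # \. = anything
}

def ossec_to_python(pattern: str) -> str:
    r"""Convert an OS_Regex pattern to a Python regex. Bare '.', '[' and ']'
    are literals in OS_Regex (hence \d+.\d+.\d+.\d+ for an IPv4 address in
    the prematch above); only ^ $ | ( ) + * are special."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in "^$|()+*" else re.escape(ch))
            i += 1
    return "".join(out)

# Stock 2.8 apache-errorlog prematch, and the one extended in the thread.
OLD_PREMATCH = "^[warn] |^[notice] |^[error] "
NEW_PREMATCH = (OLD_PREMATCH + "|^[:error] "
                r"|^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [:error] [pid \d+] "
                r"[client \d+.\d+.\d+.\d+:\d+] ")
# Assumed child-decoder regex that would capture srcip (not shown in the thread).
SRCIP_REGEX = r"[client (\d+.\d+.\d+.\d+):\d+]"
# Constructed Apache 2.4 error line in the thread's format (address made up).
SAMPLE = ("[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] "
          "[client 203.0.113.5:54252] ModSecurity: Access denied with code 403")

def decode(log: str, prematch: str):
    """Return (prematch_matched, srcip) as the decoder stage leaves them.

    srcip None is exactly the state in which active response has no address
    to hand to ipfw-www.sh, which is the problem Dan pointed out.
    """
    if not re.search(ossec_to_python(prematch), log):
        return False, None
    m = re.search(ossec_to_python(SRCIP_REGEX), log)
    return True, (m.group(1) if m else None)
```

With the stock prematch the 2.4 line is not decoded at all, and with the extended prematch the decoder still only delivers an address if a regex with `<order>srcip</order>` captures one.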
