Hi guys.
My configuration is FreeBSD 10.2 with ossec-hids-local-2.8.3 installed via ports.
I have this custom configuration for an active response which blocks web attacks:
<active-response>
  <command>ipfw-www</command>
  <location>local</location>
  <timeout>43200</timeout>
  <rules_id>30202,31151</rules_id>
</active-response>
This is my test with logtest:
**Phase 1: Completed pre-decoding.
full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client ip:54252] [client ip] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/file\\\\?file=/etc/cccam\\\\.cfg$|event=update_asl_config|^/etc/(?:js/|\\\\?)|^/index\\\\.php\\\\?module=asl&event=|^/etc/img/)" against "REQUEST_URI" required. [file "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"] [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id "VzxzJZKkXAIAAASV6VUAAAAH"]'
hostname: 'host'
program_name: '(null)'
log: the same as full event
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30202'
Level: '10'
Description: 'Multiple attempts blocked by Mod Security.'
**Alert to be generated.
My problem is not in the file that executes the action to block, because rule 31151 works.
My alert in active-response: /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip 1463590617.6659091 31151
Debug mode of logtest:
2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
If logtest can correctly decode my event log and knows the rule, and the active response works for other rules, where is my error? Why doesn't the rule to block this action work?
Any idea is welcome. Thanks
Thanks so much Dan.
The error was simple, but I couldn't see it. Thanks so much.
I edited the decoder and now the action works.
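In the logtest output above, Phase 2 reports only the decoder name and no srcip field, while the active response that did fire (rule 31151) was handed an IP on its command line, and the follow-up says the fix was in the decoder. The Python below is an added example, not the poster's configuration and not the apache-errorlog decoder shipped with OSSEC: it mimics how a prematch plus an anchored regex pulls srcip out of an Apache error-log line, and shows how a pattern written for the Apache 2.2 `[client 1.2.3.4]` layout yields nothing on the Apache 2.4 `[client 1.2.3.4:54252]` layout that appears in the posted event, so no address is available for an IP-blocking action. The two decoder patterns, the sample lines, the 203.0.113.7 address and the build_ar_args helper are all constructed for this example; the helper's argument order mirrors the ipfw-www.sh command line quoted in the post.

```python
import re

# Constructed sample lines for this example (the post redacts the real address
# as "ip"; 203.0.113.7 is a documentation-range address, not from the post).
# Apache 2.4 layout: the client field carries a ":port" suffix, and ModSecurity
# repeats a port-less "[client ...]" after it, exactly as in the posted event.
SAMPLE_APACHE24 = (
    '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] '
    '[client 203.0.113.7:54252] [client 203.0.113.7] ModSecurity: '
    'Access denied with code 403 (phase 2). [id "390709"] [severity "CRITICAL"]'
)
# Apache 2.2 layout: no port after the address.
SAMPLE_APACHE22 = (
    '[Wed May 18 10:50:29 2016] [error] [client 203.0.113.7] ModSecurity: '
    'Access denied with code 403 (phase 2). [id "390709"] [severity "CRITICAL"]'
)

# Hypothetical decoder patterns (not OSSEC's own), applied right after the
# prematch "[client". The first expects "]" immediately after the address
# (2.2 layout only); the second tolerates an optional ":port" (both layouts).
PREMATCH = '[client'
SRCIP_NO_PORT = re.compile(r' (\d+\.\d+\.\d+\.\d+)\]')
SRCIP_OPT_PORT = re.compile(r' (\d+\.\d+\.\d+\.\d+)(?::\d+)?\]')


def decode_srcip(line, prematch=PREMATCH, regex=SRCIP_OPT_PORT):
    """Mimic a decoder with <prematch> and <regex offset="after_prematch">:
    find the first occurrence of the prematch, then match the regex anchored
    at the position right after it. Return srcip, or None if nothing decodes.
    (re.match with a start offset anchors there, so '^' is not needed.)"""
    pos = line.find(prematch)
    if pos < 0:
        return None
    m = regex.match(line, pos + len(prematch))
    return m.group(1) if m else None


def build_ar_args(rule_id, srcip, alert_id):
    """Argument list for an IP-blocking active-response script, in the order of
    the command line quoted in the post: add - <ip> <alert id> <rule id>.
    Without a decoded srcip there is nothing to block, so return None."""
    if srcip is None:
        return None
    return ['add', '-', srcip, alert_id, rule_id]


def decode_report(line):
    """What each pattern yields for one line: pattern name -> srcip or None."""
    return {
        'no_port': decode_srcip(line, regex=SRCIP_NO_PORT),
        'opt_port': decode_srcip(line, regex=SRCIP_OPT_PORT),
    }


if __name__ == '__main__':
    for name, line in (('apache24', SAMPLE_APACHE24), ('apache22', SAMPLE_APACHE22)):
        report = decode_report(line)
        print(name, report)
        for label, ip in report.items():
            print('   ', label, '->', build_ar_args('30202', ip, '1463590617.6659091'))
```

When checking a real deployment, the equivalent test is to feed the event to ossec-logtest and confirm that Phase 2 prints a srcip field before expecting an IP-based active response to run.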