Will app get blocked on heavy mysql queries?


frwa onto

Nov 9, 2015, 11:30:07 AM
to ossec...@googlegroups.com
Hi,
I have a CentOS server. I have managed to install OSSEC 2.8.1. It mainly runs a socket programming app. For every instance of a connection it will receive data and insert it into a MySQL DB. What I am worried about is in what scenario it will block access to this local MySQL DB, as I can see there are some rules for MySQL? Sorry, very new to these.

Santiago Bassett

Nov 9, 2015, 8:18:45 PM
to ossec...@googlegroups.com
Are you running an agent or the manager? I don't think OSSEC would block access to your mysql db.

On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <frwa...@gmail.com> wrote:
Hi,
I have a CentOS server. I have managed to install OSSEC 2.8.1. It mainly runs a socket programming app. For every instance of a connection it will receive data and insert it into a MySQL DB. What I am worried about is in what scenario it will block access to this local MySQL DB, as I can see there are some rules for MySQL? Sorry, very new to these.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

frwa onto

Nov 9, 2015, 11:11:08 PM
to ossec-list
Hi Santiago,
I am just running it as standalone, so it's not a manager or agent. I have another machine, for instance, where I am using the older OSSEC 2.7.1. On that one I have tried, say, my phpMyAdmin, and when I start browsing huge data OSSEC will block me, and only after some time can I log in. Here is the active response log below.

Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447127292.12356 31106
Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1447127292.12356 31106

I don't know what the trigger is exactly, but I know it is due to my browsing of huge data. Also, how to overcome this issue? In my older version I saw this error too:
ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.

This is my worry: on the new machine using 2.8.1 the app might get blocked from accessing the data.

Ryan Schulze

Nov 10, 2015, 12:16:58 AM
to ossec...@googlegroups.com
Sounds like you may want to look into fine tuning your active response and/or rules.

frwa onto

Nov 10, 2015, 4:22:56 AM
to ossec...@googlegroups.com
Hi Ryan,
I am not too good at tuning my active response or rules. Any tips on how to go about it?



Santiago Bassett

Nov 10, 2015, 1:04:44 PM
to ossec...@googlegroups.com
You can find info here:



If unsure, I suggest disabling it in /var/ossec/etc/ossec.conf:

  <active-response>
    <disabled>yes</disabled>
  </active-response>

frwa onto

Nov 10, 2015, 8:31:43 PM
to ossec...@googlegroups.com
Hi Santiago,
This will just block the active response, right? But in my case, why is it that when I try to get huge data the active response comes into effect? I can't see which rule is fired to activate the active response. Is there any workaround with the active response still being active?

frwa onto

Nov 12, 2015, 11:46:54 AM
to ossec...@googlegroups.com
Hi All,
Any solution to my issue with regard to MySQL? I can't see which rule is triggered to generate the active response. Or is it that active response can't work in my scenario?

dan (ddp)

Nov 12, 2015, 12:07:20 PM
to ossec...@googlegroups.com
On Mon, Nov 9, 2015 at 11:11 PM, frwa onto <frwa...@gmail.com> wrote:
> Hi Santiago,
> I am just running as standalone so its not a manager or
> agent. I have another machine for instance I am using the older ossec 2.7.1


2.7.1 is way too old to provide much support for.

> in that one I have tried say I got my phpymadmin and when I start browsing
> huge data ossec will block me an only after some time I can login here is
> the active response log as below.
>
> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.212.134.200 1447127292.12356 31106

So rule 31106 is triggering the AR.
<rule id="31106" level="6">
  <if_sid>31103, 31104, 31105</if_sid>
  <id>^200</id>
  <description>A web attack returned code 200 (success).</description>
  <group>attack,</group>
</rule>

You'll have to go through 31103-31105 to try and get a more specific
understanding of what is triggering the alert.
(All of this is taken from a 2.8.3+ system, so details may be
different from 2.7.1)
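As an added example (not code from the thread or from OSSEC), this Python script ties each active-responses.log line back to the alert that produced it. The AR lines above already carry the alert id (the `1447127292.12356` field) and the rule id, so the alert id is used as the exact join key, with a match on rule id, source IP and a timestamp a few seconds apart as the fallback. The log samples are constructed (host, IPs and paths invented) in the alerts.log and active-responses.log formats shown in this thread.

```python
import re
from datetime import datetime

# Constructed samples (host, IPs, paths invented) in the formats seen in this thread.
ALERTS_LOG = """\
** Alert 1447389519.1118: mail  - web,accesslog,attack,
2015 Nov 13 12:38:39 webhost->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.134.200
10.212.134.200 - - [13/Nov/2015:12:37:49 +0800] "POST /pma/sql.php?sql_query=select%20x HTTP/1.1" 200 512

** Alert 1447389700.1140: mail  - web,accesslog,attack,
2015 Nov 13 12:41:40 webhost->/var/log/httpd/access_log
Rule: 31104 (level 6) -> 'Common web attack.'
Src IP: 192.0.2.9
192.0.2.9 - - [13/Nov/2015:12:41:39 +0800] "GET /docs/../../boot.ini HTTP/1.1" 404 209
"""
AR_LOG = """\
Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200 1447389519.1118 31106
Fri Nov 13 12:49:10 MYT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1447389519.1118 31106
"""
TS_FMT = "%Y %b %d %H:%M:%S"
ALERT_RE = re.compile(                       # first four lines of an alerts.log entry
    r"\*\* Alert (?P<aid>\S+): [^\n]*\n"
    r"(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) [^\n]*\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'\n"
    r"Src IP: (?P<ip>\S+)")
AR_RE = re.compile(                          # one active-responses.log line
    r"^\w{3} (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) - (?P<ip>\S+) (?P<aid>\S+) (?P<rule>\d+)$",
    re.M)

def correlate(alerts_text, ar_text, window=10):
    """One dict per AR line, carrying the matched alert's description (or None)."""
    alerts = {m["aid"]: m.groupdict() for m in ALERT_RE.finditer(alerts_text)}
    results = []
    for m in AR_RE.finditer(ar_text):
        ar = m.groupdict()
        hit = alerts.get(ar["aid"])  # exact join on the alert id the AR line carries
        if hit is None:              # fallback: same rule id and src IP, <= window seconds apart
            ar_t = datetime.strptime(f"{ar['year']} {ar['ts']}", TS_FMT)
            for a in alerts.values():
                gap = abs((datetime.strptime(a["ts"], TS_FMT) - ar_t).total_seconds())
                if a["rule"] == ar["rule"] and a["ip"] == ar["ip"] and gap <= window:
                    hit = a
                    break
        results.append({"action": ar["action"], "script": ar["script"].rsplit("/", 1)[-1],
                        "ip": ar["ip"], "rule": int(ar["rule"]), "alert": hit and hit["desc"]})
    return results
```

Running `correlate(ALERTS_LOG, AR_LOG)` shows the two `add` lines and the later `delete` all resolving to the 31106 alert; an AR line whose alert-id field is unusable (as in the masked log posted later in this thread) falls through to the rule/IP/time match.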

Ryan Schulze

Nov 12, 2015, 12:09:32 PM
to ossec...@googlegroups.com
That depends on how you set up your active response. IIRC the default is to trigger for any rule of level 7 or higher. So just check which rules of level 7 or higher were triggered by you (e.g. by checking the alert logs or your emails).

Since you mentioned phpmyadmin I'd guess maybe one of the SQL injection rules if phpmyadmin transfers certain requests as a GET (making it show up in the webserver logs).

frwa onto

Nov 12, 2015, 11:20:20 PM
to ossec...@googlegroups.com
Hi Dan,
Yes, you are right: the 31106 rule does not exist even in my current 2.8.1. In my 2.8.1 I see the rules are starting with 50100; is there any specific reason why the older rules have been removed? I guess that I should upgrade the older machine to the new 2.8.1? Just for knowledge's sake, must I always uninstall and install a new version of OSSEC, or just replace the rules XML file? Also, why in 2.7.1, when the AR is activated, don't I see which rule is triggered in the ossec log file itself?


frwa onto

Nov 13, 2015, 12:00:35 AM
to ossec...@googlegroups.com
Hi Ryan,
I can see something like this in my OSSEC /var/ossec/logs/alerts/alerts.log.

** Alert 1447389519.1118: mail  - web,accesslog,attack,
2015 Nov 13 12:38:39 ********->/var/log/httpd/access_log
Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
Src IP: 10.212.*****
10.212.******* - - [13/Nov/2015:12:37:49 +0800] "POST /*********/****.php?..."


In my active-responses.log I can see this.

Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add - 10.212.*****1447389519.1118 31106
Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.****** 1447389519.1118 31106


So the only way to relate both logs is via the rule number 31106? So does this rule also relate to POST activity?


dan (ddp)

Nov 13, 2015, 8:49:35 AM
to ossec...@googlegroups.com
On Fri, Nov 13, 2015 at 12:00 AM, frwa onto <frwa...@gmail.com> wrote:
> Hi Ryan,
> I can see something like this in my ossec /var/ossec/logs/alerts
> alerts.log .
>
> ** Alert 1447389519.1118: mail - web,accesslog,attack,
> 2015 Nov 13 12:38:39 ********->/var/log/httpd/access_log
> Rule: 31106 (level 6) -> 'A web attack returned code 200 (success).'
> Src IP: 10.212.*****
> 10.212.******* - - [13/Nov/2015:12:37:49 +0800] "POST
> /*********/****.php?..."
>
>
> In my active-responses.log I can see this.
>
> Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/host-deny.sh add
> - 10.212.*****1447389519.1118 31106
> Fri Nov 13 12:38:40 MYT 2015 /var/ossec/active-response/bin/firewall-drop.sh
> add - 10.212.****** 1447389519.1118 31106
>
>
> So the only way to relate both the logs is it via the rule number 31106? So

Yes, you should match up the rule id, the source ip, and the
timestamps (there will probably be a few seconds difference in the
TS).

> this rule also relate to post activity ?
>

No clue. Let's look:
<rule id="31106" level="6">
  <if_sid>31103, 31104, 31105</if_sid>
  <id>^200</id>
  <description>A web attack returned code 200 (success).</description>
  <group>attack,</group>
</rule>

So this rule requires a 200 response from the webserver, and traffic
that triggers 31103, 31104, or 31105. What do those rules look for?
Let's find out:
<rule id="31103" level="6">
  <if_sid>31100,31108</if_sid>
  <url>=select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
  <url>union+|where+|null,null|xp_cmdshell</url>
  <description>SQL injection attempt.</description>
  <group>attack,sql_injection,</group>
</rule>
So this rule is looking for something sql related, hoping to catch
sqli. Does that apply to the POST you see (it's obfuscated beyond my
ability to decode)?

If not, let's try 31104:
<rule id="31104" level="6">
  <if_sid>31100</if_sid>

  <!-- Attempt to do directory transversal, simple sql injections,
  - or access to the etc or bin directory (unix). -->
  <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|</url>
  <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|</url>
  <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url>
  <url>exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C</url>
  <description>Common web attack.</description>
  <group>attack,</group>
</rule>

Ok, so directory traversal. It's an oldie, but a goodie. Again, the
log sample you posted is too obfuscated for me to be able to tell if
this applies. But you should be able to see if those patterns in the
<url> options are in the POST.

Since it's still not clear, we'll peek at 31105:
<rule id="31105" level="6">
  <if_sid>31100</if_sid>
  <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
  <url>%20ONLOAD=|INPUT%20|iframe%20</url>
  <description>XSS (Cross Site Scripting) attempt.</description>
  <group>attack,</group>
</rule>

Ooooh, XSS. Fun stuff. You can look at the <url> options to see if
those apply to your POST.

If none of these apply, we'll need to see the actual log message to
determine what's going on (you can even send it off list to me, but
make sure you tell me that's what you're doing at the beginning of the
email so I don't get too confused.).

Once you've determined why these rules are firing, you can start to
tune your rules to allow this behavior (if it's not malicious).
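As an added example (not Dan's code or OSSEC's), the Python check below runs an access-log line through the `<url>` alternatives of rules 31103, 31104 and 31105 as quoted above, then applies 31106's `<id>^200</id>` condition, so you can see which part of the chain a given request would trip. The log lines are constructed, and each alternative is treated as a case-insensitive substring, which is an assumed simplification of OSSEC's own matcher.

```python
import re

# <url> alternatives copied from the rules quoted above; OSSEC separates
# alternatives with "|". Each is checked here as a case-insensitive substring,
# a simplification (assumption) of OSSEC's own pattern matcher.
URL_PATTERNS = {
    31103: "=select%20|select+|insert%20|%20from%20|%20where%20|union%20|"
           "union+|where+|null,null|xp_cmdshell",
    31104: r"%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|"
           r"cmd.exe|root.exe|_mem_bin|msadc|/winnt/|/boot.ini|"
           r"/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|"
           r"exec%20|../..//|%5C../%5C|././././|2e%2e%5c%2e|\x5C\x5C",
    31105: "%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|"
           "%20ONLOAD=|INPUT%20|iframe%20",
}
DESCRIPTIONS = {31103: "SQL injection attempt.", 31104: "Common web attack.",
                31105: "XSS (Cross Site Scripting) attempt.",
                31106: "A web attack returned code 200 (success)."}

# Apache common/combined log: client, [timestamp], "METHOD target PROTO", status
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def web_attack_rules(line):
    """Rule ids (31103-31106) that the access-log line would trip, in order."""
    m = ACCESS_RE.match(line)
    if not m:
        return []  # not a web access-log line, so the 31100 parent never matches
    url = m["url"].lower()
    fired = [rid for rid, pats in URL_PATTERNS.items()
             if any(alt.lower() in url for alt in pats.split("|"))]
    # 31106 chains on 31103/31104/31105 via <if_sid> and needs <id>^200 (status 200)
    if fired and m["status"] == "200":
        fired.append(31106)
    return fired

# Constructed sample lines (IPs and paths invented, not from the thread)
SAMPLES = [
    '10.212.134.200 - - [13/Nov/2015:12:37:49 +0800] "GET /pma/sql.php?sql_query=select%20*%20from%20users HTTP/1.1" 200 5120',
    '10.212.134.200 - - [13/Nov/2015:12:40:02 +0800] "POST /pma/index.php?db=shop&token=abc123 HTTP/1.1" 200 8800',
    '192.0.2.7 - - [13/Nov/2015:12:41:10 +0800] "GET /docs/../../boot.ini HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for line in SAMPLES:
        ids = web_attack_rules(line)
        print(ids, [DESCRIPTIONS[i] for i in ids])
```

Note that only a request that both matches one of the three `<url>` rules and gets a 200 reaches 31106, which is why a phpMyAdmin query string containing SQL keywords can trip the active response while a plain browse of the same page does not.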

dan (ddp)

Nov 13, 2015, 8:49:38 AM
to ossec...@googlegroups.com
On Thu, Nov 12, 2015 at 11:20 PM, frwa onto <frwa...@gmail.com> wrote:
> Hi Dan,
> Yes you are right the 31106 rule doesnt not exist even in my
> current 2.8.1. In my 2.8.1 I see the rules are starting with 50100 and is
> there any specific reason why the older rules have been removed. I guess

Unless you removed the files in /var/ossec/rules, that rule should be
there. It should be in the web_rules.xml file.

> that I should upgrade the older machine with the new 2.8.1 ? Just for
> knowledge sake must I always uninstall and install a new version of Ossec or

You should download the source (if you installed via source) and run
the install.sh script. It should detect your current installation and
offer to upgrade. NOTE: It will overwrite the rules files (except
local_rules.xml or any you've added), as well as decoder.xml (but not
local_decoder.xml).

> just replace the rules xml file? Also why in the 2.7.1. when the AR is
> activated I dont see which rules is trigger in ossec log file itself?
>

The ossec.log does not log this information.

frwa onto

Nov 14, 2015, 12:16:03 AM
to ossec...@googlegroups.com
Hi Dan,
           Regarding this.

"Unless you removed the files in /var/ossec/rules, that rule should be
there. It should be in the web_rules.xml file."

No, I did not remove anything. The 2.8.1 is installed on a new machine, in fact.


"You should download the source (if you installed via source) and run
the install.sh script. It should detect your current installation and
offer to upgrade. NOTE: It will overwrite the rules files (except
local_rules.xml or any you've added), as well as decoder.xml (but not
local_decoder.xml)."


In my case I just downloaded these two files, ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm and ossec-hids-2.8.1-48.el6.art.x86_64.rpm, from the Atomicorp site and just ran the yum command on them, and it installed OSSEC. So now on my old machine, what is the correct method to replace the older 2.7.1 with 2.8.1? Should I keep it and just copy the rules folder from 2.8.1 into 2.7.1? Please advise; I might be doing it wrong.

dan (ddp)

Nov 17, 2015, 8:55:07 AM
to ossec...@googlegroups.com
On Sat, Nov 14, 2015 at 12:15 AM, frwa onto <frwa...@gmail.com> wrote:
> Hi Dan,
> Regarding this.
>
> "Unless you removed the files in /var/ossec/rules, that rule should be
> there. It should be in the web_rules.xml file.'
>
> No I did not remove anything. The 2.8.1 is install in a new machine infact.
>
>
> "You should download the source (if you installed via source) and run
> the install.sh script. It should detect your current installation and
> offer to upgrade. NOTE: It will overwrite the rules files (except
> local_rules.xml or any you've added), as well as decoder.xml (but not
> local_decoder.xml)."
>
> In my case I just download this two files
> ossec-hids-server-2.8.1-48.el6.art.x86_64.rpm and
> ossec-hids-2.8.1-48.el6.art.x86_64.rpm from atomicorp site and just run yum
> command on them and it installed ossec. So now in my old machine what is the
> correct method to replace the older 2.7.1 to 2.8.1 ? Should I remain it and
> just copy the rules folder from 2.8.1 into 2.7.1 ? Please advice I might be
> doing it wrong?
>

I don't know much about the RPMs, but I do know that just copying the
rules from 2.8.1 to a 2.7.1 machine is the wrong way to upgrade. You
should upgrade OSSEC, not just the rules. I am guessing your package
manager should be able to help you with that.

frwa onto

Nov 19, 2015, 9:27:43 PM
to ossec...@googlegroups.com
Hi Dan,
OK, thank you for the confirmation. I think I will yum uninstall the older one and replace it with the new RPM.