Maybe a problem with a squid logs??


carlopmart

Feb 24, 2011, 3:21:31 PM2/24/11
to ossec...@googlegroups.com
Hi all,

I have included a squid proxy server in our monitoring logs via OSSEC. But I have been
receiving a lot of alerts in 30 minutes (75 more or less). All alerts are like this:

OSSEC HIDS Notification.
2011 Feb 24 21:00:45

Received From: (rhelclunode02) 172.25.50.15->/var/log/squid/anon/proxy-anon-access.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

1298577645.051 3 work01.mydomain.com TCP_DENIED/403 4005 GEThttp://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di - NONE/- text/html

I have configured a policy on the squid server to block adservers, certain sites, etc.
This TCP_DENIED is correct, because the .doubleclick.net domain is in the blacklist.
But why is rule 1002 fired?? I see the rule and it contains the BAD_WORDS variable that
includes the word "denied". Is that the problem??

Maybe I have defined my logfiles badly under agent.conf??

<localfile>
<log_format>squid</log_format>
<location>/var/log/squid/anon/*.log</location>
</localfile>

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

dan (ddp)

Feb 24, 2011, 3:41:42 PM2/24/11
to ossec...@googlegroups.com
On Thu, Feb 24, 2011 at 3:21 PM, carlopmart <carlo...@gmail.com> wrote:
> Hi all,
>
>  I have included a squid proxy server in our monitoring logs via OSSEC. But
> I have been receiving a lot of alerts in 30 minutes (75 more or less). All
> alerts are like this:
>
> OSSEC HIDS Notification.
> 2011 Feb 24 21:00:45
>
> Received From: (rhelclunode02)
> 172.25.50.15->/var/log/squid/anon/proxy-anon-access.log
> Rule: 1002 fired (level 2) ->  "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 1298577645.051      3 work01.mydomain.com TCP_DENIED/403 4005
> GEThttp://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di  -
> NONE/- text/html
>

Can you double check the spacing in this message? It seems off. Here's
the decoder:
<decoder name="squid-accesslog">
<type>squid</type>
<prematch>^\d+ \d+.\d+.\d+.\d+ </prematch>
<regex>^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
<order>srcip,action,id,url</order>
</decoder>

According to the decoder the decimal (.) in 1298577645.051 could make
this not match. Having multiple spaces between 1298577645.051 and 3
could also cause this problem. It looks like the 3 may be part of the
initial 1298577645.051, but I can't be sure. Your log also has a
hostname where I'm guessing an IP address would normally be, so that
will have to be accounted for... I think this is all easily fixable.

If the spacing and decimal points above are common in your logs, send
me (obfuscate them, send privately if you want) a few more samples.
I'll fix-up the decoder.
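To show why the line falls through to the generic rule, here is an added example (not OSSEC code and not from either poster) that approximates the quoted decoder in Python's re module, runs it over a constructed copy of the posted log line, and then tries a hypothetical adjusted pattern that tolerates the fractional timestamp and a hostname in the client field. It assumes a space between GET and the URL, which the reply itself says is uncertain, and that OSSEC's own regex dialect maps onto these Python equivalents.

```python
import re

# Constructed copy of the access-log line from the thread, assuming a space
# between "GET" and the URL (the reply notes the spacing looks off).
SAMPLE = ("1298577645.051 3 work01.mydomain.com TCP_DENIED/403 4005 "
          "GET http://feedads.g.doubleclick.net/~a/3tvrTRqbOyfw7K11Fel0SLcLBMM/0/di "
          "- NONE/- text/html")

# Python-re approximations of the decoder quoted above (assumption: OSSEC
# uses its own dialect; '.' matches any char, \w+ word chars, \S+ non-space).
ORIG_PREMATCH = re.compile(r"^\d+ \d+.\d+.\d+.\d+ ")
ORIG_REGEX = re.compile(r"^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) ")

# Hypothetical adjusted patterns (not OSSEC's): fractional timestamp, runs of
# spaces, and a hostname or IP in the client field.
NEW_PREMATCH = re.compile(r"^\d+\.\d+\s+\d+\s+\S+\s+")
NEW_REGEX = re.compile(
    r"^\d+\.\d+\s+\d+\s+(\S+)\s+(\w+)/(\d+)\s+\d+\s+\w+\s+(\S+)\s")

ORDER = ("srcip", "action", "id", "url")   # <order> from the decoder
BAD_WORDS = ("denied",)  # subset of rule 1002's $BAD_WORDS list (assumption)


def decode(line, prematch, regex):
    """Mimic OSSEC: prematch gates the decoder, regex fills the fields."""
    if not prematch.search(line):
        return None
    m = regex.search(line)
    return dict(zip(ORDER, m.groups())) if m else None


def classify(line, prematch, regex):
    """Return the path a line takes: decoded squid fields, or the generic
    bad-words scan that rule 1002 applies to text no decoder claimed."""
    fields = decode(line, prematch, regex)
    if fields is not None:
        return ("squid", fields)
    hits = [w for w in BAD_WORDS if w in line.lower()]
    return ("generic", {"bad_words": hits})


if __name__ == "__main__":
    # Original decoder: prematch fails at the ".051", so "denied" inside
    # TCP_DENIED is all the generic rule sees.
    print(classify(SAMPLE, ORIG_PREMATCH, ORIG_REGEX))
    # Adjusted decoder: action/id/url are extracted as squid fields.
    print(classify(SAMPLE, NEW_PREMATCH, NEW_REGEX))
```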
