Modsecurity


lmfigue...@gmail.com

Aug 21, 2017, 5:18:08 AM
to Wazuh mailing list
Hi everyone,

I am trying to add modsec_audit to Wazuh, but I don't know what is wrong or whether I have to do something more to see the logs in Kibana.

I added the following in ossec.conf:

<localfile>
  <log_format>apache</log_format>
  <location>/logs/httpd/modsec_audit.log</location>
</localfile>

Can anyone help me?

Thanks in advance.

lmfigue...@gmail.com

Aug 21, 2017, 6:30:16 AM
to Wazuh mailing list

Hi again,

Now I see information in Kibana, but my question is whether it is possible to see more granular info, or if it is not possible.

Thanks!

lmfigue...@gmail.com

Aug 21, 2017, 6:50:51 AM
to Wazuh mailing list
I see this:

  <!-- Mod security rules by <ossec ( at ) sioban.net -->
  <rule id="30118" level="6">
    <if_sid>30101</if_sid>
    <match>mod_security: Access denied|ModSecurity: Access denied</match>
    <description>ModSecurity: Access attempt blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30119" level="12" frequency="6" timeframe="120">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>ModSecurity: Multiple attempts blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <rule id="30120" level="12">
    <if_sid>30101</if_sid>
    <match>Resource temporarily unavailable:</match>
    <description>Apache: without resources to run.</description>
    <group>service_availability,pci_dss_10.6.1,</group>
  </rule>

  <rule id="30200" level="6" noalert="1">
    <match>^mod_security-message: </match>
    <description>Modsecurity alert.</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30201" level="6">
    <if_sid>30200</if_sid>
    <match>^mod_security-message: Access denied </match>
    <description>ModSecurity: access denied.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30202" level="10" frequency="8" timeframe="120">
    <if_matched_sid>30201</if_matched_sid>
    <description>ModSecurity: Multiple attempts blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>



and this:

  <!-- Apache 2.4 ModSecurity Rules -->
  <rule id="30401" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Warning</match>
    <description>ModSecurity Warning messages grouped</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30402" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Access denied</match>
    <description>ModSecurity Access denied messages grouped</description>
    <group>modsecurity,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30403" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Audit log:</match>
    <description>ModSecurity Audit log messages grouped</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30411" level="7">
    <if_sid>30402</if_sid>
    <match>with code 403</match>
    <description>ModSecurity rejected a query</description>
    <group>modsecurity,</group>
  </rule>


Is this all there is, or is it possible to see (if necessary) more information about it?

ern...@wazuh.com

Aug 21, 2017, 11:40:29 AM
to Wazuh mailing list
Hello,

Actually, there is no decoder for the modsec_audit.log log file, although you can extract the info from the standard Apache error_log because there are bundled decoders for that. Please edit your ossec.conf and set the localfile to your error_log file.

sample:
--------
<localfile>
  <log_format>apache</log_format>
  <location>/logs/httpd/error_log</location>
</localfile>

You can also modify the Apache decoder (file 0025-apache_decoders.xml) to extract more accurate information from the alert.

Please send us a sample of your error_log with the info that you want to extract, and we can help you modify the Apache decoder to get the information that you need. You can also read more about custom decoders and rules in the Wazuh documentation: https://documentation.wazuh.com/2.0/user-manual/ruleset/custom.html

Best regards!
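The reply above says there is no Wazuh decoder for modsec_audit.log. For readers who want to see what that file actually carries before deciding whether to parse it themselves, here is an added example (my code, not Wazuh's and not from anyone in this thread) that splits the ModSecurity 2.x multi-part audit format into transactions and pulls out the fields a rule would key on: client address, request line and Host header, response status, and the per-rule `Message:` lines of the H trailer. The sample entry is constructed (RFC 5737 addresses, an example.com host, a made-up unique_id and constructed H-section messages); only the request line is borrowed from the audit entry posted later in the thread.

```python
"""Parser for the multi-part ModSecurity 2.x audit log (modsec_audit.log) layout.
Added example; not a Wazuh decoder and not code from this thread."""
import re

# Constructed transaction (not the one posted in the thread): RFC 5737 addresses,
# example.com host, made-up unique_id. Only the request line is taken from the thread.
SAMPLE_AUDIT = """--6c5d9022-A--
[22/Aug/2017:09:31:18 +0200] CONSTRUCTEDUNIQUEID01 192.0.2.10 49376 198.51.100.20 80
--6c5d9022-B--
DELETE /difj HTTP/1.1
Host: www.example.com
User-Agent: constructed-agent/1.0
Connection: keep-alive

--6c5d9022-F--
HTTP/1.1 403 Forbidden
Content-Length: 206
Content-Type: text/html; charset=iso-8859-1

--6c5d9022-E--

--6c5d9022-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Stopwatch: 1503387078937288 2196 (- - -)
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Engine-Mode: "ENABLED"

--6c5d9022-Z--
"""

# Part boundary: "--<transaction id>-<part letter>--" on a line of its own.
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.MULTILINE)
# Part A: "[timestamp] unique_id client_ip client_port server_ip server_port"
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)"
)
# Bracketed key/value attributes that ModSecurity appends to each Message line.
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def split_parts(text):
    """Group the parts of each transaction: [(transaction id, {letter: body}), ...]."""
    marks = list(BOUNDARY_RE.finditer(text))
    entries, current = [], None
    for i, m in enumerate(marks):
        tid, letter = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end].strip("\n")
        if current is None or current[0] != tid:
            current = (tid, {})
            entries.append(current)
        current[1][letter] = body
        if letter == "Z":  # Z closes the transaction
            current = None
    return entries


def summarize(tid, parts):
    """Reduce one transaction to the fields a SIEM rule would key on."""
    s = {"transaction": tid, "unique_id": None, "client_ip": None, "client_port": None,
         "request_line": None, "host": None, "status": None, "messages": [], "blocked": False}
    a = PART_A_RE.match(parts.get("A", ""))
    if a:  # a redacted or hand-edited A line simply leaves these fields at None
        s.update(unique_id=a.group("uid"), client_ip=a.group("cip"), client_port=int(a.group("cport")))
    req = parts.get("B", "").split("\n")
    if req and req[0]:
        s["request_line"] = req[0]
        for h in req[1:]:
            name, _, value = h.partition(": ")
            if name.lower() == "host":
                s["host"] = value
    resp = parts.get("F", "").split("\n")
    if resp and resp[0].startswith("HTTP/"):
        s["status"] = int(resp[0].split()[1])
    for line in parts.get("H", "").split("\n"):
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        msg = {k.group("key"): k.group("val") for k in KV_RE.finditer(body)}
        msg["action"] = body.split(" [", 1)[0]  # text before the first bracketed attribute
        s["messages"].append(msg)
        if body.startswith("Access denied"):
            s["blocked"] = True
    return s


def parse_audit_log(text):
    return [summarize(tid, parts) for tid, parts in split_parts(text)]


if __name__ == "__main__":
    for entry in parse_audit_log(SAMPLE_AUDIT):
        print(entry["unique_id"], entry["client_ip"], entry["request_line"], entry["status"],
              [m.get("id") for m in entry["messages"]], "blocked" if entry["blocked"] else "logged")
```

The H part is where the rule ids live; a transaction can carry several `Message:` lines (one per CRS rule that fired) plus the blocking decision, which is why a single-line decoder does not map onto this format and why the thread moves to error_log, where each rule hit is already one line.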

lmfigue...@gmail.com

Aug 24, 2017, 6:45:07 AM
to Wazuh mailing list
Hi,

I'm looking at the rules most used in my rules.

920220 URL Encoding Abuse Attack Attempt
920290 Empty Host Header
921150 HTTP Header Injection Attack via payload (CR/LF detected)
932115 Remote Command Execution: Windows Command Injection
920280 Request Missing a Host Header
941140 XSS Filter - Category 4: Javascript URI Vector
942270 Looking for basic sql injection. Common attack string for mysql, oracle and others.
920420 Request content type is not allowed by policy
933150 PHP Injection Attack: High-Risk PHP Function Name Found
932110 Remote Command Execution: Windows Command Injection
911100 Method is not allowed by policy
920100 Invalid HTTP Request Line
942100 SQL Injection Attack Detected via libinjection
920430 HTTP protocol version is not allowed by policy
932100 Remote Command Execution: Unix Command Injection
932105 Remote Command Execution: Unix Command Injection
941170 NoScript XSS InjectionChecker: Attribute Injection
941210 IE XSS Filters - Attack Detected.
920170 GET or HEAD Request with Body Content.
932150 Remote Command Execution: Direct Unix Command Execution
933130 PHP Injection Attack: Variables Found
933160 PHP Injection Attack: High-Risk PHP Function Call Found
941180 Node-Validator Blacklist Keywords
920270 Invalid character in request (null character)
932160 Remote Command Execution: Unix Shell Code Found
931110 Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name  …
930100 Path Traversal Attack (/../)
920440 URL file extension is restricted by policy
930120 OS File Access Attempt
941110 XSS Filter - Category 1: Script Tag Vector
941100 XSS Attack Detected via libinjection
941160 NoScript XSS InjectionChecker: HTML Injection
930110 Path Traversal Attack (/../)
931120 Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question …
913120 Found request filename/argument associated with security scanner

I think the best way to add rules in OSSEC is to create rules for each one, with match... something like this:

  <rule id="30118" level="6">
    <if_sid>30101</if_sid>
    <match>930100</match>
    <description>Path Traversal Attack (/../).</description>
    <group>modsecurity</group>
  </rule>

Does someone have a better idea?

ern...@wazuh.com

Aug 24, 2017, 12:22:04 PM
to Wazuh mailing list
Hi again,

We are supposing that you want to audit the OWASP mod_security ruleset with Wazuh.

First you need to edit the bundled Apache decoder in /var/ossec/ruleset/decoders/0025-apache_decoders.xml, adding this decoder:

<decoder name="apache-errorlog-modsecurity">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[pid \d+:tid \d+] [client \S+] ModSecurity: \S+\.*[file \S+]</prematch>
    <regex offset="after_parent">[client \S+] \.*[file \S+]\.*[line \S+]\.*[id "(\d+)"]</regex>
    <order>owasp.id</order>
</decoder>

Note: you must insert this decoder before the "apache24-errorlog-ip-port" decoder definition so that it exactly matches the OWASP messages.


After that you can add all the rules that you want in your local rules file /var/ossec/etc/rules/local_rules.xml

<group name="apache,web,">

  <rule id="920350" level="0">
    <if_sid>30401</if_sid>
    <field name="owasp.id">^920350$</field>
    <description>Host header is a numeric IP address</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="930100" level="0">
    <if_sid>30401</if_sid>
    <field name="owasp.id">^930100$</field>
    <description>Path Traversal Attack</description>
    <group>modsecurity,</group>
  </rule>
  
  <!-- add as many OWASP rules as you want -->

</group>

Mind that if you update Wazuh, /var/ossec/ruleset/decoders/0025-apache_decoders.xml will be replaced, so remember to edit it again.

Please tell us if this solves your question. Best regards.
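To make the decoder-then-rule chain above concrete, here is an added example (my code, not Wazuh's and not from anyone in this thread) that emulates it in Python on constructed Apache 2.4 error_log lines (RFC 5737 addresses, example.com hostnames, made-up unique_ids). Python's `re` is PCRE-style while Wazuh/OSSEC decoders use their own dialect (`\S+`, `\d+`, `\.*`), so the patterns are translations of the decoder's logic, not its syntax. Two things it makes visible that the XML alone does not: the posted prematch's literal `[pid \d+:tid \d+]` only accepts lines that carry a thread id and exactly one `[client ...]` field before `ModSecurity:`, whereas the error.log sample posted later in this thread has `[pid 37687]` with no tid and two `[client ...]` fields, so a tolerant variant (an assumption of this example) is run beside the strict translation; and the keyword rules 30402/30411 fire with or without the `owasp.id` field, while the per-CRS-id rules need the child decoder to have matched. The posted decoder's `<order>` extracts only `owasp.id`; this example also pulls srcip/srcport for readability, which is a deviation.

```python
"""Emulation of the Wazuh decoder + rule chain posted above, run on constructed
Apache 2.4 error_log lines. Added example, not Wazuh's code.

Python's re module is PCRE-style; Wazuh/OSSEC decoders use their own dialect,
so the patterns below translate the decoder's logic rather than copy its syntax."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines: RFC 5737 addresses, example.com hostnames, made-up unique_ids.
SAMPLE_LINES = [
    # prefork MPM: "[pid N]" only, and ModSecurity 2.9 repeats the [client] field without a port
    '[Thu Aug 24 10:29:02.188938 2017] [:error] [pid 37687] [client 192.0.2.10:54043] [client 192.0.2.10] ModSecurity: Warning. Pattern match "../" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "38"] [id "930100"] [msg "Path Traversal Attack (/../)"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED0001"]',
    # event/worker MPM: "[pid N:tid M]" and a single [client] field, the shape the posted prematch expects
    '[Thu Aug 24 10:30:11.000001 2017] [:error] [pid 4120:tid 139987] [client 198.51.100.7:41002] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "245"] [id "920290"] [msg "Empty Host Header"] [hostname "www.example.com"] [uri "/"] [unique_id "CONSTRUCTED0002"]',
    # a blocking decision: caught by the keyword rules 30402/30411, no owasp.id needed
    '[Thu Aug 24 10:30:40.000003 2017] [:error] [pid 37689] [client 203.0.113.9:50010] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "www.example.com"] [uri "/login"] [unique_id "CONSTRUCTED0003"]',
    # an ordinary Apache error with no ModSecurity content
    '[Thu Aug 24 10:31:00.000002 2017] [core:error] [pid 37688] [client 203.0.113.9:50001] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/x',
]

# Part consumed by the bundled "apache-errorlog" parent decoder for 2.4-style lines
# (timestamp, then [module:level]); the syslog-style 2.2 lines are not modelled here.
PARENT_RE = re.compile(
    r"^\[\w+ \w+ \d+ \d+:\d+:\d+\.\d+ \d+\] \[\S*:(?P<level>error|warn|notice|info)\] (?P<rest>.*)$"
)
# Direct translation of the posted prematch: tid mandatory, exactly one [client ...] field.
STRICT_PREMATCH = re.compile(r"\[pid \d+:tid \d+\] \[client \S+\] ModSecurity: \S+.*\[file \S+\]")
# Tolerant variant (assumption of this example): optional tid, one or more [client ...] fields.
TOLERANT_PREMATCH = re.compile(r"\[pid \d+(?::tid \d+)?\] (?:\[client \S+\] )+ModSecurity: \S+.*\[file \S+\]")
CLIENT_RE = re.compile(r"\[client (?P<ip>\S+?)(?::(?P<port>\d+))?\]")  # IPv4 clients only
KV_RE = re.compile(r'\[(?P<key>file|line|id|msg|uri|hostname) "(?P<val>[^"]*)"\]')

# Subset of the local rules posted in this thread: owasp.id -> (rule id, level, description).
LOCAL_RULES = {
    "920290": (920290, 15, "Empty Host Header"),
    "930100": (930100, 15, "Path Traversal Attack (/../)"),
    "942100": (942100, 15, "SQL Injection Attack Detected via libinjection"),
}


@dataclass
class Event:
    level: str
    text: str                  # what the child decoders see (after the parent prematch)
    srcip: Optional[str]
    srcport: Optional[str]
    owasp_id: Optional[str]
    msg: Optional[str]
    decoder: str               # name of the child decoder that won


def decode(line: str, tolerant: bool = True) -> Optional[Event]:
    """Return the decoded event, or None when the parent decoder does not match."""
    m = PARENT_RE.match(line)
    if not m:
        return None
    level, rest = m.group("level"), m.group("rest")
    client = CLIENT_RE.search(rest)
    srcip = client.group("ip") if client else None
    srcport = client.group("port") if client else None
    prematch = TOLERANT_PREMATCH if tolerant else STRICT_PREMATCH
    if prematch.search(rest):
        # The posted decoder's <order> lists only owasp.id; srcip/srcport are kept here for readability.
        kv = {k.group("key"): k.group("val") for k in KV_RE.finditer(rest)}
        return Event(level, rest, srcip, srcport, kv.get("id"), kv.get("msg"), "apache-errorlog-modsecurity")
    return Event(level, rest, srcip, srcport, None, None, "apache24-errorlog-ip-port")


def match_rules(ev: Event):
    """Walk the posted chain: 30301 (any 2.4 error) -> 30401 / 30402 -> their children."""
    fired = []
    if ev.level != "error":
        return fired
    if "ModSecurity: Warning" in ev.text:
        fired.append((30401, 0, "ModSecurity Warning messages grouped"))
        if ev.owasp_id in LOCAL_RULES:  # <field name="owasp.id">^NNNNNN$</field>
            fired.append(LOCAL_RULES[ev.owasp_id])
    elif "ModSecurity: Access denied" in ev.text:
        fired.append((30402, 0, "ModSecurity Access denied messages grouped"))
        if "with code 403" in ev.text:
            fired.append((30411, 7, "ModSecurity rejected a query"))
    return fired


def alerts(lines, tolerant: bool = True):
    """(rule id, level, description, srcip) for each line whose most specific rule has level > 0."""
    out = []
    for line in lines:
        ev = decode(line, tolerant)
        if ev is None:
            continue
        chain = match_rules(ev)
        if chain and chain[-1][1] > 0:  # level 0 rules only group; they never alert
            rid, level, desc = chain[-1]
            out.append((rid, level, desc, ev.srcip))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("tolerant prematch" if mode else "strict prematch (as posted)")
        for a in alerts(SAMPLE_LINES, tolerant=mode):
            print("  rule %d level %d %s from %s" % a)
```

Run as-is, the strict mode produces no alert for the prefork-style line even though it carries `[id "930100"]`, because the child decoder never matched and `owasp.id` was never set; the tolerant mode alerts on it. Whichever prematch is used, checking `/var/ossec/logs/ossec.log` after restarting and testing a pasted line with `/var/ossec/bin/ossec-logtest` is the quickest way to see which decoder and rule actually won.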

lmfigue...@gmail.com

Aug 29, 2017, 4:50:38 AM
to Wazuh mailing list


Something must be wrong: I see the rules in the Kibana Wazuh app, but there are no alerts to see.
When I can, I will upload my conf, decoders and rules to find the errors.

Thx !!!  

ern...@wazuh.com

Aug 29, 2017, 5:25:27 AM
to Wazuh mailing list
OK, feel free to share your configuration with us; we will do our best to help you.

Best regards!

lmfigue...@gmail.com

Aug 29, 2017, 6:13:50 AM
to Wazuh mailing list
*/modsec_audit.log*/--

[22/Aug/2017:09:31:18 +0200] WZvdxrdN-YLeTYvbJvLlOQAAAAs IPsource 49376 IP POrt
--6c5d9022-B--
DELETE /difj HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

--6c5d9022-F--
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Length: 206
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--6c5d9022-E--

--6c5d9022-H--
Stopwatch: 1503387078937288 2196 (- - -)
Stopwatch2: 1503387078937288 2196; combined=1259, p1=790, p2=0, p3=141, p4=218, p5=110, sr=106, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Engine-Mode: "ENABLED"

--6c5d9022-Z--

--a2970541-A--

*/ error.log */

[Thu Aug 24 10:29:02.188938 2017] [:error] [pid 37687] [client 10.22.200.68:54043] [client 10.22.200.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] [hostname "carmona.es"] [uri "/Biblioteca/Legislacion/Sector_Industria_Quimica/Subsector_Conduccion_Sustancias"] [unique_id "WZ6OTnwD-c@LSP31z6eQmAAAAAA"], referer: http://carmona.es/Legislacion_Aplicable/Sector_Industria_Quimica/index.html

*/ decoder */

<!--
  -  Apache decoders
  -  Author: Daniel Cid.
  -  Copyright (C) 2009 Trend Micro Inc.
  -  Updated by Wazuh, Inc. <sup...@wazuh.com>.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->


<!--
  - Will extract the srcip
  - Examples:
  - Without ID: Will extract the srcip and srcport (when it is available)
      - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
      - [error] [client 64.94.163.159] Client sent malformed Host header
      - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
      - [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice:  A non well formed numeric value encountered in /path/to/file.php on line 123
      - Feb 17 18:00:00 myhost httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
      - Feb 17 18:00:00 myhost httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
  - With IP + ID: Will extract the srcip, id, and srcport (when it is available)
      - [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
      - [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
      - [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
      - [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
      - ModSecurity
        - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10] ModSecurity: Access denied with code 403 (phase 2). Text...
        - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10:5555] ModSecurity: Access denied with code 403 (phase 2). Text...
  - Others
      - [notice] Apache configured
      - [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
      - [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
-->

<decoder name="apache-errorlog">
    <program_name>^httpd</program_name>
</decoder>

<decoder name="apache-errorlog">
    <prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>

<decoder name="apache-errorlog">
    <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
</decoder>

<decoder name="apache-errorlog-modsecurity">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[pid \d+:tid \d+] [client \S+] ModSecurity: \S+\.*[file \S+]</prematch>
    <regex offset="after_parent">[client \S+] \.*[file \S+]\.*[line \S+]\.*[id "(\d+)"]</regex>
    <order>owasp.id</order>
</decoder>

<decoder name="apache24-errorlog-ip-port">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[client \S+:\d+] \S+:</prematch>
    <regex offset="after_parent">[client (\S+):(\d+)] (\S+): </regex>
    <order>srcip,srcport,id</order>
</decoder>

<decoder name="apache24-errorlog-ip">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[client \S+] \S+:</prematch>
    <regex offset="after_parent">[client (\S+)] (\S+): </regex>
    <order>srcip,id</order>
</decoder>


<decoder name="apache-errorlog-ip">
    <parent>apache-errorlog</parent>
    <prematch offset="after_parent">[client</prematch>
    <regex offset="after_prematch">^ (\S+):(\d+)] |^ (\S+)] </regex>
    <order>srcip,srcport</order>
</decoder>

*/ rules apache.xml */

<!--
  -  Apache rules
  -  Author: Daniel Cid.
  -  Contributed by: Ahmet Ozturk
  -                  Ben Chavet <ben.c...@lullabot.com>
  -  Copyright (C) 2009 Trend Micro Inc.
  -  Updated by Wazuh, Inc. <sup...@wazuh.com>.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<group name="apache,web,">
  <rule id="30100" level="0">
    <decoded_as>apache-errorlog</decoded_as>
    <description>Apache messages grouped.</description>
  </rule>

  <rule id="30101" level="0">
    <if_sid>30100</if_sid>
    <match>^[error] </match>
    <description>Apache error messages grouped.</description>
  </rule>

  <rule id="30102" level="0">
    <if_sid>30100</if_sid>
    <match>^[warn] </match>
    <description>Apache warn messages grouped.</description>
  </rule>

  <rule id="30103" level="0">
    <if_sid>30100</if_sid>
    <match>^[notice] </match>
    <description>Apache notice messages grouped.</description>
  </rule>

  <rule id="30104" level="12">
    <if_sid>30103</if_sid>
    <match>exit signal Segmentation Fault</match>
    <description>Apache: segmentation fault.</description>
    <info type="link">http://www.securityfocus.com/infocus/1633</info>
    <group>service_availability,pci_dss_6.5.2,pci_dss_6.6,</group>
  </rule>

  <rule id="30105" level="5">
    <if_sid>30101</if_sid>
    <match>denied by server configuration</match>
    <description>Apache: Attempt to access forbidden file or directory.</description>
    <group>access_denied,pci_dss_6.5.8,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30106" level="5">
    <if_sid>30101</if_sid>
    <match>Directory index forbidden by rule</match>
    <description>Apache: Attempt to access forbidden directory index.</description>
    <group>access_denied,pci_dss_6.5.8,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30107" level="6">
    <if_sid>30101</if_sid>
    <match>Client sent malformed Host header</match>
    <description>Apache: Code Red attack.</description>
    <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
    <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
    <group>automatic_attack,pci_dss_6.2,pci_dss_6.5.2,pci_dss_11.4,</group>
  </rule>

  <rule id="30108" level="5">
    <if_sid>30102</if_sid>
    <match>authentication failed</match>
    <description>Apache: User authentication failed.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="30109" level="9">
    <if_sid>30101</if_sid>
    <regex>user \S+ not found|user \S+ in realm \.* not found</regex>
    <description>Apache: Attempt to login using a non-existent user.</description>
    <group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="30110" level="5">
    <if_sid>30101</if_sid>
    <match>authentication failure</match>
    <description>Apache: User authentication failed.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="30112" level="0">
    <if_sid>30101</if_sid>
    <match>File does not exist: |</match>
    <match>failed to open stream: No such file or directory|</match>
    <match>Failed opening </match>
    <description>Apache: Attempt to access an non-existent file (those are reported on the access.log).</description>
    <group>unknown_resource,pci_dss_10.2.1,pci_dss_10.2.4,</group>
  </rule>

  <!-- [Tue Mar 07 12:05:15 2006] [error] [client 200.206.165.91] Invalid URI in request %3Bi%3A3%3Bi%3A0%3B%7D; usercookie[password]=d6ed9e1750d0b2aba6b3311cbec087d8; 45befd35f8a0f47b89ed8831f892b8dc=167c4e46a940cd2570b952eea527b27a; PHPSESSID=616hjdg7kj9bln37efsv7vt7g3
  - [client 65.204.137.200] script '/var/www/html/xmlrpc.php' not found or unable to stat
  -->
  <rule id="30115" level="5">
    <if_sid>30101</if_sid>
    <match>Invalid URI in request</match>
    <description>Apache: Invalid URI (bad client request).</description>
    <group>invalid_request,</group>
  </rule>

  <rule id="30116" level="10" frequency="8" timeframe="120">
    <if_matched_sid>30115</if_matched_sid>
    <same_source_ip />
    <description>Apache: Multiple Invalid URI requests from same source.</description>
    <group>invalid_request,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <rule id="30117" level="10">
    <if_sid>30101</if_sid>
    <match>File name too long|request failed: URI too long</match>
    <description>Apache: Invalid URI, file name too long.</description>
    <group>invalid_request,pci_dss_10.2.4,</group>
  </rule>

  <!-- Mod security rules by <ossec ( at ) sioban.net -->
  <rule id="30118" level="6">
    <if_sid>30101</if_sid>
    <match>mod_security: Access denied|ModSecurity: Access denied</match>
    <description>ModSecurity: Access attempt blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30119" level="12" frequency="6" timeframe="120">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>ModSecurity: Multiple attempts blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <rule id="30120" level="12">
    <if_sid>30101</if_sid>
    <match>Resource temporarily unavailable:</match>
    <description>Apache: without resources to run.</description>
    <group>service_availability,pci_dss_10.6.1,</group>
  </rule>

  <rule id="30200" level="6" noalert="1">
    <match>^mod_security-message: </match>
    <description>Modsecurity alert.</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30201" level="6">
    <if_sid>30200</if_sid>
    <match>^mod_security-message: Access denied </match>
    <description>ModSecurity: access denied.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30202" level="10" frequency="8" timeframe="120">
    <if_matched_sid>30201</if_matched_sid>
    <description>ModSecurity: Multiple attempts blocked.</description>
    <group>modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <!-- Apache 2.4 Rules -->
  <rule id="30301" level="0">
    <if_sid>30100</if_sid>
    <regex> [\S*:error] </regex>
    <description>Apache error messages grouped.</description>
  </rule>

  <rule id="30302" level="0">
    <if_sid>30100</if_sid>
    <regex> [\S+:warn] </regex>
    <description>Apache warn messages grouped.</description>
  </rule>

  <rule id="30303" level="0">
    <if_sid>30100</if_sid>
    <regex> [\S+:notice] </regex>
    <description>Apache notice messages grouped.</description>
  </rule>

  <rule id="30304" level="12">
    <if_sid>30303</if_sid>
    <match>exit signal Segmentation Fault</match>
    <description>Apache: segmentation fault.</description>
    <info type="link">http://www.securityfocus.com/infocus/1633</info>
    <group>service_availability,pci_dss_6.5.2,pci_dss_6.6,</group>
  </rule>

  <rule id="30305" level="5">
    <if_sid>30301</if_sid>
    <id>AH01630</id>
    <description>Apache: Attempt to access forbidden file or directory.</description>
    <group>access_denied,pci_dss_6.5.8,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30306" level="5">
    <if_sid>30301</if_sid>
    <id>AH01276</id>
    <description>Apache: Attempt to access forbidden directory index.</description>
    <group>access_denied,pci_dss_6.5.8,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30307" level="6">
    <if_sid>30301</if_sid>
    <id>AH00550</id>
    <description>Apache: Client sent malformed Host header. Possible Code Red attack.</description>
    <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
    <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
    <group>automatic_attack,pci_dss_6.2,pci_dss_6.5.2,pci_dss_11.4,</group>
  </rule>

  <rule id="30308" level="5">
    <if_sid>30302</if_sid>
    <id>AH01617|AH01807|AH01694|AH01695|AH02009|AH02010</id>
    <description>Apache: User authentication failed.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="30309" level="5">
    <if_sid>30301</if_sid>
    <id>AH01618|AH01808|AH01790</id>
    <description>Apache: Attempt to login using a non-existent user.</description>
    <group>invalid_login,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="30310" level="10" frequency="10" timeframe="160">
    <if_matched_sid>30309</if_matched_sid>
    <same_source_ip/>
    <description>Apache: Multiple authentication failures with invalid user.</description>
    <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,</group>
  </rule>

  <rule id="30312" level="0">
    <if_sid>30301</if_sid>
    <match>File does not exist: |</match>
    <match>failed to open stream: No such file or directory|</match>
    <match>Failed opening </match>
    <description>Apache: Attempt to access an non-existent file (those are reported on the access.log).</description>
    <group>unknown_resource,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30315" level="5">
    <if_sid>30301</if_sid>
    <id>AH00126</id>
    <description>Apache: Invalid URI (bad client request).</description>
    <group>invalid_request,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30316" level="10" frequency="8" timeframe="120">
    <if_matched_sid>30315</if_matched_sid>
    <same_source_ip />
    <description>Apache: Multiple Invalid URI requests from same source.</description>
    <group>invalid_request,pci_dss_10.2.4,pci_dss_11.4,</group>
  </rule>

  <rule id="30317" level="10">
    <if_sid>30301</if_sid>
    <id>AH00565</id>
    <description>Apache: Invalid URI, file name too long.</description>
    <group>invalid_request,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30318" level="5">
    <if_sid>30301</if_sid>
    <match>PHP Notice:</match>
    <description>Apache: PHP Notice in Apache log</description>
  </rule>

  <!-- Apache 2.4 ModSecurity Rules -->
  <rule id="30401" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Warning</match>
    <description>ModSecurity Warning messages grouped</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30402" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Access denied</match>
    <description>ModSecurity Access denied messages grouped</description>
    <group>modsecurity,pci_dss_10.2.4,</group>
  </rule>

  <rule id="30403" level="0">
    <if_sid>30301</if_sid>
    <match>ModSecurity: Audit log:</match>
    <description>ModSecurity Audit log messages grouped</description>
    <group>modsecurity,</group>
  </rule>

  <rule id="30411" level="7">
    <if_sid>30402</if_sid>
    <match>with code 403</match>
    <description>ModSecurity rejected a query</description>
    <group>modsecurity,</group>
  </rule>

    <!--
    Shellshock detected
    Pattern: "(){:;};" (with spaces)
    Code: 400
    Decoder: web-accesslog_decoders.xml

    Examples:
    192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 404 292 "-" "() { :;};/usr/bin/perl ..."
    -->
    <rule id="30412" level="6">
        <if_sid>31101</if_sid>
        <regex>"\(\)\s*{\s*:;\s*}\s*;</regex>
        <description>Apache: Shellshock attack attempt</description>
        <info type="cve">CVE-2014-6271</info>
        <group>attack,pci_dss_11.4,</group>
    </rule>

</group>


*/ rules in localrules.xml for Modsecurity */

<rule id="920220" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920220$</field>
       <description>URL Encoding Abuse Attack Attempt</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920290" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920290$</field>
       <description>Empty Host Header</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="921150" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^921150$</field>
       <description>HTTP Header Injection Attack via payload (CR/LF deteced)</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932115" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932115$</field>
       <description>Remote Command Execution: Windows Command Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920280" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920280$</field>
       <description>Request Missing a Host Header</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941140" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941140$</field>
       <description>XSS Filter - Category 4: Javascript URI Vector</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="942270" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^942270$</field>
       <description>Looking for basic sql injection. Common attack string for mysql, oracle and others.</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920420" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920420$</field>
       <description>Request content type is not allowed by policy</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="933150" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^933150$</field>
       <description>PHP Injection Attack: High-Risk PHP Function Name Found</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932110" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932110$</field>
       <description>Remote Command Execution: Windows Command Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="911100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^911100$</field>
       <description>Method is not allowed by policy</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920100$</field>
       <description>Invalid HTTP Request Line</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="942100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^942100$</field>
       <description>SQL Injection Attack Detected via libinjection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920430" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920430$</field>
       <description>HTTP protocol version is not allowed by policy</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932100$</field>
       <description>Remote Command Execution: Unix Command Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932105" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932105$</field>
       <description>Remote Command Execution: Unix Command Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941170" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941170$</field>
       <description>NoScript XSS InjectionChecker: Attribute Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941210" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941210$</field>
       <description>IE XSS Filters - Attack Detected.</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920170" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920170$</field>
       <description>GET or HEAD Request with Body Content.</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932150" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932150$</field>
       <description>Remote Command Execution: Direct Unix Command Execution</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="933130" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^933130$</field>
       <description>PHP Injection Attack: Variables Found</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="933160" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^933160$</field>
       <description>PHP Injection Attack: High-Risk PHP Function Call Found</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941180" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941180$</field>
       <description>Node-Validator Blacklist Keywords</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920270" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920270$</field>
       <description>Invalid character in request (null character)</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="932160" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^932160$</field>
       <description>Remote Command Execution: Unix Shell Code Found</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="931110" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^931110$</field>
       <description>Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="930100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^930100$</field>
       <description>Possible Remote File Inclusion (RFI) Path Traversal Attack (/../)</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="920440" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^920440$</field>
       <description>Path Traversal Attack (/../)</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="930120" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^930120$</field>
       <description>OS File Access Attempt</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941110" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941110$</field>
       <description>XSS Filter - Category 1: Script Tag Vector</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941100" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941100$</field>
       <description>XSS Attack Detected via libinjection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="941160" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^941160$</field>
       <description>NoScript XSS InjectionChecker: HTML Injection</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="930110" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^930110$</field>
       <description>Path Traversal Attack</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="931120" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^931120$</field>
       <description>Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question</description>
       <group>modsecurity,</group>
       </rule>
 <rule id="913120" level="15">
        <if_sid>30401</if_sid>
        <field name="owasp.id">^913120$</field>
       <description>Found request filename/argument associated with security scanner</description>
       <group>modsecurity,</group>
       </rule>


I hope it can be of help.
If you need anything else, please feel free to tell me.

Thanks for all.




ern...@wazuh.com

unread,
Aug 30, 2017, 5:03:59 AM8/30/17
to Wazuh mailing list
Hello again,

After a better analysis of your Apache error_log message, we decided to write a better decoder. Please delete any previous edit and add the following decoder to the head section of the file /var/ossec/ruleset/decoders/0025-apache_decoders.xml (it is very important to add it before the first apache-errorlog decoder definition, because this one is much more specific):

<decoder name="apache-errorlog-modsecurity">
    <prematch>ModSecurity:</prematch>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[file "(\.+)"]</regex>
    <order>modsecurity.file</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[line "(\d+)"]</regex>
    <order>modsecurity.line</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[id "(\d+)"]</regex>
    <order>modsecurity.id</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[msg "(\d+)"]</regex>
    <order>modsecurity.msg</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[tag "(\.+)"]</regex>
    <order>modsecurity.tag</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[hostname "(\.+)"]</regex>
    <order>modsecurity.hostname</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[uri "(\.+)"]</regex>
    <order>modsecurity.uri</order>
</decoder>

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[unique_id "(\.+)"]</regex>
    <order>modsecurity.unique_id</order>
</decoder>

After that, add the following lines to /var/ossec/etc/rules/local_rules.xml:

<group name="modsecurity,">
  <rule id="30404" level="3">
    <decoded_as>apache-errorlog-modsecurity</decoded_as>
    <description>Apache ModSecurity message.</description>
  </rule>
</group>

We tested this with the /var/ossec/bin/ossec-logtest program and got these results:

error log:
[Thu Aug 24 10:29:02.188938 2017] [:error] [pid 37687] [client 10.22.200.68:54043] [client 10.22.200.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] [hostname "carmona.es"] [uri "/Biblioteca/Legislacion/Sector_Industria_Quimica/Subsector_Conduccion_Sustancias"] [unique_id "WZ6OTnwD-c@LSP31z6eQmAAAAAA"], referer: http://carmona.es/Legislacion_Aplicable/Sector_Industria_Quimica/index.html
ossec-logtest:



error log:
[Mon Apr 29 11:53:07 2013] [error] [client x.x.x.x] ModSecurity: Rule 1cd7c28 [id "950901"][file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [unique_id "UX3uo9rQFyUAAGmGCT4AAAAD"]
ossec-logtest:


error log:
[Mon Apr 29 11:53:07 2013] [error] [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "93"] [msg "ModSecurity internal error flagged:
ossec-logtest:


As you can see, the alert now shows specific ModSecurity fields, but if you need even more specific data, please send us your error_log file so we can improve the decoder.

Best regards! 

ern...@wazuh.com

unread,
Aug 30, 2017, 5:32:40 AM8/30/17
to Wazuh mailing list
Sorry, in our last message we made a small mistake.

In the msg regex you must change \d to \. to select text instead of digits:

<decoder name="apache-errorlog-modsecurity-fields">
    <parent>apache-errorlog-modsecurity</parent>
    <regex>[msg "(\.+)"]</regex>
    <order>modsecurity.msg</order>
</decoder>

After this fix you can see the ModSecurity msg value, as in the next screenshot:

Best regards!
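As an added example (not code from the Wazuh replies above or from the project), the Python below mimics the parent/child decoder chain from the two messages above on the first error_log line quoted there: it translates the OSSEC regex subset those decoders use into Python regexes and shows why the original `[msg "(\d+)"]` extracts nothing while the corrected `[msg "(\.+)"]` does. The non-greedy translation is an approximation of OSSEC's matcher, not its real engine, and the sample line is a constructed copy of the quoted one.

```python
import re

# Constructed sample: the first error_log line quoted in the reply above (referer dropped).
SAMPLE_LINE = (
    "[Thu Aug 24 10:29:02.188938 2017] [:error] [pid 37687] [client 10.22.200.68:54043] "
    "[client 10.22.200.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. "
    '[file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] '
    '[line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - '
    "SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via "
    'libinjection"] [tag "event-correlation"] [hostname "carmona.es"] '
    '[uri "/Biblioteca/Legislacion/Sector_Industria_Quimica/Subsector_Conduccion_Sustancias"] '
    '[unique_id "WZ6OTnwD-c@LSP31z6eQmAAAAAA"]'
)
PREMATCH = "ModSecurity:"  # the parent decoder's <prematch>

# Child decoders as (field, OSSEC regex), with the corrected msg pattern (\.+).
DECODERS = [
    ("modsecurity.file", r'[file "(\.+)"]'),
    ("modsecurity.line", r'[line "(\d+)"]'),
    ("modsecurity.id", r'[id "(\d+)"]'),
    ("modsecurity.msg", r'[msg "(\.+)"]'),
    ("modsecurity.tag", r'[tag "(\.+)"]'),
    ("modsecurity.hostname", r'[hostname "(\.+)"]'),
    ("modsecurity.uri", r'[uri "(\.+)"]'),
    ("modsecurity.unique_id", r'[unique_id "(\.+)"]'),
]
BUGGY_MSG = ("modsecurity.msg", r'[msg "(\d+)"]')  # first version: matches digits only

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used above: '\\.' is any character, '\\d' a digit,
    '[' and ']' are literal. Quantifiers are made non-greedy so a capture stops at the
    first closing '"]' (an approximation of OSSEC's matcher, not its real engine)."""
    classes = {r"\.": ".", r"\d": r"\d", r"\w": r"\w", r"\s": r"\s",
               "(": "(", ")": ")", "+": "+?", "*": "*?"}
    tokens = re.findall(r"\\.|.", pattern)  # escaped pair or single literal char
    return "".join(classes.get(t, re.escape(t)) for t in tokens)

def decode(line, decoders=DECODERS):
    """Mimic the decoder chain: the parent prematch gates the line, then every child
    regex that matches contributes its field. Returns None when the prematch fails."""
    if PREMATCH not in line:
        return None
    fields = {}
    for name, rx in decoders:
        m = re.search(ossec_to_python(rx), line)
        if m:
            fields[name] = m.group(1)
    return fields
```

Calling `decode(SAMPLE_LINE, [BUGGY_MSG])` returns an empty dict, which is exactly the "no msg field" symptom the correction above fixes.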


lmfigue...@gmail.com

unread,
Sep 5, 2017, 3:29:52 AM9/5/17
to Wazuh mailing list

Hi.

First, thanks for all.

I attach my 2 files, to show you how I finally did it. I haven't tried in depth yet, but I see the id and new events in Kibana, though for now only referring to 920-enforcement OWASP in ModSecurity; when the security department tries to attack these machines I'll tell you if that's all ok.
One more thing I want to ask is whether it is possible to add options in Kibana or Logstash or Elastic (really I don't know where) to add filters to select this, because I see the different modsecurity.id for example, but I can't filter by it.

Thanks again and one more time sorry for my poor English.


0025-apache_decoders.xml
0250-apache_rules.xml

ern...@wazuh.com

unread,
Sep 6, 2017, 1:08:04 PM9/6/17
to Wazuh mailing list
Hi again!

I'm proud that you finally got the specific ModSecurity events in the Wazuh app, congratulations!

As you can see in these screenshots, you can filter by every field in the Wazuh app:


But if you can't use the new fields, you need to refresh them. Please go to Management -> Index Patterns and click the "refresh fields" button, as you can see in this screenshot:


Best regards!

lmfigue...@gmail.com

unread,
Sep 8, 2017, 3:44:39 AM9/8/17
to Wazuh mailing list
Hi!

I'm referring to this:

It's without "zoom" options for the modsecurity fields.


Thanks and all the best!


ern...@wazuh.com

unread,
Sep 14, 2017, 7:04:44 AM9/14/17
to Wazuh mailing list
Hi,

Did you refresh the Kibana index pattern fields? 
In your screenshot the modsecurity fields have a question mark as their icon instead of a specific type icon.



If not, please go to Management -> Index Patterns and click the "refresh fields" button; in my previous message there is a screenshot indicating which button it is.


Please let me know if this solves your problem.


Best regards.

lmfigue...@gmail.com

unread,
Oct 3, 2017, 3:47:28 AM10/3/17
to Wazuh mailing list
Sorry for not answering before, I was on vacation.
I did what you told me, but actually the icon remains with the question mark instead of with a "t" like yours. Greetings and thank you.

ern...@wazuh.com

unread,
Oct 16, 2017, 3:53:15 AM10/16/17
to Wazuh mailing list
Can you go to Management -> Index Patterns, search for "modsecurity.id" and send us a screenshot of the results?

Thank you!

lmfigue...@gmail.com

unread,
Oct 20, 2017, 3:59:05 AM10/20/17
to Wazuh mailing list


Hi!

The search for modsecurity.id is empty.

Thanks! 

ern...@wazuh.com

unread,
Oct 20, 2017, 4:26:45 AM10/20/17
to Wazuh mailing list
If you can't see any result when searching for "modsecurity.id", it is because you need to refresh the fields. Please go to Management -> Index Patterns, click the "refresh fields" button and try the search again.

Best regards!

lmfigue...@gmail.com

unread,
Oct 20, 2017, 6:30:01 AM10/20/17
to Wazuh mailing list
Yes, I did, but nothing changes.
Thx!


On Monday, 21 August 2017 at 11:18:08 (UTC+2), lmfigue...@gmail.com wrote:

lmfigue...@gmail.com

unread,
Oct 24, 2017, 6:48:03 AM10/24/17
to Wazuh mailing list
Hi
Finally I removed .kibana and created a new index pattern.
Now everything is ok and I have the "t" in the fields.

Thx for all and best regards
 