HAProxy decoder


Giorgio Biondi

Feb 3, 2020, 9:32:10 AM2/3/20
to Wazuh mailing list
Hi,

I have active response on my system, with HAProxy managing traffic to the web server.
I have noted that a 'brute force attack' on WordPress can't be detected / can't trigger AR.

I have a haproxy.log and I have pointed ossec.conf at this file, but nothing is detected.

I have tried ossec-logtest and I understand the issue: the decoder is missing.

[root@tech2srv33 bin]# ./ossec-logtest
2020/02/03 15:29:30 ossec-testrule: INFO: Started (pid: 3235).
ossec-testrule: Type one log per line.

Feb  3 15:16:21 localhost haproxy[30535]: 85.204.246.240:49470 [03/Feb/2020:15:16:20.110] FrontEndA node9a/srv30 0/0/0/901/901 200 6962 - - ---- 5/5/1/1/0 0/0 "POST /wp-login.php HTTP/1.1"


**Phase 1: Completed pre-decoding.
       full event: 'Feb  3 15:16:21 localhost haproxy[30535]: 85.204.246.240:49470 [03/Feb/2020:15:16:20.110] FrontEndA node9a/srv30 0/0/0/901/901 200 6962 - - ---- 5/5/1/1/0 0/0 "POST /wp-login.php HTTP/1.1"'
       timestamp: 'Feb  3 15:16:21'
       hostname: 'localhost'
       program_name: 'haproxy'
       log: '85.204.246.240:49470 [03/Feb/2020:15:16:20.110] FrontEndA node9a/srv30 0/0/0/901/901 200 6962 - - ---- 5/5/1/1/0 0/0 "POST /wp-login.php HTTP/1.1"'

**Phase 2: Completed decoding.
       No decoder matched.


Does somebody have a decoder for this?

I have tons of '/wp-login'...

All the best

gb

Giorgio Biondi

Feb 3, 2020, 11:43:48 AM2/3/20
to Wazuh mailing list
Hi all,

I have made a "very simple decoder":

<!-- parent decoder: selects every syslog line whose program name is haproxy -->
<decoder name="haproxy">
  <program_name>^haproxy</program_name>
</decoder>

<!-- child decoder: extracts the first IPv4 address on the line (the client
     address that opens the HAProxy log line) into srcip, which rule 100012
     needs for <same_source_ip /> -->
<decoder name="haproxy">
  <parent>haproxy</parent>
  <regex>(\d+\.\d+\.\d+\.\d+)</regex>
  <order>srcip</order>
</decoder>



And a very simple rule:


<!-- base rule: fires on every decoded HAProxy line -->
<rule id="100011" level="3">
  <program_name>haproxy</program_name>
  <description>srcip</description>
</rule>

<!-- composite rule: repeated 100011 hits from the same source IP -->
<rule id="100012" level="8" frequency="8" timeframe="30">
  <if_matched_sid>100011</if_matched_sid>
  <same_source_ip />
  <description>CMS (WordPress or Joomla) brute force attempt.</description>
  <group>pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.10,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SA.11,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7</group>
</rule>


...and finally, it seems to work.

All the best,

gb
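As an added example, not code from the thread or from Wazuh: a Python emulation of what the decoder and rule 100012 do together. It parses the HAProxy HTTP log layout shown in the first post and fires when one source IP reaches the frequency inside the timeframe. Unlike rule 100011, which matches every HAProxy line, it counts only POST requests to /wp-login.php, so ordinary browsing does not feed the counter; the regex, function names and sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Python regex (not Wazuh decoder syntax) for HAProxy's default HTTP log layout as
# in the post: client:port [accept_date] frontend backend/server timers status
# bytes cookies termination_state conn_counts queues "request"
HAPROXY_HTTP = re.compile(
    r'haproxy\[\d+\]: (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}):\d+ '
    r'\[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) '
    r'\S+ (?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*"')

def parse_line(line):
    """Return the decoded fields of one HAProxy HTTP log line, or None."""
    m = HAPROXY_HTTP.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    return ev

def detect_bruteforce(lines, frequency=8, timeframe=30, path="/wp-login.php"):
    """Emulate a frequency/timeframe rule with same_source_ip: only POSTs to
    `path` count, and an alert fires when one source reaches `frequency` hits
    inside a sliding window of `timeframe` seconds (the window then resets)."""
    window = timedelta(seconds=timeframe)
    hits, alerts = defaultdict(deque), []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = hits[ev["srcip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ev["srcip"], ev["ts"].isoformat()))
            q.clear()
    return alerts

def make_line(ip, ts, request):
    """Constructed sample line in the layout of the post's log line."""
    return (f"Feb  3 15:16:21 localhost haproxy[30535]: {ip}:49470 [{ts}] "
            f"FrontEndA node9a/srv30 0/0/0/901/901 200 6962 - - ---- "
            f'5/5/1/1/0 0/0 "{request}"')
# Constructed sample: 8 fast POSTs from one client, 10 GETs from another.
SAMPLE = [make_line("203.0.113.5", f"03/Feb/2020:15:16:{20 + i:02d}.110",
                    "POST /wp-login.php HTTP/1.1") for i in range(8)]
SAMPLE += [make_line("198.51.100.9", f"03/Feb/2020:15:16:{20 + i:02d}.000",
                     "GET /index.php HTTP/1.1") for i in range(10)]
```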

Giorgio Biondi

Feb 4, 2020, 1:47:25 AM2/4/20
to Wazuh mailing list
Hi,

Here is an attack mitigated from Tokyo: the first three tries get rule 100011, which simply registers an attempt, and after 3 the fourth gets rule 100012 (level 8), followed by rule 601, which bans this IP.

All the best

timestamp                   level  decoder  location  rule    srcip
Feb 4, 2020 @ 07:39:54.402  3      -        Tokyo     601     54.250.87.247
Feb 4, 2020 @ 07:39:54.383  8      haproxy  Tokyo     100012  54.250.87.247
Feb 4, 2020 @ 07:39:54.381  3      haproxy  Tokyo     100011  54.250.87.247
Feb 4, 2020 @ 07:39:54.379  3      haproxy  Tokyo     100011  54.250.87.247
Feb 4, 2020 @ 07:39:54.376  3      haproxy  Tokyo     100011  54.250.87.247

Jose Manuel Garcia Rodriguez

Mar 26, 2020, 9:02:35 AM3/26/20
to Wazuh mailing list
Hi Giorgio,

I am glad to know that the problem is solved. Thank you for publishing it to help people in a similar situation. We should consider adding this decoder to Wazuh: https://github.com/wazuh/wazuh-ruleset/issues/588
Regards.
Jose.

rukende...@gmail.com

Oct 20, 2020, 3:44:56 AM10/20/20
to Wazuh mailing list
Hi Giorgio,

I need your help to monitor HAProxy logs.

How can I see all the HAProxy logs in my Wazuh manager? Do I need to write a rule for this?

Thanks
Rukender

Chema Martinez

Jan 4, 2021, 4:52:18 AM1/4/21
to Wazuh mailing list