Nginx logs


Satwika sree

Sep 7, 2023, 8:05:16 AM
to Wazuh | Mailing List
Hi All,

We are facing an urgent issue: we are unable to capture the Nginx logs in Wazuh. These logs contain 200 status codes and are associated with bad IP addresses. We need to either create rules for these logs or update existing ones.

Please find attached the logs for your reference.

Kindly assist with resolving this matter promptly.

47.88.94.28 - - [06/Sep/2023:00:01:51 +0000] "GET / HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Linux; Android 10; LIO-AN00 Build/HUAWEILIO-AN00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Mobile Safari/537.36" "-"
47.88.78.6 - - [06/Sep/2023:00:01:53 +0000] "GET /static/admin/javascript/hetong.js HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Linux; Android 10; LIO-AN00 Build/HUAWEILIO-AN00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Mobile Safari/537.36" "-"
162.142.125.12 - - [06/Sep/2023:00:15:44 +0000] "GET / HTTP/1.1" 200 7550 "-" "-" "-"
162.142.125.12 - - [06/Sep/2023:00:15:45 +0000] "GET / HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
162.142.125.12 - - [06/Sep/2023:00:16:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
218.95.226.221 - - [06/Sep/2023:00:26:14 +0000] "GET / HTTP/1.0" 200 7550 "-" "-" "-"
106.75.79.16 - - [06/Sep/2023:00:29:45 +0000] "GET / HTTP/1.1" 200 7550 "-" "-" "-"
43.156.8.91 - - [06/Sep/2023:00:33:45 +0000] "GET / HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:45 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 7550 "http://code.jquery.com/" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:45 +0000] "GET /is-bin HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /is-bin HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /news.php HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /load HTTP/1.1" 200 7550 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /8.bin HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /hrsgdsb7386wknzms.jpg HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /UnityPlayer.dll HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /ttd.exe HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:46 +0000] "GET /qd.CHM HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /zMLUH93A HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /Display/chan/IB61I7MYA HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /jquery-3.3.1.min.js HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /Gmail/UnityPlayer.txt HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /new/login HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /viwwwsogou?op=8&query=%E7%A8%8F%E5%BB%BA%09%E9%BE%90%E1%B7%A2 HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/BDyot0NxyG.php HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101" "-"
43.156.8.91 - - [06/Sep/2023:00:33:47 +0000] "GET /jquery.js HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /wh/glass.php HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /login HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /c/msdownload/update/software/update/2021/11/6632de33-967441-x86.cab HTTP/1.1" 200 7550 "-" "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /c/msdownload/update/software/update/2021/11/6632de33-967441-x86.cab HTTP/1.1" 200 7550 "-" "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /fw6I HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /fw6I HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /Ix9b HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /fy7F HTTP/1.1" 200 7550 "-" "'Mozilla/5.0" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /Visu/ens/events HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-"
43.156.8.91 - - [06/Sep/2023:00:33:48 +0000] "GET /Visu/ens/events HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-"
139.162.84.205 - - [06/Sep/2023:00:37:56 +0000] "GET / HTTP/1.0" 200 7550 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" "-"
135.125.246.110 - - [06/Sep/2023:00:44:17 +0000] "GET /.env HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "-"
43.154.141.71 - - [06/Sep/2023:00:45:57 +0000] "HEAD /Core/Skin/Login.aspx HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" "-"
185.254.196.186 - - [06/Sep/2023:01:05:18 +0000] "GET /.env HTTP/1.1" 200 7550 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "-"
173.249.44.200 - - [06/Sep/2023:01:36:57 +0000] "CONNECT ftp.halifax.rwth-aachen.de:443 HTTP/1.1" 400 150 "-" "-" "-"


Gonzalo Acuña

Sep 7, 2023, 1:41:37 PM
to Wazuh | Mailing List
Hi, Satwika.
Here is a link related to Blocking a known malicious actor that might lead you to the desired configuration.
With that configuration, Wazuh will block the malicious IPs.

Let me know if that's what you are looking for, please.

Regards.
Gonzalo Acuña.

Satwika sree

Sep 7, 2023, 5:56:17 PM
to Wazuh | Mailing List
Thanks for your assistance.

I need help because we're not capturing Nginx logs in Wazuh. These logs have 200 status codes and are related to bad IP addresses. We either need to make new rules or update the current ones. I've shared sample logs at the beginning of our conversation for reference.

Please help me to resolve this issue.


Thanks,

Satwika


Norberto Cesar Vicchi

Sep 7, 2023, 7:58:31 PM
to Wazuh | Mailing List
Hello Satwika!
Thank you for choosing Wazuh!

You can easily ingest your apache/nginx log into Wazuh. To achieve this, follow the below steps:

1- Add the below configuration on the Wazuh agent by editing the /var/ossec/etc/ossec.conf file
<localfile>
    <location>/path/to/apache/access.log</location>
    <log_format>syslog</log_format>
</localfile>


2- Restart the Wazuh agent for your changes to take effect.
systemctl restart wazuh-agent
OR
service wazuh-agent restart

Wazuh has decoders for both apache, and nginx:

https://github.com/wazuh/wazuh-ruleset/tree/master/decoders

If the above decoders do not match your logs, you can easily create custom decoders and also rules. You can refer to this link to create custom decoders and rules.
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please let me know if this helps.

Regards!
Norberto

Satwika sree

Sep 8, 2023, 5:12:40 AM
to Wazuh | Mailing List
I have already implemented the configuration you provided above, but I am not receiving the 200 code success logs. 
This is because those logs are triggered by rule 31108, which is a level 0 rule, and that's why I can't see the alerts on the dashboard.

To address this issue, I edited the rules as follows:

<rule id="100125" level="10">
    <if_sid>31108</if_sid>
    <description>Nginx event.</description>
    <group>web, accesslog, nginx</group>
</rule>
However, after implementing this rule, we noticed that it's triggering alerts for legitimate users as well. 
Our goal is to detect unauthorized user activity without generating alerts for legitimate users.

Could you please provide guidance on how we can achieve this?
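One way to narrow rule 100125 so it fires on the probe-like requests visible in the attached sample (/.env, /ttd.exe, /UnityPlayer.dll, /8.bin, /qd.CHM, the .cab download path) instead of on every 200 response, as an added example that is not part of this thread and not from Wazuh's own ruleset. It assumes the stock web-accesslog decoder (fields srcip, url and id, where id carries the HTTP status code), that rule ids 100126 and 100127 are unused in local_rules.xml, and that the extension list, threshold and timeframe are starting points to tune against real traffic.

```xml
<group name="web,accesslog,nginx,">
  <!-- Added example, not from the thread. Child of 31108 (the level-0 rule named above),
       so it only evaluates the 2xx/3xx events that rule swallows. Fires on a 200 response
       to a path that legitimate browsers rarely request: a dotfile such as /.env, or a
       binary/archive extension seen in the sample. Field names srcip/url/id are those of
       the default web-accesslog decoder (assumption: decoder unchanged). -->
  <rule id="100126" level="7">
    <if_sid>31108</if_sid>
    <id>^200$</id>
    <!-- OSSEC regex: alternation with '|', literal dot as '\.', '$' anchors the end of the URL -->
    <url>/\.env$|\.exe$|\.dll$|\.cab$|\.bin$|\.chm$</url>
    <description>Nginx: 200 response to probe-like path $(url) from $(srcip).</description>
    <group>web_scan,</group>
  </rule>

  <!-- Escalate when the same source IP trips 100126 repeatedly in a short window,
       which is the pattern the single-IP burst in the sample shows.
       frequency/timeframe are arbitrary starting values. -->
  <rule id="100127" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100126</if_matched_sid>
    <same_source_ip />
    <description>Nginx: $(srcip) requested 8+ probe-like paths within 120s (likely scanner).</description>
    <group>web_scan,recon,</group>
  </rule>
</group>
```

Place the block in /var/ossec/etc/rules/local_rules.xml and restart the manager; requests that match neither rule keep their level-0 handling under 31108, so ordinary users stay silent on the dashboard.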

Norberto Cesar Vicchi

Sep 8, 2023, 2:29:39 PM
to Wazuh | Mailing List
Satwika, can you please share an example of an authorized user log as well as an unauthorized one?

Regards!