Discussion:
[ossec-list] <decoder name="apache24-modsec-errorlog-ip">
webwzrd
2016-02-17 00:24:40 UTC
I'm having an issue extracting the IP out of a successfully triggered
ModSecurity rule.

Details:
I'm using Ossec-Hid 2.8.3 on CentOS 7 with Apache 2.4. I have borrowed the
Apache 2.4 rules and decoder (Apache section) from Ossec 2.9b, which are:

+++++++++++++++++++++++++++++++++++++++++++
<!-- Apache 2.4 ModSecurity Rules -->
<rule id="30401" level="0">
<if_sid>30301</if_sid>
<match>ModSecurity: Warning</match>
<description>ModSecurity Warning messages grouped</description>
</rule>

<rule id="30402" level="0">
<if_sid>30301</if_sid>
<match>ModSecurity: Access denied</match>
<description>ModSecurity Access denied messages grouped</description>
</rule>

<rule id="30403" level="0">
<if_sid>30301</if_sid>
<match>ModSecurity: Audit log:</match>
<description>ModSecurity Audit log messages grouped</description>
</rule>

<rule id="30411" level="7">
<if_sid>30402</if_sid>
<match>with code 403</match>
<description>ModSecurity rejected a query</description>
</rule>
+++++++++++++++++++++++++++++++++++++++++++

<decoder name="apache-errorlog">
<program_name>^httpd</program_name>
</decoder>

<decoder name="apache-errorlog">
<prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>

<decoder name="apache-errorlog">
<prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
</decoder>

<decoder name="apache24-errorlog-ip">
<parent>apache-errorlog</parent>

<prematch offset="after_parent">[client</prematch>
<regex offset="after_prematch">^ (\S+):\d+] (\S+): </regex>
<order>srcip,id</order>
</decoder>

<decoder name="apache24-modsec-errorlog-ip">
<parent>apache-errorlog</parent>

<prematch offset="after_parent">[client</prematch>
<regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
<order>srcip</order>
</decoder>

<decoder name="apache-errorlog-ip">
<parent>apache-errorlog</parent>

<prematch offset="after_parent">^[client</prematch>
<regex offset="after_prematch">^ (\S+)] </regex>
<order>srcip</order>
</decoder>
+++++++++++++++++++++++++++++++++++++++++++

The error_log shows as:

[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147]
ModSecurity: Access denied with code 403 (phase 2). String match
"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]


And Rule 30411 triggers successfully as (not matching alert to above, just
an example):


** Alert 1455667932.9725404: mail - apache,
2016 Feb 16 18:12:12 (server.mine.org) 1.1.1.1->/home/xyz/logs/error_log
Rule: 30411 (level 7) -> 'ModSecurity rejected a query'
[Tue Feb 16 18:12:12.419586 2016] [:error] [pid 22253] [client 178.137.167.9] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file "/etc/httpd/modsecurity.d/cwaf_rules/09_Bruteforce_Bruteforce.conf"] [line "79"] [id "230021"] [rev "3"] [msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication."] [data "Current Username: xyz"] [hostname "www.xyz.com"] [uri "/administrator/index.php"] [unique_id "VsO63OFvCgWfU4iCpLmGvQAAABg"]


As you can see the srcip doesn't get listed as it should below Rule: 20411,
same when doing an ossec-logtest.

I've done a ton of searching and cannot find anything on this issue. I
tried experimenting with the regex to no avail.

Can anyone suggest a correction to:

<decoder name="apache24-modsec-errorlog-ip">
<parent>apache-errorlog</parent>

<prematch offset="after_parent">[client</prematch>
<regex offset="after_prematch">^ (\S+)] ModSecurity: </regex>
<order>srcip</order>
</decoder>

Or offer another solution?

Thanks,
Brian
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Santiago Bassett
2016-02-17 02:18:49 UTC
Hi Brian,

when running it through ossec-logtest, this is what I get:

**Phase 1: Completed pre-decoding.

full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223]
[client 46.4.84.147] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'

hostname: 'vpc-ossec-manager'

program_name: '(null)'

log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'


**Phase 2: Completed decoding.

decoder: 'apache-errorlog'


**Phase 3: Completed filtering (rules).

Rule id: '30411'

Level: '7'

Description: 'ModSecurity rejected a query'

**Alert to be generated.


This means it is matching this decoder: "apache-errorlog", but not
"apache24-errorlog-ip".
If I am right, just by having a look at the regexes, the problem might be
that the decoders are not expecting the *[pid 3223]* part, and also it is
expecting a source port. A log message like this would work (notice I
removed the pid section, and included a source port):

[Tue Feb 16 04:02:21.018764 2016] [:error] [client 46.4.84.147*:1024*]
ModSecurity: Access denied with code 403 (phase 2). String match
"JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]

**Phase 1: Completed pre-decoding.

full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [client
46.4.84.147:1024] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'

hostname: 'vpc-ossec-manager'

program_name: '(null)'

log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [client
46.4.84.147:1024] ModSecurity: Access denied with code 403 (phase 2).
String match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'


**Phase 2: Completed decoding.

decoder: 'apache-errorlog'

*srcip: '46.4.84.147'*

id: 'ModSecurity'


**Phase 3: Completed filtering (rules).

Rule id: '30411'

Level: '7'

Description: 'ModSecurity rejected a query'

**Alert to be generated.


I hope it helps
webwzrd
2016-02-17 13:34:17 UTC
Santiago,

Thank you for your insight, I really appreciate it.

I see your discovery. I'm new to understanding the regex used, but I'm a
quick study. After the parent decoder is matched, shouldn't apache24-errorlog-ip
be able to jump ahead to the section starting with [client - not sure how
the pid affects this? Obviously it does, I just don't get why.

Are you suggesting I recraft how the ModSecurity error reads? Or do you
have an idea for a regex change?

Brian
webwzrd
2016-02-17 17:26:09 UTC
Santiago,

After testing variations of your log edits, I'm finding that keeping the
pid in place and just adding the port produces:

**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '46.4.84.147'
id: 'ModSecurity'


How can I get the decoder to not require the port or get the port to append
to the IP?

Brian
Jesus Linares
2016-02-17 17:35:13 UTC
Hi Brian,

The decoder that you see in logtest is always the parent:
**Phase 2: Completed decoding.
decoder: 'apache-errorlog' <- This is the parent decoder.

We have 6 decoders for apache:

- Parents:
  - <decoder name="apache-errorlog">
  - <decoder name="apache-errorlog">
  - <decoder name="apache-errorlog">
- Children:
  - <decoder name="apache24-errorlog-ip">
  - <decoder name="apache24-modsec-errorlog-ip">
  - <decoder name="apache-errorlog-ip">

The log matches the third parent and doesn't match any child.
Explanation:

Log:
[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147]
ModSecurity: Text...

3rd parent decoder matches (blue part):
[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147]
ModSecurity: Text...
*Red part is "after_parent" used in child decoders.

3rd child decoder can't match due to "<prematch offset="after_parent">^[client</prematch>".
The log (after_parent) starts with *[pid*, and this decoder expects
*[client*. So, it could match with the first or the second child decoder.
The prematch in both cases is the same, so I think it matches with the
first child decoder and then fails because the regex expression expects a
port *:\d+* (if you add the port it will match with the second child
decoder).

I think the *prematch must always be different*. The solution could be to
change the prematch and change the order: first ModSecurity (because it is
the most restrictive).

It would be:

<decoder name="apache-errorlog">
<program_name>^httpd</program_name>
</decoder>


<decoder name="apache-errorlog">
<prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>


<decoder name="apache-errorlog">
<prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
</decoder>


<decoder name="apache24-modsec-errorlog-ip">
<parent>apache-errorlog</parent>
<prematch offset="after_parent">[client \S+] ModSecurity</prematch>
<regex>[client (\S+)] ModSecurity</regex>
<order>srcip,srcport</order>
</decoder>


<decoder name="apache24-errorlog-ip">
<parent>apache-errorlog</parent>
<prematch offset="after_parent">[client</prematch>
<regex offset="after_prematch">^ (\S+):\d+] (\S+): </regex>
<order>srcip,id</order>
</decoder>


<decoder name="apache-errorlog-ip">
<parent>apache-errorlog</parent>
<prematch offset="after_parent">^[client</prematch>
<regex offset="after_prematch">^ (\S+)] </regex>
<order>srcip</order>
</decoder>


Test:
**Phase 1: Completed pre-decoding.
full event: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'
hostname: 'LinMV'
program_name: '(null)'
log: '[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client
46.4.84.147] ModSecurity: Access denied with code 403 (phase 2). String
match "JDatabaseDriverMysqli" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/cwaf_rules/26_Apps_Joomla.conf"] [line "46"] [id
"222390"] [rev "2"] [msg "COMODO WAF: PHP object injection or arbitrary
code execution attacks in the Joomla! 1.5.x, 2.x, and 3.x before 3.4.6
(CVE-2015-8562)"] [hostname "xyz.com"] [uri "/"] [unique_id
"VsLzrS4Zyx3R5xy6tzH0zAAAAAk"]'


**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
srcip: '46.4.84.147'


**Phase 3: Completed filtering (rules).
Rule id: '30411'
Level: '7'
Description: 'ModSecurity rejected a query'
**Alert to be generated.


Regards.
Jesus Linares
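As an added illustration, not code from the thread or from OSSEC, here is a small Python simulation of the matching rules Jesus describes, run over the thread's log line with the original decoder chain and with his reordered one; it also reproduces Santiago's and Brian's port experiments. It assumes his account of the engine (the first child whose prematch matches runs its regex, and a failed regex ends decoding), models only the third apache-errorlog parent since logtest reports program_name '(null)', and translates the OSSEC regex subset used by these decoders into Python regexes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's error_log line (truncated) and the third parent's prematch.
MODSEC_LOG = ("[Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 46.4.84.147] "
              "ModSecurity: Access denied with code 403 (phase 2).")
PARENT_PREMATCH = (r"^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] "
                   r"|^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] "
                   r"|^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] "
                   r"|^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] ")

def ossec_to_python(pattern):
    # OSSEC regex subset: '[' and ']' are literal (no character classes), '.' is any char,
    # \S \d \w + * ^ $ | ( ) keep their meaning; everything else is escaped for Python's re.
    out, i = [], 0
    while i < len(pattern):
        n = 2 if pattern[i] == "\\" else 1          # keep \S, \d, \w as two-char tokens
        tok = pattern[i:i + n]
        out.append(tok if n == 2 or tok in ".+*^$|()" else re.escape(tok))
        i += n
    return "".join(out)

@dataclass
class Decoder:
    name: str
    prematch: str
    order: list = field(default_factory=list)
    regex: str = None
    prematch_offset: str = None   # None or "after_parent"
    regex_offset: str = None      # None, "after_parent" or "after_prematch"

def decode(log, parent, children):
    # Matching as Jesus describes it (assumption): the parent's prematch must match first;
    # children are then tried in file order, the first child whose prematch matches runs
    # its regex, and a failed regex ends decoding without trying later children.
    pm = re.search(ossec_to_python(parent.prematch), log)
    if not pm:
        return {}
    after_parent = log[pm.end():]
    for child in children:
        text = after_parent if child.prematch_offset == "after_parent" else log
        cm = re.search(ossec_to_python(child.prematch), text)
        if not cm:
            continue
        target = {"after_prematch": text[cm.end():],
                  "after_parent": after_parent}.get(child.regex_offset, log)
        rm = re.search(ossec_to_python(child.regex), target)
        return dict(zip(child.order, rm.groups())) if rm else {}
    return {}

PARENT = Decoder("apache-errorlog", PARENT_PREMATCH)
CHILD_24_IP = Decoder("apache24-errorlog-ip", "[client", ["srcip", "id"],
                      r"^ (\S+):\d+] (\S+): ", "after_parent", "after_prematch")
CHILD_MODSEC = Decoder("apache24-modsec-errorlog-ip", "[client", ["srcip"],
                       r"^ (\S+)] ModSecurity: ", "after_parent", "after_prematch")
CHILD_IP = Decoder("apache-errorlog-ip", "^[client", ["srcip"],
                   r"^ (\S+)] ", "after_parent", "after_prematch")
# Jesus's fix: the ModSecurity child goes first, with a prematch no other child shares.
FIXED_MODSEC = Decoder("apache24-modsec-errorlog-ip", r"[client \S+] ModSecurity",
                       ["srcip", "srcport"], r"[client (\S+)] ModSecurity", "after_parent")
ORIGINAL_CHILDREN = [CHILD_24_IP, CHILD_MODSEC, CHILD_IP]
FIXED_CHILDREN = [FIXED_MODSEC, CHILD_24_IP, CHILD_IP]
```

With the original chain decode() returns no fields for the pid-bearing line, while the fixed chain returns srcip, as in Jesus's logtest output; adding ":1024" after the IP makes the original chain return srcip and id, as Santiago and Brian observed.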
webwzrd
2016-02-17 19:17:54 UTC
Jesus,

You were spot on! Your analysis and solution worked perfectly. Thank you so
much. I had made some additional Ossec rules for ModSecurity and now
they're all working.

I don't know if you are associated with the development team at github, but
this should be shared because it is likely to be a problem for everyone
using ModSecurity with Apache 2.4. The Apache decoders should be changed
here: https://github.com/ossec/ossec-hids/blob/2_9_b/etc/decoder.xml

Thank you again,
Brian
Jesus Linares
2016-02-17 19:23:33 UTC
Hi Brian,

I'm glad to hear that! I did some changes to extract the port and other
fixes. You can see the apache decoders updated here
<https://github.com/wazuh/ossec-rules/blob/development/rules-decoders/ossec/decoders/apache_decoders.xml>.
Also I sent a pull request <https://github.com/ossec/ossec-hids/pull/746> to
ossec-hids.

Regards,
Jesus Linares.
webwzrd
2016-02-17 19:41:43 UTC
Excellent!