Discussion:
[ossec-list] OSSEC Alert - Level 5 - Web server 500 error code (Internal Error)
Gerhard Vissie Visser
2018-10-22 07:45:39 UTC
Hi. I would just like some advice, if I may.

I get this email notification maybe twice a day.

OSSEC HIDS Notification.
2018 Oct 20 14:18:33

Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Src IP: 12.345.67.89
Portion of the log(s):

12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade
HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"


--END OF NOTIFICATION

The source IP is my workstation. So I know this is not an attack of sorts.
This is after I installed a specific application and set up a reverse proxy
for it (https://server.me.com)
I have also whitelisted my IP (12.345.67.89)

To try and hide this message, I created a custom rule:
<rule id="31122" level="0">
  <if_sid>31120</if_sid>
  <id>^500</id>
  <srcip>12.345.67.89</srcip>
  <description>Web server 500 error code (Internal Error).</description>
</rule>

I cannot pick up that anything is blocked; my app works like I would have
expected. The only thing is these emails that I get. Besides that I could
not pick up any negativity.


I still need to see if this makes a difference.
My questions:
1. Was this the right thing to do?
2. Did I write the rule correctly?
3. This rule seems to be very generic (^500). Can I somehow be more specific?
Maybe say that all 500 errors from/on app "https://server.me.com"? If so,
how?
4. Any other advice that would have resulted in a better outcome maybe?

As I am still new at OSSEC, advice will really be appreciated.


Vissie
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
dan (ddp)
2018-10-22 17:44:54 UTC
On Mon, Oct 22, 2018 at 4:17 AM Gerhard Vissie Visser
Post by Gerhard Vissie Visser
Hi. I would just like some advice, if I may.
I get this email notification maybe twice a day.
OSSEC HIDS Notification.
2018 Oct 20 14:18:33
Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Src IP: 12.345.67.89
12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
--END OF NOTIFICATION
The source IP is my workstation. So I know this is not an attack of sorts. This is after I installed a specific application and set up a reverse proxy for it (https://server.me.com)
I have also whitelisted my IP (12.345.67.89)
<rule id="31122" level="0">
<if_sid>31120</if_sid>
<id>^500</id>
<srcip>12.345.67.89</srcip>
<description>Web server 500 error code (Internal Error).</description>
</rule>
I cannot pick up that anything is blocked; my app works like I would have expected. The only thing is these emails that I get. Besides that I could not pick up any negativity.
I still need to see if this makes a difference.
1. Was this the right thing to do?
2. Did I write the rule correctly?
3. This rule seems to be very generic (^500). Can I somehow be more specific? Maybe say that all 500 errors from/on app "https://server.me.com"? If so, how?
4. Any other advice that would have resulted in a better outcome maybe?
You can use ossec-logtest to test your rules:

ix# /var/ossec/bin/ossec-logtest
2018/10/22 13:40:56 ossec-testrule: INFO: Reading local decoder file.
2018/10/22 13:40:56 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2018/10/22 13:40:56 ossec-testrule: INFO: Started (pid: 23931).
ossec-testrule: Type one log per line.

12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"


**Phase 1: Completed pre-decoding.
full event: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'
hostname: 'ix'
program_name: '(null)'
log: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'

**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '12.345.67.89'
srcuser: '-'
action: 'GET'
url: '/rest/system/upgrade'
id: '500'

**Phase 3: Completed filtering (rules).
Rule id: '31122'
Level: '5'
Description: 'Web server 500 error code (Internal Error).'
**Alert to be generated.

I think you can use anything in Phase 2 to limit your rule.
Post by Gerhard Vissie Visser
As I am still new at OSSEC, advice will really be appreciated.
Vissie
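To make Dan's point concrete, here is an added example (not code from the thread, and not OSSEC's own engine) that models the three ossec-logtest phases in Python: a regex decoder that yields the same named fields the web-accesslog decoder printed in Phase 2 (srcip, srcuser, action, url, id), and a matcher for the rule options used here (<id>, <srcip>, <url>, <if_sid>). Instead of redefining 31122, it keeps the stock rule and adds a hypothetical level-0 child rule 100101 that only swallows the 500 when it comes from the whitelisted workstation and hits /rest/system/upgrade; every other 500 still alerts at level 5. One caveat the Phase 2 output makes visible: the virtual host only appears in the referer, which the decoder does not extract, so "all 500s on https://server.me.com" cannot be expressed directly from those fields; the url path is the closest decoded field. The log lines are constructed, and 12.345.67.89 / server.me.com are the placeholders from the thread.

```python
"""Toy model of narrowing an OSSEC web-accesslog rule with Phase 2 fields.

Added example, not OSSEC's engine: the decoder is a plain regex over nginx's
default "combined" format, and the matcher implements only the rule options
used here (<id>, <srcip>, <url>, <if_sid>).  Rule 100101 is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not from a real server).
SAMPLE_LOGS: List[str] = [
    # the noisy one from the thread: own workstation, upgrade check, 500
    '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0"',
    # same URL and status from an unknown address: must still alert
    '203.0.113.7 - - [20/Oct/2018:14:19:01 +0200] "GET /rest/system/upgrade HTTP/1.1" 500 322 "-" "curl/7.61.0"',
    # own workstation, but a 500 on a different URL: must still alert
    '12.345.67.89 - - [20/Oct/2018:14:20:10 +0200] "POST /login HTTP/2.0" 500 120 "https://server.me.com/" "Mozilla/5.0"',
    # own workstation, upgrade check, success: no 500 rule applies
    '12.345.67.89 - - [20/Oct/2018:14:21:00 +0200] "GET /rest/system/upgrade HTTP/2.0" 200 1024 "https://server.me.com/" "Mozilla/5.0"',
]

# Same named fields the web-accesslog decoder reported in Phase 2.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ (?P<srcuser>\S+) \[[^\]]+\] '
    r'"(?P<action>[A-Z]+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) '
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Phase 2: one access-log line -> decoded fields, or None if it does not parse."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    description: str
    if_sid: Optional[int] = None       # parent rule, like <if_sid>
    id_pattern: Optional[str] = None   # regex on the status code, like <id>^500</id>
    srcip: Optional[str] = None        # exact source address, like <srcip>
    url_pattern: Optional[str] = None  # regex on the request path, like <url>

    def matches(self, ev: Dict[str, str]) -> bool:
        """Every option set on the rule must match the decoded event."""
        if self.id_pattern and not re.match(self.id_pattern, ev["id"]):
            return False
        if self.srcip and ev["srcip"] != self.srcip:
            return False
        if self.url_pattern and not re.match(self.url_pattern, ev["url"]):
            return False
        return True


RULES: List[Rule] = [
    # Stock rule from the notification: any 500 is a level-5 alert.
    Rule(31122, 5, "Web server 500 error code (Internal Error).", id_pattern=r"^500"),
    # Hypothetical local child rule: silence the 500 only for the known upgrade
    # check from the whitelisted workstation.  Equivalent local_rules.xml entry:
    #   <rule id="100101" level="0">
    #     <if_sid>31122</if_sid>
    #     <srcip>12.345.67.89</srcip>
    #     <url>^/rest/system/upgrade</url>
    #     <description>Known 500 from own workstation on the upgrade check.</description>
    #   </rule>
    Rule(100101, 0, "Known 500 from own workstation on the upgrade check.",
         if_sid=31122, srcip="12.345.67.89", url_pattern=r"^/rest/system/upgrade"),
]


def evaluate(line: str, rules: List[Rule] = RULES) -> Optional[Tuple[int, int]]:
    """Phase 3: (rule_id, level) of the rule that ends up firing, or None.

    Top-level rules are tried in order; when one matches, its children (rules
    whose if_sid points at it) may take over, so the most specific matching
    rule decides the level.  Level 0 means no alert.
    """
    ev = decode(line)
    if ev is None:
        return None
    for rule in rules:
        if rule.if_sid is not None or not rule.matches(ev):
            continue
        fired = rule
        for child in rules:
            if child.if_sid == rule.rule_id and child.matches(ev):
                fired = child
                break
        return fired.rule_id, fired.level
    return None


def alerts(lines: List[str], min_level: int = 1) -> List[Tuple[int, int]]:
    """(rule_id, level) for every line whose firing rule is at or above min_level."""
    hits = [evaluate(line) for line in lines]
    return [h for h in hits if h is not None and h[1] >= min_level]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line), line[:60])
```

Run it and only the second and third sample lines come back as level-5 hits; the workstation's upgrade check is absorbed by the level-0 child and the 200 matches nothing. The same narrowing in real OSSEC is done by putting the XML shown in the comment into local_rules.xml and confirming with ossec-logtest that Phase 3 now reports rule 100101 at level 0 for that line.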
Gerhard Vissie Visser
2018-10-30 18:25:08 UTC
Hi Dan.

Thanks, I get it now. Did not know logtest even existed. Thank you.

This helps a lot.

Vissie
Post by dan (ddp)
On Mon, Oct 22, 2018 at 4:17 AM Gerhard Vissie Visser
Post by Gerhard Vissie Visser
Hi. I would just like some advice, if I may.
I get this email notification maybe twice a day.
OSSEC HIDS Notification.
2018 Oct 20 14:18:33
Received From: server->/var/log/nginx/access.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal
Error)."
Post by Gerhard Vissie Visser
Src IP: 12.345.67.89
12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET /rest/system/upgrade
HTTP/2.0" 500 322 "https://server.me.com/" "Mozilla/5.0 (X11; Linux
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100
Safari/537.36"
Post by Gerhard Vissie Visser
--END OF NOTIFICATION
The source IP is my workstation. So I know this is not an attack of
sorts. This is after I installed a specific application and set up a reverse
proxy for it (https://server.me.com)
Post by Gerhard Vissie Visser
I have also whitelisted my IP (12.345.67.89)
<rule id="31122" level="0">
<if_sid>31120</if_sid>
<id>^500</id>
<srcip>12.345.67.89</srcip>
<description>Web server 500 error code (Internal
Error).</description>
Post by Gerhard Vissie Visser
</rule>
I cannot pick up that anything is blocked; my app works like I would
have expected. The only thing is these emails that I get. Besides that I
could not pick up any negativity.
Post by Gerhard Vissie Visser
I still need to see if this makes a difference.
1. Was this the right thing to do?
2. Did I write the rule correctly?
3. This rule seems to be very generic (^500). Can I somehow be more
specific? Maybe say that all 500 errors from/on app "https://server.me.com"?
If so, how?
Post by Gerhard Vissie Visser
4. Any other advice that would have resulted in a better outcome maybe?
ix# /var/ossec/bin/ossec-logtest
2018/10/22 13:40:56 ossec-testrule: INFO: Reading local decoder file.
'rules/lists/ossec.block'
2018/10/22 13:40:56 ossec-testrule: INFO: Started (pid: 23931).
ossec-testrule: Type one log per line.
12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"
**Phase 1: Completed pre-decoding.
full event: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'
hostname: 'ix'
program_name: '(null)'
log: '12.345.67.89 - - [20/Oct/2018:14:18:32 +0200] "GET
/rest/system/upgrade HTTP/2.0" 500 322 "https://server.me.com/"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/69.0.3497.100 Safari/537.36"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '12.345.67.89'
srcuser: '-'
action: 'GET'
url: '/rest/system/upgrade'
id: '500'
**Phase 3: Completed filtering (rules).
Rule id: '31122'
Level: '5'
Description: 'Web server 500 error code (Internal Error).'
**Alert to be generated.
I think you can use anything in Phase 2 to limit your rule.
Post by Gerhard Vissie Visser
As I am still new at OSSEC, advice will really be appreciated.
Vissie