Week of OSSEC Day 3: Using Variables

If you look at some of the rules that come with OSSEC by default, you’ll notice that many of them make use of variables. Any programmer will immediately recognize this as a way to make efficient use of code which has a component that changes often. Look in rules/syslog_rules.xml and you’ll find this:

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

Look a bit further down the file and you’ll see this:

<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<options>alert_by_email</options>
<description>Unknown problem somewhere in the system.</description>
</rule>

This rule basically says, “if you see any of these words in the logs (denoted by the logical OR symbol, |) send an e-mail alert. It may be nothing, so the alert level is only 2, but I thought you might like to know.”

Variables can also be used in your local_rules.xml file. Are you being bothered by constant scans for vulnerable versions of PHPMyAdmin when you know you aren’t vulnerable? Simply create a variable like this at the top of the file:

<var name="BAD_SCRIPTS">phpMy|php-my</var>

Now create a local rule to use the variable (watch for a conflicting rule ID):

<rule id="100013" level="10">
<if_sid>31101</if_sid>
<url>$BAD_SCRIPTS</url>
<description>No alert on scans for vulnerable scripts</description>
<options>no_email_alert</options>
</rule>

The English translation for this rule is: if you see these strings in the URL portion of the log and it’s a 400 error code, don’t e-mail me. But since no one should be legitimately doing this, let’s set the level to 10 so active response blocks them for a few minutes.

When a slight variant of the scan starts showing up, or you’re getting scans for other common low-hanging fruit, all you need to do is add the string to the end of the variable and restart OSSEC. Just be careful to not block legitimate requests.
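To make the two mechanisms above concrete, here is a small Python model of how a $VARIABLE inside <match> or <url> is expanded and how the |-separated alternatives are tested against a log line. It is an added example, not OSSEC's own code: real OSSEC matching (OS_Match) also understands anchors such as ^ and $ and a few escapes, which this deliberately leaves out, and the rule fragment, log lines and "legitimate URL" list are constructed for the demonstration. The last function turns the closing warning into a check you can run before restarting OSSEC: it lists which alternatives of a variable would hit a request you know is legitimate.

```python
"""Simplified model of OSSEC <var> expansion and OS_Match-style matching.

Added example, not OSSEC's own code. It models two things the post relies on:
  * "$NAME" inside a <match> or <url> is replaced by the text of <var name="NAME">
  * a pattern is a list of literal substrings separated by "|" (logical OR);
    OSSEC's OS_Match syntax is richer (^, $, \\w ...), which is ignored here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule fragment mirroring the post's examples. OSSEC rule files
# have several top-level elements, so they are wrapped in a root for ElementTree.
RULES_XML = """<root>
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<var name="BAD_SCRIPTS">phpMy|php-my</var>
<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
</rule>
<rule id="100013" level="10">
  <if_sid>31101</if_sid>
  <url>$BAD_SCRIPTS</url>
</rule>
</root>"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def load_rules(xml_text):
    """Return (variables, rules): variables as {name: value}, rules as dicts
    whose <match>/<url> text has the $VAR references already expanded."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): (v.text or "") for v in root.iter("var")}

    def expand(text):
        # An unknown variable name is left as-is so the typo stays visible.
        return VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), text)

    rules = []
    for r in root.iter("rule"):
        rule = {"id": r.get("id"), "level": int(r.get("level"))}
        sid = r.find("if_sid")
        rule["if_sid"] = sid.text.strip() if sid is not None else None
        for field in ("match", "url"):
            el = r.find(field)
            if el is not None:
                rule[field] = expand(el.text.strip())
        rules.append(rule)
    return variables, rules


def os_match(pattern, text):
    """Simplified OS_Match: literal alternatives joined by "|", tested as a
    case-sensitive substring. That is why BAD_WORDS carries "bad " with a
    trailing space: it hits "bad password" but not "badge"."""
    return any(alt and alt in text for alt in pattern.split("|"))


def matching_rules(rules, log_line, url=None, parent_sid=None):
    """IDs of the rules whose conditions hold for one event. <if_sid> is
    modelled as "the event already matched that parent rule"; <url> is checked
    against the URL field a web-log decoder would have extracted."""
    hits = []
    for rule in rules:
        if rule["if_sid"] is not None and rule["if_sid"] != parent_sid:
            continue
        if "match" in rule and not os_match(rule["match"], log_line):
            continue
        if "url" in rule and (url is None or not os_match(rule["url"], url)):
            continue
        hits.append(rule["id"])
    return hits


def collateral_alternatives(pattern, legitimate_urls):
    """Alternatives of a pattern that would also hit a known-legitimate URL.
    Run this on a variable before restarting OSSEC with a new string added."""
    return [alt for alt in pattern.split("|")
            if alt and any(alt in u for u in legitimate_urls)]


if __name__ == "__main__":
    variables, rules = load_rules(RULES_XML)
    print(matching_rules(rules, "kernel: Segmentation Fault at 0x0"))   # ['1002']
    print(matching_rules(rules, "GET /phpMyAdmin/setup.php 400",
                         url="/phpMyAdmin/setup.php", parent_sid="31101"))  # ['100013']
    # Constructed legitimate page that the "phpMy" alternative would also catch:
    print(collateral_alternatives(variables["BAD_SCRIPTS"], ["/docs/phpMyths.html"]))  # ['phpMy']
```

The collateral check is the practical point: a short alternative like phpMy is a prefix test, not a word test, so every time you append a new string to the variable it is worth running the expanded pattern against a sample of URLs your site legitimately serves before the level-10 rule hands those clients to active response.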

Posted in Intrusion Detection, Log Analysis