If you look at some of the rules that come with OSSEC by default, you’ll notice that many of them make use of variables. Any programmer will immediately recognize this as a way to avoid repeating a piece of a pattern that changes often: define it once, reference it everywhere. Look in rules/syslog_rules.xml and you’ll find this:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
Look a bit further down the file and you’ll see this:
<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>
This rule basically says, “if you see any of these words in the logs (denoted by the logical OR symbol, |) send an e-mail alert. It may be nothing, so the alert level is only 2, but I thought you might like to know.”
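To see how a `<var>` is expanded into a rule's `<match>` and how the `|` alternation then behaves on log lines, here is an added Python example (not OSSEC's own code). It loads a constructed fragment in the style of rules/syslog_rules.xml, substitutes $BAD_WORDS, and checks constructed log lines with a simplified model of OSSEC matching; the case-sensitive substring semantics and the `<match>`/`<options>` lines of rule 1002 are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule fragment in the style of OSSEC's rules/syslog_rules.xml.
# The BAD_WORDS value is the one quoted on the page; the <match> and <options>
# lines are what the page's description of rule 1002 implies (assumption).
RULES_XML = """
<group name="syslog,">
  <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Parse <var> definitions and rules, expanding $NAME references in <match>."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.iter("var")}
    rules = []
    for rule in root.iter("rule"):
        pattern = rule.findtext("match") or ""
        # Substitute each $NAME with its <var> text, as OSSEC does when loading rules.
        expanded = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], pattern)
        rules.append({
            "id": rule.get("id"),
            # '|' separates alternatives; "bad " and "illegal " keep their trailing space.
            "alternatives": expanded.split("|"),
        })
    return rules

def matching_rules(log_line, rules):
    """Simplified model of <match> (assumption): '|' is OR, each alternative is a
    case-sensitive substring test. Returns the ids of the rules that fire."""
    return [r["id"] for r in rules
            if any(alt in log_line for alt in r["alternatives"])]

# Constructed sample log lines, not real captures.
SAMPLE_LOGS = [
    "kernel: foo[1234]: Segmentation Fault at 0x0",  # hits "Segmentation Fault"
    "smartd: disk sda has bad sector count rising",  # hits "bad " (with the space)
    "door: badge reader online",                      # "badge" is not "bad ", no hit
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(matching_rules(line, load_rules(RULES_XML)), line)
```

The trailing space in "bad " is what keeps "badge" from firing the rule; the same care applies when you append new strings to a variable.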
Variables can also be used in your local_rules.xml file. Are you being bothered by constant scans for vulnerable versions of PHPMyAdmin when you know you aren’t vulnerable? Simply create a variable like this at the top of the file:
Now create a local rule to use the variable (watch for a conflicting rule ID):
<rule id="100013" level="10">
<description>No alert on scans for vulnerable scripts</description>
The English translation for this rule is: if you see these strings in the URL portion of the log and it’s a 400 error code, don’t e-mail me. But since no one should be legitimately doing this, let’s set the level to 10 so active response blocks them for a few minutes.
When a slight variant of the scan starts showing up, or you’re getting scans for other common low-hanging fruit, all you need to do is add the string to the end of the variable and restart OSSEC. Just be careful to not block legitimate requests.